Across the globe, companies and organizations of all sizes have faced an increasing onslaught of the cyber-crime known as business e-mail compromise (BEC). Perpetrated by organized crime groups, BEC attacks have resulted in losses of billions of dollars over the last decade. So how do you prepare and protect your organization from BEC?
Providing solutions to this issue is why we’re here. This blog post represents the first installment of our six-part SecureSky series. This post provides an introduction to BEC attacks and reveals why this type of cyber-crime is rapidly increasing. If you are already familiar with BEC attacks, we encourage you to read Part 2, which explores recent BEC investigations and discusses how BEC attacks work against Office 365 (O365) environments.
Threat Uncovered: What Is Business E-Mail Compromise?
BEC is a class of cyber-crime that uses deception techniques – including social engineering (typically phishing) and trusted user impersonation – to commit financial fraud against businesses.
To achieve their objectives, perpetrators use a sequence of elaborate attacks and approaches that exploit users of software services like O365 (see diagram below).
The first three steps of a BEC attack are identifying phishing targets, phishing those targets, and stealing the credentials of the users who fall for the phish. Once an attacker holds a user's credentials, the next step is extracting the victim's mailbox data and contacts.
Attackers typically take one of three approaches against compromised users:
- If a user account has some responsibility for financial transactions, the attacker may attempt financial phishing of the user’s contacts (5a of Diagram)
- If the user has administrative privileges in the Office 365 tenant environment, the attacker could use the environment as a platform from which to base future attacks (5b of Diagram)
- The attacker could also leverage the user account contacts to continue credential phishing (5c of Diagram)
Threat Severity: What is the Impact of BEC?
We've seen BEC become a systemic problem for organizations of any size. Attacks are growing rapidly, in the U.S. especially. According to the FBI, BEC crimes cost U.S. businesses over $1.3 billion in 2018 alone and have been increasing steadily since 2016 (see the losses figure below).
From 2015 to 2017, Google and Facebook lost a combined $123 million to a BEC scheme organized by an individual in Lithuania. While the tech giants were able to recover the stolen funds, most smaller businesses hit by these attacks are not so fortunate.
Threat Frequency: Why is BEC on the Rise?
The short answer as to why BEC attacks are increasing so rapidly is simply that they work, especially against Office 365 environments. Criminals have adopted this method of cyber-attack for several reasons, including:
Inexpensive and Easy to Initiate – BEC does not require malware or 0-day exploits; it typically starts with phishing e-mails and can be executed at scale with minimal cost and expertise.
O365 Infrastructure Enables Sustainment – If an attacker can access an O365 account with administrative privileges in the O365 tenant, the compromised tenant environment can be used as a phishing platform to launch attacks against other organizations.
Potential High Financial Returns – If an attacker can compromise a user that has high trust relationships with other companies (e.g., an executive or employee who works in Accounts Payable or Billing departments), those relationships can be leveraged to commit financial fraud.
Minimal Risk – Logging and auditing in O365 environments have historically been poor, and because BEC losses are typically spread across many organizations, no single victim suffers a loss large enough to drive a serious investigation; the chances of BEC actors being caught are therefore low.
Threat Preparation: What Can You Do To Prepare For BEC Attacks?
Certainly, there are ways you can better prepare your organization for this cyber-attack. SecureSky has been arming customers with guidance and actionable insight to assist in combating this issue. Effective preparation for BEC includes three types of defense:
- Proper configuration and hardening of O365 environments
- Enablement of effective BEC detection capabilities in O365, as well as timely monitoring and analysis of detected threat events
- Training and technology support for employees to better understand BEC attacks and to identify signs that their O365 accounts may have been misused
With the right tools and training, risks of BEC attacks can be reduced.
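As an added example of what the second line of defense, detection in O365, can look like in practice (this is not code from the original post or from SecureSky's tooling): the script below scans exported Unified Audit Log records for the mailbox tampering that commonly follows a credential-phishing compromise, namely inbox rules that forward mail outside the tenant or hide finance-related replies, and correlates each hit with the sign-ins that preceded it. The sample records, the tenant domain list and the trusted-IP list are constructed for the example; the field names are an approximation of the AuditData JSON that Search-UnifiedAuditLog returns and should be checked against your own export; and the inbox-rule indicators are general BEC tradecraft, not something this post itself describes.

```python
"""Flag BEC-style mailbox tampering in exported Office 365 Unified Audit Log records.

Added example for this post. Sample records are constructed (not real tenant
data) and the field names approximate the AuditData JSON from
Search-UnifiedAuditLog; treat both as assumptions and adjust to your export.
"""
import json
from datetime import datetime, timedelta

# Exchange Online parameters that copy the victim's mail to another address ...
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
# ... and parameters attackers use to hide vendor or bank replies from the victim.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
HIDDEN_FOLDERS = ("rss", "deleted", "archive", "junk", "conversation history")
FINANCE_WORDS = ("invoice", "wire", "payment", "remit", "bank", "ach", "swift")
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample export: a sign-in from an unfamiliar IP, an attacker rule
# created minutes later, and a benign newsletter rule from a normal user.
SAMPLE_RECORDS = [
    {"CreationTime": "2019-06-03T02:14:09", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "ap.clerk@example.com",
     "ClientIP": "203.0.113.77", "ResultStatus": "Succeeded"},
    {"CreationTime": "2019-06-03T02:21:40", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "ap.clerk@example.com",
     "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "ForwardAsAttachmentTo", "Value": "ap.clerk@example-mail.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-06-03T09:05:12", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "hr.lead@example.com",
     "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def _params(record):
    """Flatten the cmdlet Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external(address, tenant_domains):
    """True if the target address is outside the tenant's own domains."""
    # Real exports may wrap targets as "Display Name [SMTP:addr]"; reduce to the address.
    addr = address.lower().split("smtp:")[-1].rstrip("]").strip()
    return "@" in addr and addr.rsplit("@", 1)[1] not in tenant_domains


def _recent_logins(records, user, before, window=timedelta(hours=24)):
    """IPs from which `user` signed in during the window ending at `before`."""
    ips = set()
    for r in records:
        if r.get("Operation") == "UserLoggedIn" and r.get("UserId") == user:
            t = datetime.fromisoformat(r["CreationTime"])
            if before - window <= t <= before:
                ips.add(r.get("ClientIP", ""))
    return ips


def assess_rule(record, tenant_domains):
    """Return (severity, reasons) for one inbox-rule/mailbox change; (None, []) if benign."""
    p = _params(record)
    severity, reasons = None, []
    for name in sorted(FORWARDING_PARAMS & set(p)):
        targets = [t.strip() for t in p[name].replace(";", ",").split(",") if t.strip()]
        ext = [t for t in targets if _external(t, tenant_domains)]
        if ext:
            severity = "high"
            reasons.append(f"{name} to external {', '.join(ext)}")
    hides = [n for n in HIDING_PARAMS & set(p) if p[n].lower() not in ("", "false")]
    text = " ".join(p.get(k, "") for k in ("SubjectContainsWords", "BodyContainsWords",
                                           "SubjectOrBodyContainsWords")).lower()
    folder = p.get("MoveToFolder", "").lower()
    # Moving mail to a folder is normal; it matters when finance mail is targeted
    # or the destination is a folder nobody reads.
    if hides and (any(w in text for w in FINANCE_WORDS) or any(f in folder for f in HIDDEN_FOLDERS)):
        severity = severity or "medium"
        reasons.append(f"hides matching mail via {', '.join(sorted(hides))}")
    if record["Operation"] != "Set-Mailbox" and len(p.get("Name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return severity, reasons


def find_bec_indicators(records, tenant_domains, trusted_ips):
    """Correlate suspicious mailbox changes with the sign-ins that preceded them."""
    findings = []
    for r in records:
        if r.get("Operation") not in RULE_OPS:
            continue
        severity, reasons = assess_rule(r, tenant_domains)
        if severity is None:
            continue
        when = datetime.fromisoformat(r["CreationTime"])
        seen = _recent_logins(records, r["UserId"], when) | {r.get("ClientIP", "")}
        odd = {ip for ip in seen if ip and ip not in trusted_ips}
        if odd:
            severity = "high"
            reasons.append(f"activity from unfamiliar IP(s) {', '.join(sorted(odd))}")
        findings.append({"time": r["CreationTime"], "user": r["UserId"],
                         "operation": r["Operation"], "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_bec_indicators(SAMPLE_RECORDS, {"example.com"}, {"198.51.100.10"}):
        print(json.dumps(f, indent=2))
```

Run as-is, it reports one high-severity finding for ap.clerk@example.com (external forwarding, deletion of invoice/wire/payment mail, a one-character rule name, and a preceding sign-in from 203.0.113.77) and nothing for the HR newsletter rule. To use it on a real export, parse the AuditData column of your Search-UnifiedAuditLog CSV into dicts, list your tenant's accepted domains and known egress IPs, and expect to tune the folder and keyword lists to your own mail flow.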
We encourage you to follow the remainder of this series, as we will focus on key O365 configuration settings that organizations can implement to protect against BEC attacks (Part 3), the O365 logging and audit events that indicate BEC activity and compromise (Part 4), and how employees can tell when they have been targeted by BEC (Part 5). The final post in this series will speculate about what a BEC organizational structure might look like (Part 6).
We also invite you to subscribe to our blog and stay informed on important cloud security issues.