Business email compromise (BEC) scams cost businesses $5.3 billion from 2013 to 2016. BEC fraud is a problem for companies of all sizes and all sectors. In fact, in Q4 of 2017, almost 89% of companies had experienced at least one email fraud attack. A BEC scam starts with an email and ends with a company losing thousands and sometimes millions of dollars to a cybercriminal.
BEC scams come in several guises: CEO impersonation, whaling and invoice modification. The underlying deception is based on spoofing or hijacking the email account of a usually senior person in the organization, e.g., a CEO or CFO. The trick relies on behavioral factors such as trust and urgency, but often starts with a phishing email and stolen credentials.
When a BEC spoof email enters an inbox, it can be difficult to spot because it often originates from a hijacked account. The email will often also carry a sense of urgency such as “if this money is not transferred by noon, we will miss out on a major deal.” Playing on human behavioral traits like trust drives the success of the BEC scam.
Modification of behavior using security awareness training is one option for tackling BEC crime. However, this should be augmented by utilizing multi-factor authentication (MFA) to prevent email account compromise.
How Weak Credentials & Data Breaches Lead to Business Email Compromise
The days of using only a password to access web accounts or company IT systems are fast becoming a thing of the past. And for good reason. Many of the major breaches of modern times have begun through the exposure of login credentials. A 2016 report found 97% of Fortune 1000 companies suffered from employee credential exposure, leaving them open to a data breach. The 2017 Verizon Data Breach Investigation Report concurs with this, finding that 81% of data breaches are due to weak or stolen passwords. In 2017, some of the highest profile attacks, such as the Uber and Equifax breaches, originated through exposed administration credentials. Breaches which occur because of exposed credentials can be limited in their impact using multi-factor authentication.
What is Multi-Factor Authentication?
Authentication is a key requirement when carrying out transactions online, which makes it a potential area of weakness in any system. The term factor used when describing authentication covers the general elements:
- Something a user knows: A username/email address, coupled with a password. This is often referred to as a first factor.
- Something a user has: A mobile device which can receive an SMS text code and be used to login to a system.
- Something a user is: Usually presented as a biometric, such as a fingerprint.
Authentication mechanisms can use a single-factor, two-factor (2FA) or multi-factor (MFA) system based on the above elements. 2FA can be thought of as a subset of MFA. The factors can be exemplified as below, but are not restricted to these examples:
- Single-factor: User enters a username and password.
- Two-factor (2FA): User logs in using a username and password, plus enters a one-time-password (OTP) received via a smartphone app.
- Multi-factor (MFA): The two factors above are used, plus another factor (e.g., a voice biometric).
- Risk-based MFA: This method applies rules based on a dynamic risk assessment whenever a credential is used. For example:
Rule = is the credential being used from an unknown IP address, or a blacklisted location?
If yes, force MFA; if no, allow first factor only.
By adding extra layers of credentials to prove the person signing in is truly who they say they are, you make it harder for the cybercriminal to carry out an attack. Adding in extra layers of authentication is equivalent to adding extra layers of trust to a process. Using credentials which are more closely tied to the individual takes away the likelihood credentials can be exposed and used. Second and multi-factors include SMS text code, codes received via a smartphone app, email code, hardware device, voice biometrics and so on.
Using Second Factor to Fight Business Email Compromise
It is this extra layer of trust that can help in the fight against BEC attempts. The cybercriminal carrying out the BEC scam is looking for the weakest link in the chain of a financial transaction.
A typical example of a BEC scam using this trust exploitation was the Hawkeye BEC scam of 2015. Cybercriminals behind the attack used key logger malware to capture the credentials used to control access to company email accounts. These credentials were first factor (username/password) only. Once the credentials were in the hands of the scammers, they were able to login to company email accounts and pose as legitimate persons known to the organization. They then did a “change of supplier” process to have money transferred to their bank account.
In the end, $75 million was stolen using this scam. Hacks of this nature often begin with a spearphishing email. If the email accounts were protected using 2FA or MFA, the scammers would have to also steal the second or even third factor. This is much more difficult to do, but not impossible. Factors such as SMS text code, are less secure than they used to be, with NIST deprecating the use of SMS code as a second factor in future guidelines. However, SMS text code is still of value. Other second factors, such as time-based one time passwords (TOTP) are robust and cheap alternative options to SMS text codes.
Fighting BEC With A Multi-Layered Security Approach
Business email compromise uses a mix of technology and social engineering to gain access to monies. To protect your organization against the tide of BEC campaigns, you need to use a mix of security awareness, human-centered security and multi-factor authentication. The first two of these measures ensure your company has a culture of security in place. This culture helps make people aware of scams and puts in place human measures of checks and balances to prevent misappropriation of monies. Applying a technology layer like MFA will add an extra dimension of security to help prevent the hacking of email accounts in the first place.
Getting security right is a multi-layered exercise. You will need to draw upon technical and human-centered strategies to counter the ever-complex nature of cybercrime. Using robust multi-factor authentication is part of your armory against BEC scams.