Business email compromise / compromise of business emails

Compromise of business email traffic (business email compromise or BEC for short) is when email traffic is infiltrated, compromised or manipulated. BEC also includes when someone impersonates a person in the company to get the recipient to share confidential information, make financial transactions or perform other actions that jeopardize the security of the company in the long term.

What do cybercriminals do?

Cybercriminals use various approaches to successfully carry out business email compromise attacks. On the one hand, social engineering tactics are used to carry out the fraud and, on the other hand, concrete, real compromises of email accounts and systems can be carried out.

1. fraud with social engineering

In cases where the attackers use targeted social engineering to trick their victims into certain actions, the threat actor has no real access to internal systems. The affected persons are contacted from external email addresses. To increase the attack’s chances of success, criminal hackers invest time and effort to make their deceptive attacks look as realistic as possible. They try to find out how the company is structured and organized, who the relevant people are and what responsibilities and accountabilities prevail. After gathering information, the criminals write emails in the name of an employee, the CEO or even a service provider or business partner and contact their targets. In order to better deceive potential victims, real e-mail addresses are imitated or only minimally changed so that the people concerned cannot easily recognize the fraud. A typical example of this would be CEO fraud.

2. compromise of e-mail accounts or systems

While in the above case the attacker only pretends to be part of the organization, in the second type of BEC attack he has real access to the email server or the email account of the victim or the person he pretends to be. This means that the attacker has access to the real e-mail account and is able, for example, to send e-mails from the compromised e-mail address or to read them using forwarding rules. It is also possible for criminal hackers to intercept and manipulate emails. Criminal hackers gain access to email accounts or systems through phishing attacks, the use of malware or security vulnerabilities in applications, among other things.

A practical case to illustrate this: New windows were installed at a company. After the work was completed, the final invoice was sent to the company. The accounting department complied with the request and paid the outstanding amount. Some time later, the company was contacted by the window installer and informed that the invoice was still outstanding. When the facts of the case were clarified, it emerged that the invoice the company had received had been manipulated and the payment information had been changed. As a cyberattack was suspected, the cyber forensics experts investigated the systems, emails, email server and invoice PDF. It turned out that the company’s email server had been compromised, allowing the email to be intercepted and manipulated by the attacker.

How do you protect yourself?

As an employee:

In relation to the above-mentioned attack patterns:

• Check whether the sender’s e-mail address is actually the corresponding e-mail or whether it contains unusual elements (extra letters or numbers, incorrect domain name, etc.).
• Pay attention to the way you speak, the wording and idioms.
• Keep a cool head even in stressful situations and don’t let yourself get rattled.
• Trust your instincts. If something seems strange to you, there is usually something to it.
• Get a second opinion or it is better to get too much insurance than too little.

In relation to other attack patterns, including phishing attacks:

• Always treat e-mail attachments and links with suspicion.
• Do not click on links or download attachments in e-mails that do not appear to be trustworthy.
• Only visit reputable websites.
• Do not click indiscriminately on pop-ups or banner ads.
• Only download and install programs or software applications from trustworthy sources.

As managing director:

• Technical protective measures such as an active firewall and spam filters are not enough to protect against cyber attacks, such as phishing attacks or various social engineering attacks. You need to focus on your employees and get them involved.
• Provide your employees with comprehensive and sustainable cyber security awareness training.
• Offer your staff regular training courses on current attack patterns or types of attack. Alternatively, you can also commission external service providers – such as Perseus – to train your employees.
• Promote a corporate culture in which employees are encouraged to ask questions and get a second opinion when in doubt.