Executive Summary
Business Email Compromise (BEC) is one of the most financially damaging cybercrimes. According to the Internet Crime Complaint Center (IC3), in 2020 the IC3 saw over $1.8 billion dollars in adjusted losses as a result of BEC.1
BEC attacks are all too common and there does not seem to be an end in sight. The question comes up time and time again, in Incident Response tabletop exercises, during penetration tests, in live incidents, and throughout our various security engagements with clients. “What can I do to prevent BEC?”
While we understand there are no silver bullets, the controls listed below are meant to be a detailed list of controls that can reduce the likelihood and impact of Business Email Compromise. These controls are a culmination of our experience working on BEC incidents and security engagements for our clients, our analysts experience and research as well as known industry best practices.
That being said, this list is not exhaustive, and it is not one-size-fits-all. It may not be feasible to implement some of these recommendations for a number of reasons. The controls your company implements should be based on your own risk assessment, your industry, and your data.
Lastly, preventing BEC is not the sole responsibility of IT nor is it the sole responsibility of the business units. Business Email Compromise must be seen as a threat to the company as a whole and must be treated as such. That means IT and business units must come together to design and implement both technical and non-technical controls and senior leadership should be involved in those discussions.
Control Areas
- IT Controls
These are the technical controls that we have seen play an important role in preventing BEC. These would typically be implemented and maintained by your IT team or MSP. - Business Controls
The controls in this section pertain to business units and their policies and procedures that promote strong defense against BEC. - Financial Controls
While shorter than the other two sections, it is one of the most important. This section speaks to controls that accounts payable, for example, can implement or improve to prevent BEC.
IT Controls
🔲 IT.1 Using Unique, Strong Passwords and Multifactor Authentication
It is no secret that one of the most critical assets for any company are their credentials. The service Have I Been Pwned, which allows you to search various data breaches to see if your email address has been compromise, has more than 600 million passwords anyone can sift through.3
One of the most foundational and also highly critical aspects of security is unique and strong passwords. It’s all too common we see passwords reused for multiple sites or services and it’s equally as common that we see weak passwords like ‘Summer2021!’. Multifactor authentication, while not fool proof in of itself, ends up being the last line of defense.
While it’s not perfect and not enough alone, strong, and unique passwords should be used in combination with multifactor authentication for all email, banking software and other online financial services and anything else of value exposed to the internet.
🔲 IT.2 Disable External Email Forwarding & Regularly Review Active Forwarding Rules
Email forwarding can be useful, but it also poses a security risk due to the potential to unknowingly disclose information or perpetuate social engineering attacks against your companies’ clients or partners. It’s recommended that you do not allow forwarding emails to external domains and implement a process for regularly reviewing all active forwarding rules. If external email forwarding is required, it should be allowed on a case-by-case basis and be well documented.
Just as there are a number of ways for users to enable email forwarding there are a number of ways administrators can restrict or prevent external email forwarding rules. If you’re a Microsoft 365 customer, one way this can be done is by using transport rules, which can be found in the Microsoft 365 Admin Center and the Exchange Admin Center.
If you are a Microsoft customer, Defender for Office 365 has some really nice features such as disabling external email forwarding by default as well alerts that detect suspicious forwarding related activity to name a few.
🔲 IT.3 Enable Mailbox Audit Logging for All Accounts
Without logs, it’s very difficult to have a successful investigation of a potential business email compromise. During an investigation, you will need to know what actions a user performed and when. In Microsoft 365 this information is captured in what’s called mailbox audit logs. With mailbox audit logging enabled you will be able to see events for things like when a user creates a new inbox rule.
Check to verify that mailbox audit logging is enabled and if not, enable it. It’s available for all Microsoft 365 licensing levels and there is no impact to users.
🔲 IT.4 Disable Legacy Authentication Protocols
Protocols that use basic authentication typically do not support multifactor authentication. This includes POP3, IMAP, and SMTP. Single-factor authentication (e.g., username and password) should not be considered sufficient for protecting anything of value. In the Microsoft world, you can create Conditional Access policies to govern and/or block legacy authentication protocols.
If these protocols are required for a business purpose, they should only be granted as needed for specific users. This should be well documented and reviewed periodically to ensure such access is still required.
🔲 IT.5 Configure Centralized Logging & Create Alerts for Suspicious Activity
You want to make sure you’re collecting logs and sending them to a centralized location, preferable to a Security Information and Event Management (SIEM) tool where you can build alerts when suspicious activity is detected. What logs you may ask? Well since we’re talking about BEC you definitely want to be sending Microsoft 365 logs to your SIEM. You also want to include logs from other sources as well such as your Firewalls, workstations, and endpoint protection product.
Suspicious activity related to BEC you may want to alert on would be things like successful logins from out of the country, a new external email forwarding rule created, or authentication using legacy protocols.
Business Contols
🔲 BUS.1 Implement a Security Awareness Training Program
If we had to pick one thing to start doing immediately if you’re not already, it would be to implement a security awareness training program for all users, especially those who deal with finances and other sensitive information.
In order for users to not fall victim to BEC, they first must be aware of the threat. They must then learn what the red flags are through educational content and simulated phishing. Finally, they must be trained on what to do when they see something suspicious. Only with those three components can you begin to see behaviors change and only then will you be able to spot business email compromise early on.
🔲 BUS.2 Determine Wire Transfer Authority
Determining authority is all about defining who can do what, when and when it comes to wire transfers, how much. This should be simple and straightforward and should be documented and sent to everyone involved in payment processes, wire transfers, etc.
An authority list typically contains the names of people who can perform certain actions, such as a wire transfer. It will describe the amounts those people can request and/or approve, if they need additional approval and if there are any threshold amounts that invoke additional controls such as verification or approval by senior leadership.
This control ties directly into FIN.1 and FIN.2 because you should be reviewing this list regularly and you should have dual control, at least for transactions over a certain threshold.
🔲 BUS.3 Follow a Standardized Process, No Exceptions
Bad actors who are attempting to defraud your company are hoping that you will succumb to the pressure and urgency of their request and deviate from your process. It’s all too easy to fall victim to BEC when you do not have a well-defined process, that is followed vigilantly, without exception. That sounds great on paper, but in reality, sometimes exceptions are made, but they should not be made lightly or without documentation and additional oversight.
Your process should include how vendor setup is done including a vetting & approval process. All of which should have supporting documentation. This should all happen prior to paying any disbursements.
🔲 BUS.4 Report BEC to The Internet Crime Complaint Center
The IC3 Recovery Asset Team (RAT) was established in 2018 to streamline communication with financial institutions and assist FBI field offices with the freezing of funds for victims who made transfers to domestic accounts under fraudulent pretenses. Through the RAT, IC3 worked with its partners to successfully freeze approximately $380 million of the $462 million in reported losses in 2020, representing a success rate of nearly 82%.1
According to the 2021 Verizon Data Breach Investigations Report, when the IC3 RAT acts on BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money either recovered or frozen, whereas only 11% had nothing at all recovered.2
🔲 BUS.5 Check Your Business Insurance
Cyber liability insurance commonly covers costs related to data breaches, however, fraud is another question altogether. While cyber liability insurance can help cover costs related to data restoration, loss of income and possibly even extortion, you may need specific coverages or even a separate policy to cover cyber fraud. In the insurance world, you may hear this referred to as “computer fraud”, or “funds transfer fraud” or even “social engineering fraud.” Provisions in these policies cover different types of fraud and contain different types of exclusions.
Some questions to ask when reviewing your insurance policies are: Does my insurance cover financial loss due to cyber fraud or business email compromise attacks? How do I know? Do I understand what is covered and not covered by my insurance policies? Do I understand what my reporting requirements -are when something bad happens?
Check your insurance policies to ensure you have adequate coverage and make it a regular event on your calendar to review your policy every year to ensure those coverages continue to be adequate.
Financial Controls
🔲 FIN.1 Implement Dual Approval
One of the most important financial controls for preventing BEC is the concept of dual approval. Dual approval is a process by which one person initiates or requests a wire transfer and a separate person approves the transaction. It sounds simple, and it is, but there are some key components that we see are often missing.
There should always be documentation to support the transaction. The vendor should already be set up, see BUS.3. The person responsible for approving the transaction (see BUS.2) should review the initial request and the supplied documentation. Next, and this is the most important part, they should confirm the transaction with the requester. The recommended method to do this is through verbal communication. For example, the approver could call the requester using the phone number on record, not one provided by the requester, to approve the transaction.
🔲 FIN.2 Audit & Verify Permissions Regularly
As they say, trust but verify. Regularly reviewing access to banking and payment processing applications as well as application permissions is important in order to validate that only users with a business need have access and that their permissions are correctly defined for their role and responsibility.
It may seem trivial, but what we have found is that it’s easy for access control and permissions to go awry. Maybe you have users out on vacation or maybe paternity leave, and you need to have some people fill in temporarily. It’s easy to forget to remove users once they no longer need access. It’s also equally easy to not be as diligent as you should because of the “they may need to help again, so I will just leave it for now” mentality.
🔲 FIN.3 Review Bank Activity More Frequently
The sooner you identify fraud, the easier it is to recover from it. Your company may have thousands of transactions per day, maybe more. If that’s the case and you wait until the end of the month to review those transactions, you could be sifting through tens of thousands of transactions. Waiting this long means you may not be aware of fraudulent transactions until weeks after they occur. At that point, it could be more difficult to recover lost funds.
Review and understand your banking activity and transaction volume. Consider if you may be able to increase how often you review banking activity. Try weekly or maybe even daily.
Also, keep in mind that your banking institution could also fall victim to fraud and scams. Reviewing banking activity more regularly is a check and balance for your company just as much as it is for your bank.
1 https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
2 https://www.verizon.com/business/resources/reports/dbir/
3 https://haveibeenpwned.com/Passwords
