Business Email Compromise Prevention and Mitigation

Executive Summary

Business Email Compromise (BEC) is one of the most financially damaging cybercrimes. According to the Internet Crime Complaint Center (IC3), in 2020 the IC3 saw over $1.8 billion dollars in adjusted losses as a result of BEC.¹

BEC attacks are all too common and there does not seem to be an end in sight. The question comes up time and time again, in Incident Response tabletop exercises, during penetration tests, in live incidents, and throughout our various security engagements with clients. “What can I do to prevent BEC?”

While we understand there are no silver bullets, the controls listed below are meant to be a detailed list of controls that can reduce the likelihood and impact of Business Email Compromise. These controls are a culmination of our experience working on BEC incidents and security engagements for our clients, our analysts experience and research as well as known industry best practices.

That being said, this list is not exhaustive, and it is not one-size-fits-all. It may not be feasible to implement some of these recommendations for a number of reasons. The controls your company implements should be based on your own risk assessment, your industry, and your data.

Lastly, preventing BEC is not the sole responsibility of IT nor is it the sole responsibility of the business units. Business Email Compromise must be seen as a threat to the company as a whole and must be treated as such. That means IT and business units must come together to design and implement both technical and non-technical controls and senior leadership should be involved in those discussions.

Control Areas

• IT Controls
  These are the technical controls that we have seen play an important role in preventing BEC. These would typically be implemented and maintained by your IT team or MSP.
• Business Controls
  The controls in this section pertain to business units and their policies and procedures that promote strong defense against BEC.
• Financial Controls
  While shorter than the other two sections, it is one of the most important. This section speaks to controls that accounts payable, for example, can implement or improve to prevent BEC.

IT Controls

🔲 IT.1 Using Unique, Strong Passwords and Multifactor Authentication

It is no secret that one of the most critical assets for any company are their credentials. The service Have I Been Pwned, which  allows you to search various data breaches to see if your email address has been compromise, has more than 600 million passwords anyone can sift through.³

One of the most foundational and also highly critical aspects of security is unique and strong passwords. It’s all too common we see passwords reused for multiple sites or services and it’s equally as common that we see weak passwords like ‘Summer2021!’. Multifactor authentication, while not fool proof in of itself, ends up being the last line of defense.

While it’s not perfect and not enough alone, strong, and unique passwords should be used in combination with multifactor authentication for all email, banking software and other online financial services and anything else of value exposed to the internet.

🔲 IT.2 Disable External Email Forwarding & Regularly Review Active Forwarding Rules

Email forwarding can be useful, but it also poses a security risk due to the potential to unknowingly disclose information or perpetuate social engineering attacks against your companies’ clients or partners. It’s recommended that you do not allow forwarding emails to external domains and implement a process for regularly reviewing all active forwarding rules. If external email forwarding is required, it should be allowed on a case-by-case basis and be well documented.

Just as there are a number of ways for users to enable email forwarding there are a number of ways administrators can restrict or prevent external email forwarding rules. If you’re a Microsoft 365 customer, one way this can be done is by using transport rules, which can be found in the Microsoft 365 Admin Center and the Exchange Admin Center.

If you are a Microsoft customer, Defender for Office 365 has some really nice features such as disabling external email forwarding by default as well alerts that detect suspicious forwarding related activity to name a few.

🔲 IT.3 Enable Mailbox Audit Logging for All Accounts

Without logs, it’s very difficult to have a successful investigation of a potential business email compromise. During an investigation, you will need to know what actions a user performed and when. In Microsoft 365 this information is captured in what’s called mailbox audit logs. With mailbox audit logging enabled you will be able to see events for things like when a user creates a new inbox rule.

Check to verify that mailbox audit logging is enabled and if not, enable it. It’s available for all Microsoft 365 licensing levels and there is no impact to users.

🔲 IT.4 Disable Legacy Authentication Protocols

Protocols that use basic authentication typically do not support multifactor authentication. This includes POP3, IMAP, and SMTP. Single-factor authentication (e.g., username and password) should not be considered sufficient for protecting anything of value. In the Microsoft world, you can create Conditional Access policies to govern and/or block legacy authentication protocols.

If these protocols are required for a business purpose, they should only be granted as needed for specific users. This should be well documented and reviewed periodically to ensure such access is still required.

🔲 IT.5 Configure Centralized Logging & Create Alerts for Suspicious Activity

You want to make sure you’re collecting logs and sending them to a centralized location, preferable to a Security Information and Event Management (SIEM) tool where you can build alerts when suspicious activity is detected. What logs you may ask? Well since we’re talking about BEC you definitely want to be sending Microsoft 365 logs to your SIEM. You also want to include logs from other sources as well such as your Firewalls, workstations, and endpoint protection product.

Suspicious activity related to BEC you may want to alert on would be things like successful logins from out of the country, a new external email forwarding rule created, or authentication using legacy protocols.

Business Contols

🔲 BUS.1 Implement a Security Awareness Training Program

If we had to pick one thing to start doing immediately if you’re not already, it would be to implement a security awareness training program for all users, especially those who deal with finances and other sensitive information.

In order for users to not fall victim to BEC, they first must be aware of the threat. They must then learn what the red flags are through educational content and simulated phishing. Finally, they must be trained on what to do when they see something suspicious. Only with those three components can you begin to see behaviors change and only then will you be able to spot business email compromise early on.

🔲 BUS.2 Determine Wire Transfer Authority

Determining authority is all about defining who can do what, when and when it comes to wire transfers, how much. This should be simple and straightforward and should be documented and sent to everyone involved in payment processes, wire transfers, etc.

An authority list typically contains the names of people who can perform certain actions, such as a wire transfer. It will describe the amounts those people can request and/or approve, if they need additional approval and if there are any threshold amounts that invoke additional controls such as verification or approval by senior leadership.

This control ties directly into FIN.1 and FIN.2 because you should be reviewing this list regularly and you should have dual control, at least for transactions over a certain threshold.

🔲 BUS.3 Follow a Standardized Process, No Exceptions

Bad actors who are attempting to defraud your company are hoping that you will succumb to the pressure and urgency of their request and deviate from your process. It’s all too easy to fall victim to BEC when you do not have a well-defined process, that is followed vigilantly, without exception. That sounds great on paper, but in reality, sometimes exceptions are made, but they should not be made lightly or without documentation and additional oversight.

Your process should include how vendor setup is done including a vetting & approval process. All of which should have supporting documentation. This should all happen prior to paying any disbursements.

🔲 BUS.4 Report BEC to The Internet Crime Complaint Center

The IC3 Recovery Asset Team (RAT) was established in 2018 to streamline communication with financial institutions and assist FBI field offices with the freezing of funds for victims who made transfers to domestic accounts under fraudulent pretenses. Through the RAT, IC3 worked with its partners to successfully freeze approximately $380 million of the $462 million in reported losses in 2020, representing a success rate of nearly 82%.¹

According to the 2021 Verizon Data Breach Investigations Report, when the IC3 RAT acts on BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money either recovered or frozen, whereas only 11% had nothing at all recovered.²

🔲 BUS.5 Check Your Business Insurance

Cyber liability insurance commonly covers costs related to data breaches, however, fraud is another question altogether. While cyber liability insurance can help cover costs related to data restoration, loss of income and possibly even extortion, you may need specific coverages or even a separate policy to cover cyber fraud. In the insurance world, you may hear this referred to as “computer fraud”, or “funds transfer fraud” or even “social engineering fraud.” Provisions in these policies cover different types of fraud and contain different types of exclusions.