WATCH Business Email Compromise – Day 22 of Cybersecurity Awareness Month
Shelly Miller 00:06
We’ve been learning a lot during Cybersecurity Awareness Month here in the US. And today’s topic is an interesting one about business email compromise. With us to explain what it is, how it happens and how to protect ourselves from it, is Craig Taylor, Co-founder and CEO of CyberHoot. So Craig, what do we need to know about business email compromise?
Craig Taylor 00:25
Well, Shelly, thank you for that introduction. And business email compromise is a very serious topic, and it happens all too frequently. And it can be devastating to the businesses that get hit.
To understand what it is, you need to understand how hackers use trust to exploit us, to break into our companies via phishing attacks built upon a trust relationship. I’ve investigated many security events involving business email compromise. And to start we’re going to explain what it is, how it happens, how to prevent it, and finish with how to recover from it.
So let’s say, what is business email compromise? It’s known as BEC for short, and it’s when an unknown person, a hacker without permission, gains access to your business email account.
Once in there, what they try to do is very damaging: they try to hide their presence by setting up special mail flow rules to copy messages out to themselves to another email address, but they do it in a way you can’t see it. They auto-delete messages that they send, so you’re not aware of them being there. And they even run automated scripts to collect all the email addresses of everyone you’ve ever worked with or emailed, so that they can then attack them using that trust relationship.
So if I was to get an email from Shelly, I know Shelly, I trust you, I would imagine that I would be more likely to open up an attachment or provide a credential to get, particularly, an invoice. If it’s a financial person, they often target financial officers at companies, and then they send an invoice to everyone that that finance person has ever invoiced before. But they put a credential check to get to the invoice from the trusted person, so it can be a really devastating attack, because there’s so much trust involved: “Oh, I know Shelly, she’s the finance person over at Mindwhirl, she’s sending me the invoice for this month. Oh, weird.
She put a password to get into it. I have to give my Google credentials or my O365 credentials to get to the file. That’s strange. But I trust Shelly, so I’ll just provide them.” And then you’ve given the hacker your credentials. So that’s what it is and how it happens. Let’s talk a little bit about how this attack happens. It begins with the compromise of a single account, usually a finance person at a company. They target them with a spear phishing attack, crafted specifically for that one finance person based on all their research of the company, the social media accounts for that person, and anything else they can get; maybe they even physically visited the company to find out more about this person. They get into that one account, they do that email scrape, then they create an invoice to anyone that’s ever received an invoice from this person before. They do the things we just talked about: hiding their tracks, scraping emails, sending fake invoices. They moved.
So here’s an interesting part of this. In some of the investigations I’ve done, they move the communications out of the finance person’s email by creating a domain name that is called a look-alike domain. It’s off by a single letter. So for example, Mindwhirl.com might have someone who’s trying to hack from your account create a domain of Mindwhirl where the L in whirl is an uppercase I, and so they can make it look, if you’re not paying attention, like you’re just gonna see mindwhirl.com sent me an invoice. Shelly, I know this person, I’m gonna open it, trust it. And that exploit of trust is what gets so many people to give up their credentials or to install a file just by double-clicking on this file that Shelly sent over, because I trust her. And then they just rinse and repeat. They’ll go into the subsequent mailboxes of other finance people and do the exact same thing. And so it’s almost like a set of dominoes: once one starts to fall, they spread out into multiple lines, and then they spread out further into multiple, multiple lines. Hackers can collect, and have collected, millions of accounts this way. So that’s why I call it the domino breach in a blog article. If you Google CyberHoot Domino Breach, you’ll find a whole triage of this type of event on our blogs.
Shelly Miller 04:58
Okay, great. So if I trusted someone, I would be more likely to pay attention to their email and even possibly, you know, provide credentials to an invoice if I didn’t know what to look for in a phishing or social engineering attack. So Craig, can you tell us how we can protect ourselves and my company from these kinds of attacks?
Craig Taylor 05:17
Absolutely. So there’s a few important steps, some are very effective, and absolute, and others are just best practices.
First of all, a technology protection that works well above and beyond anything else you can do is two-factor authentication, or multi-factor. The moment you require a cell phone to authenticate into an email address, you break this attack technique, because they can only get the username and password out of you; they can’t get your mobile device.
So from a technical perspective, every single company hearing this now: if you’re not on multi-factor for your cloud-based email, you have to stop what you’re doing. Even pause this. Don’t delete it or go away; leave it so you can come back and listen to the rest. But pause it and go turn on two-factor authentication on your email, because you’ll be thankful that you avoid a breach by doing so.
The second, third and fourth things I’m going to say right now are best practices that will help for other forms of attack in addition to business email compromise. The first being education: access can be gained through phishing attacks, credential theft, and errors responding to emails, so you have to educate your users on social engineering, on phishing, on all the nasty things that can happen when you’re online.
Unfortunately, the reality is nobody graduates from even an Ivy League college with these skills, these social engineering and password hygiene skills. So it’s up to us to teach them, and CyberHoot would love to be the one that helps you with that. An external email warning banner is a great trigger for your employees. I’ve seen others. Here’s another example of email compromise.
This is $26,000 in gift cards. And if the president of the company emails you saying they need you to go buy gift cards, but there’s a banner warning that says this email came from outside the company, hopefully that’s a trigger that says this is a fake; it’s not really the president, because his email comes from inside the company. So an external email warning banner is a great idea. And a spam filter. Spam filters are really good at identifying and blocking a lot of nuisance emails, but also malicious attachments, and repeated email messages that are likely phishing attacks that have been sprayed out at all your employees. So those four things are key to protecting yourself. But first and foremost, two-factor authentication.
Shelly Miller 07:43
Okay, great. Those are good protections. But, Craig, I want to know, what if I’ve already been compromised? And how can I get access back to my accounts?
Craig Taylor 07:53
So that’s a great question. And you know, we’re trying to keep these videos short, so maybe we should do an extra one on this. There’s like 12 steps here, but I’ll give you the nuts and bolts of it. First thing you got to do is don’t panic, take a deep breath, and begin to follow the steps outlined in the domino breach, which also links to how to recover a compromised email account.
There’s two articles on cyberhoot.com that I think I’d have to point you to, to follow the step-by-step 12 steps, because you got to look at your recovery questions to get back into your email (they might have changed those), look at the rules that are in your email system to see if they created a rule to forward messages to other places. There’s just a lot to it, but it’s very easily done.
And you do have to be methodical about it, and you do need to do it quickly. And probably the first thing is to change the password on your account so that you can eliminate the hacker from getting back in. So that’s number one. But it goes a lot beyond our conversation in the time we have today. But you can definitely follow the almost paint-by-numbers instructions on the CyberHoot website. If you Google “business email compromise CyberHoot” or “how do I recover a compromised email account” and the word CyberHoot, you’ll have the instructions that will help you become more aware to become more secure.
Mike Miller 09:12