It takes a thief to catch a thief, they say. So what can a thief teach us about BEC (Business Email Compromise), one of the most difficult to combat forms of computer theft?
In a BEC attack, criminals impersonate or compromise the email account of somebody important inside a target organisation, such as the CEO. They then use the account to instruct more junior employees to make wire transfers, or to reveal sensitive information they can use to target other employees.
Attacks are on the rise and the amount of money that criminals are attempting to scam in each attack is increasing rapidly.
According to APWG, the average sum criminals tried to steal in BEC attacks went up massively in 2020, by an eye-watering 70%. By the end of the year crooks were attempting to scam $80,000 per attack.
What makes these attacks so dangerous is that they’re hard to stop, they work, and it seems that criminals can scale up their attacks faster than organisations can scale up their defences.
For the crooks, the same or similar tactics can be used over and over again by any number of attackers; attacks can be conducted from almost anywhere; and multiple simultaneous BEC scams can be run by the same person.
Because BEC is a kind of social engineering (a scam or confidence trick), stopping it relies on educating potential victims rather than upgrading or configuring a piece of software, or installing an appliance.
There are certainly technical steps that organisations should take to reduce the risk, but the buck ultimately stops at user education.
What’s needed is simple, memorable, focussed advice. And we found some, courtesy of the world’s most famous conman.
Two red flags
Frank Abagnale is a poacher-turned-gamekeeper who served the majority of his debt to society by helping the FBI catch conmen. He identifies two red flags, and says that every scam contains at least one of them.
1. Urgent need for money
Abagnale explains that “…at some point I’m going to ask for money, and the money has to be immediately“.
BECs are no exception. They rely on the pressure an often isolated junior employee will feel when they’re asked by a senior employee to make a large financial transaction urgently.
Scammers don’t want victims to stop and think, or to talk to anyone else. Employees should feel empowered to take a breath and pause the transaction while they verify that the request is genuine.
They can do that by contacting the person making the request through a different communication channel, such as instant messaging, telephone or zoom.
2. Personal information
Abagnale’s second red flag is that “…at some point in the conversation I’m going to start asking you personal information“.
Scammers aren’t always after money. Sometimes they want to learn something that will make them more believable when they talk to the next person in your organisation.
Employees should feel empowered to say “no” while they verify that a request for information is genuine. As with the first red flag, they can do that by contacting the person making the request through a different communication channel, such as instant messaging, telephone or zoom.
Because BEC is primarily an attack aimed at people, it requires a behavioural rather than a purely technical response, but there are technical steps that organisations can take to limit their risk.
- Organisations should implement the SPF and DKIM protocols, and publish a DMARC policy (enforced with p=reject rather than left at p=none), so that receiving mail servers reject messages that claim to come from the company’s domain but were sent from servers the company does not control. Note that this does nothing against lookalike domains or against mail sent from a genuinely compromised account.
- To stop criminals sending emails from inside their network, i.e. from a compromised account, organisations need to invest in cybersecurity and threat-hunting teams that look for the telltale signs of a hijacked mailbox, such as newly created forwarding or inbox rules and logins from unfamiliar locations.
- Finally, employees need awareness training, backed up by regular Red Team phishing exercises, to give them safe, practical experience of what a BEC attack might look like.
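The following is an added example, not code from the original article, showing how the SPF and DMARC records in the first bullet actually decide a spoofed message’s fate. It checks published records for weak settings (`~all`, `p=none`, no `rua=`) and then applies DMARC identifier alignment to two constructed messages: a legitimate one, and a BEC attempt in which a criminal sends `From: ceo@example.com` from a server they own. All records and messages are constructed, `example.com` and `attacker-owned.test` are placeholder domains, and `org_domain` is a simplification that takes the last two labels instead of consulting the public suffix list.

```python
"""Assess SPF/DMARC records and apply DMARC alignment to a message.

Added example, not from the original article. All DNS records and message
details below are constructed; example.com is a placeholder domain.
"""
import re

# Constructed TXT records for the hypothetical domain example.com.
SPF_WEAK = "v=spf1 include:_spf.mail.example.net ~all"      # soft fail: advisory only
SPF_STRONG = "v=spf1 include:_spf.mail.example.net -all"    # hard fail: reject
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_STRONG = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the trailing 'all' mechanism ('-', '~', '?' or '+')."""
    match = re.search(r"(?:^|\s)([-~?+]?)all\s*$", record)
    if not match:
        return None
    return match.group(1) or "+"  # a bare 'all' means '+all'


def assess(spf_record, dmarc_record):
    """Return findings describing weaknesses in the published records."""
    findings = []
    qualifier = spf_all_qualifier(spf_record)
    if qualifier != "-":
        findings.append(f"SPF ends in '{qualifier}all': only '-all' asks receivers to reject")
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"DMARC p={policy}: spoofed mail is still delivered (p=reject enforces)")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: you will not see who is spoofing you")
    return findings


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (ignores the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(dmarc_record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply a DMARC policy to a message's SPF and DKIM results.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated against and
    dkim_domain the d= of a verified DKIM signature. Returns (passes, action).
    """
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passes = spf_ok or dkim_ok
    if passes:
        action = "deliver"
    else:
        action = {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p"), "deliver")
    return passes, action


if __name__ == "__main__":
    for finding in assess(SPF_WEAK, DMARC_WEAK):
        print("finding:", finding)
    # Constructed BEC attempt: the attacker's own server, whose SPF passes for
    # attacker-owned.test, sends a message with From: ceo@example.com.
    for label, record in (("p=none", DMARC_WEAK), ("p=reject", DMARC_STRONG)):
        print(label, dmarc_verdict(record, "example.com", "pass", "attacker-owned.test", "none", None))
    # Constructed legitimate message, DKIM-signed by example.com.
    print("legit", dmarc_verdict(DMARC_STRONG, "example.com", "pass", "bounces.example.com", "pass", "example.com"))
```

The point the spoofing scenario makes is that SPF on its own passes for the attacker, because they control the envelope domain; it is DMARC alignment against the visible From domain, combined with an enforcing policy, that turns that into a rejection. Under `p=none` the same message is delivered and only reported.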