I recently received an interesting email from a business that my firm has worked with. The content of the message was supposedly an electronic fax.
I knew the email was suspect just based on how the electronic fax was handled. Our firm has a separate and known fax number. Typically, the only time electronic faxes are sent to inboxes is when we have instructed someone to do so.
When I replied to the email, it was clear that the attacker had not only taken control of the business’s mail server but had set up automatic email rules to respond saying the email was legitimate and that I should open the file and follow the instructions.
Because the email contained only links and did not have any direct malicious content, several staff members received it. Not only did the email get through all my spam filters, but the message had been set up with automatic mail rules to enable a response to any correspondence that the account received. This is a classic case of business email compromise (BEC).
According to the Internet Crime Complaint Center (IC3), BEC schemes resulted in more than $1.7 billion in worldwide losses in 2019. The FBI Cyber Division recently warned about BEC and urged organisations to review their forwarding rules and offered these 14 recommendations:
1. Ensure desktop and web email clients run the same version
Keeping desktop and web email clients up to date avoids problems with syncing and updates. A lack of synchronisation between the desktop and the web might allow an attacker to place rules that are not exposed in the desktop clients. As a result, the attack goes unnoticed.
2. Be wary of last-minute email account address changes
In my case of the hacked email account, the person I had previously corresponded with, whose account was now being used in a phishing attack, had recently updated their firm’s domain name and email platform. The migration process made the mail server open to attacks. If you suddenly receive an email from a vendor regarding a financial matter and the email address has changed, call them and request verification of the email address.
3. Check email addresses for slight changes
Small changes can make fraudulent email addresses appear legitimate by resembling actual clients’ names. The letter “l” is one of the worst characters to use in an email address. Is that a lowercase “l” or the number “1”? Depending on the font used, they could be indistinguishable. I used Courier New for both the “l” and the “1” and it is extremely difficult to tell the difference between them. Attackers often use this font trick.
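One way to catch this trick in software is to fold look-alike characters to a single form before comparing a sender with addresses you already trust. This is an added example, not part of the FBI recommendations; the known senders and the table of look-alike characters are constructed for illustration.

```python
# Added example: flag sender addresses that imitate a known correspondent.
# KNOWN_SENDERS and the CONFUSABLES table are constructed for illustration.
from email.utils import parseaddr

# Glyphs that look alike in many fonts, folded to one canonical form.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o"))

KNOWN_SENDERS = {"pat.hill@millerlaw.example", "billing@northwind.example"}


def skeleton(address: str) -> str:
    """Fold visually confusable characters so lookalikes compare equal."""
    folded = address.lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


KNOWN_SKELETONS = {skeleton(a): a for a in KNOWN_SENDERS}


def check_sender(from_header: str) -> str:
    """Return 'known', 'lookalike of <address>' or 'unknown'."""
    address = parseaddr(from_header)[1].lower()
    if address in KNOWN_SENDERS:
        return "known"
    imitated = KNOWN_SKELETONS.get(skeleton(address))
    if imitated:
        return f"lookalike of {imitated}"
    return "unknown"


if __name__ == "__main__":
    for header in (
        "Pat Hill <pat.hill@millerlaw.example>",
        "Pat Hill <pat.hi11@millerlaw.example>",   # digits for letters
        "Billing <billing@n0rthwind.example>",     # zero for "o"
        "Newsletter <news@unrelated.example>",
    ):
        print(f"{header:45} -> {check_sender(header)}")
```

A "lookalike" result is a prompt to verify by phone, as recommendation 2 advises, not proof of fraud.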
4. Enable multi-factor authentication for all email accounts
I cannot stress this enough: Multi-factor authentication (MFA) ensures that attackers must have something else—phone, key, device, fob, authentication app—in their possession to access your email.
5. Prohibit automatic forwarding of email to external addresses
In many email compromises, forwarding rules may be visible only in web applications and not in the desktop email clients. Email forwarding is so pervasive that Microsoft has even blocked outbound mail forwarding automatically in Microsoft 365. If you had previously set up automatic forwarding rules, review their setup again to ensure that they are functioning as you expect.
6. Monitor the Email Exchange server for changes
Make frequent checks for changes to configuration and custom rules for specific accounts. Create rules that alert you when there are changes to ensure that your system is well protected. Change management in an organisation of any size should be a well-defined process and not happen willy-nilly. It’s wise to perform the change management process on a scheduled basis with documented processes.
7. Flag differences in “reply” and “from” email addresses
Create a rule to flag email communications where the “reply” email address differs from the “from” email address. Set up another flag for when the external message comes from your domain name, indicating that an attacker is trying to trick users into thinking the email is from inside the domain. You can also set up DKIM to reject mail that doesn't match the domain of the originating mail server.
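The two flags described in this recommendation can be expressed as a short header check. This is an added example, not code from the FBI guidance or from any mail product; the domain, the flag names, the sample messages and the arrived_externally input (assumed to be supplied by your mail gateway) are constructed for illustration.

```python
# Added example: the two flags described above, applied to raw messages.
# OUR_DOMAIN, the flag names and the sample messages are constructed.
from email import message_from_string
from email.utils import getaddresses

OUR_DOMAIN = "ourfirm.example"

SAMPLE_REPLY_MISMATCH = (
    "From: Accounts <ap@vendor.example>\n"
    "Reply-To: Accounts <ap@vendor-payments.example>\n"
    "Subject: Updated bank details\n\nPlease see attached.\n"
)
SAMPLE_INTERNAL_SPOOF = (
    "From: Managing Partner <partner@ourfirm.example>\n"
    "Subject: Urgent transfer\n\nAre you at your desk?\n"
)


def addresses(msg, header: str) -> set:
    """Lower-cased addresses found in every instance of one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.lower() for _, addr in pairs if addr}


def flag_message(raw: str, arrived_externally: bool) -> list:
    """Return flag names for one message.

    arrived_externally is an assumption: the mail gateway is expected to
    say whether the message entered from outside the organisation.
    """
    msg = message_from_string(raw)
    senders = addresses(msg, "From")
    reply_to = addresses(msg, "Reply-To")
    flags = []
    # Replies would go to an address the sender did not write from.
    if reply_to - senders:
        flags.append("reply-to-differs-from-from")
    # Outside mail that claims to be from our own domain.
    if arrived_externally and any(a.endswith("@" + OUR_DOMAIN) for a in senders):
        flags.append("external-mail-uses-our-domain")
    return flags
```

A message with no Reply-To header, or one whose Reply-To matches its From address, raises no flag.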
8. Add a banner to messages coming from outside your organisation
Warning users about a message’s origin is a normal configuration that many firms use. Even with the warning many users still click on links. Consider end-user education about how the emails will look and what to expect.
9. Review use of legacy email protocols
Consider the necessity of legacy email protocols, such as POP, IMAP and SMTP, that attackers can use to circumvent MFA. Old protocols can be easily attacked and hacked. Too many of us reuse credentials on various platforms. So, it’s easy for an attacker to use a database of stolen credentials and attempt to log onto systems with these reused credentials.
10. Log and retain changes to mailbox login and settings for at least 90 days
Logging is often overlooked as a security tool. By the time you realise something has happened, it is too late to configure auditing and logging. Evaluate your options to pull the logs off your mail servers and ensure you store them elsewhere. You can use services such as Splunk to forward and store log files.
11. Enable security features that block malicious email
Are you using features you already have to block phishing and email spoofing? Too often we purchase additional security products for mail servers and do not completely set them up. For Office 365, I recommend following the best practices guide from the ITpromentor site.
12. Encourage employees to challenge suspicious payment requests
Employees should request clarification of suspicious payment requests from management prior to authorising transactions. We’ve been trained to cooperate and to help as much as we can, but that trait can make us open to phishing and trickery. Back up electronic processes with old-fashioned confirmation such as picking up the phone and calling to confirm the amount and the transfer processes.
13. Set up alerts for suspicious behaviour in email
If you use Office 365 or Microsoft 365, you can set up alerts for suspicious behaviour in email. Review if you need to change licences to have these alerts, but it may be worth it for some organisations.
14. Report fraud to authorities
Immediately report any online fraud or BEC activity to the Internet Crime Complaint Center. Ensure that authorities know the activities are going on. Even if your specific case can’t be remedied, authorities can often look at patterns and gain more insight from multiple reports. No BEC case is too small to be overlooked.