GLOBAL RESEARCH SYNDICATE

Best Practice Cybersecurity to Prevent Business Email Compromise

globalresearchsyndicate by globalresearchsyndicate
October 10, 2020

By Jessica Davis

October 09, 2020 – Microsoft’s latest Digital Defense Report found business email compromise attacks are rapidly evolving, with ransomware and credential harvesting becoming leading goals of these attacks. These highly targeted attacks are highly effective, driving the need for best practice cybersecurity to prevent falling victim.

Previous research from Barracuda Networks showed BEC attacks make up just 7 percent of spear-phishing campaigns but are three times more effective than traditional phishing models: three out of 10 users are successfully tricked into clicking a BEC email attempt. 

Hackers impersonate a victim’s trusted email recipient, such as a vendor, an employee within their organization, a business partner, or another known relationship, typically making a request for a wire transfer or for personally identifiable information, as well as those with access to sensitive data.

“These highly-targeted attacks, which are particularly difficult to detect because they rarely include a URL or malicious attachment,” researchers explained. “Sending a small number of emails, as opposed to spamming a large number of potential victims, also means that hackers are able to monitor responses from their victims.” 

“Hackers want a response from their victim before making a request for a wire transfer or personal information,” they added. “Along those lines, an overwhelming majority of business email compromise attacks initially include a very simple message, such as ‘Do you have a minute?’ or ‘I need your help.’” 


While the attack method is used less than traditional phishing, given the amount of work it takes to tailor emails to a specific target, the FBI estimates these attacks cost more than $26 billion in losses in the last four years. In 2019, the FBI reported that BEC attacks caused the most cybercrime losses across all sectors.

Microsoft reported that BEC and phishing attacks are using an increasing number of more sophisticated kill chains. As healthcare was the sixth-most targeted sector for BEC attacks, it’s imperative for entities to ensure they’ve implemented the right tools to defend against these highly tailored attacks.

Multi-Factor Authentication

The use of multi-factor authentication blocks 99.9 percent of automated attacks. And Microsoft recently stressed that strong authentication, like MFA, or password-less authentication, can reduce the risk of data breaches and the vast majority of identity attacks. 

In fact, nearly every Department of Homeland Security threat alert lists MFA as the leading recommendation to defend against attacks. NIST calls MFA a basic security enhancement tool that allows the user to present two pieces of evidence (credentials) when logging into an account. 

It allows the organization to ensure it’s the user, and not a cybercriminal, attempting to log in at an endpoint. There are multiple acceptable credentials a user can provide to verify their identity, from PINs to physical identifiers.


“Most MFA approaches will remember a device. So if you come back using the same phone or computer, the site remembers your device as the second factor,” according to NIST. “Between device recognition and analytics the bank is likely performing—such as whether you’re logging in 20 minutes later from halfway around the world—most of the time the only ones that have to do any extra work are those trying to break into your account.” 

Erin Benson, Director of Market Planning for LexisNexis Risk Solutions, previously explained to HealthITSecurity.com that it is important to work with your current vendors or a consultant to determine the right form of MFA and applicable endpoints.

Healthcare entities can also look to the Vanderbilt University Medical Center’s 2018 MFA deployment to better understand how to best implement the tool. 

Dedicated Leadership/Employee Training

The crux of business email compromise attempts is to trick the user into thinking they are speaking with a known contact. But as noted by researchers, certain roles, such as human resources or accounts, will often require the user to open PDFs.

As such, organizations need to have processes in place that will allow the user to quickly verify the legitimacy of the email or request, while training users on how to identify spear-phishing emails. As noted by Europol, organizations should assign a dedicated leader able to verify the authenticity of emails and to act as a point person to deal with common threats.

Europol stressed that training is crucial for a strong and resilient workforce, while studies have shown employee security training successfully reduces the risk to the enterprise. Education should include phishing simulations, in-person workshops, and e-learning activities. 

Users should also be taught the importance of verifying the sender’s email address to ensure it matches who the sender says they are, especially on mobile or other handheld devices. Administrators should also encourage employees to discuss phishing emails they receive with other workforce members.

“The better users become at detecting spear phishing, the less likely the organization is to be compromised by an attacker,” Europol officials explained. “Board management influence is key in the creation and diffusion of prevention campaigns in order to make these initiatives more relevant to employees and consider them as a priority.”  

“At the same time, more senior level staff often lack basic awareness of the dangers of spear phishing and, thus, are often themselves one of the primary targets,” they added. “An intuitive user experience, which makes it easy to flag suspicious emails and which warns the user of potentially malicious content, could significantly help users stay alert and make the right decisions when encountered with a phishing campaign.” 

Email Security

As with any enterprise tool, it’s crucial to ensure email security platforms are kept up to date with applicable patches, as well as hardware and software updates. Organizations should also consider security tools designed to secure email platforms, such as machine learning or spam blockers, while having the latest antivirus software installed. 

Strong, unique passwords should be required for all systems, especially email, including the use of MFA where applicable. However, a recently observed attack method bypasses MFA, with hackers immediately switching to a legacy application when MFA blocks their access attempts. 

“Legacy email protocols, including IMAP, SMTP, MAPI and POP, do not support MFA, making it possible for attackers to easily bypass MFA using these legacy applications,” Abnormal Security explained, at the time. “This means that it is not possible to enforce MFA when a user signs into their account using one of these applications.” 

To bolster defense against these attacks, researchers recommended barring access from legacy applications that are often targeted in password-spraying campaigns. Admins should deploy tools able to consistently scrutinize for suspicious content, such as dubious sender emails, domain names, formatting, urgent requests, and even writing style – commonly exploited by BEC attacks.
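Until legacy protocols are blocked, the MFA bypass described above can be detected in sign-in logs. The following is an added example, not code from the article or from Abnormal Security; the log format, field order, account names, and the 30-minute correlation window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

LEGACY = {"IMAP", "SMTP", "MAPI", "POP"}  # protocols named in the article
WINDOW = timedelta(minutes=30)            # assumed correlation window

# Constructed sign-in log: time, user, source IP, client protocol, outcome.
SAMPLE_LOG = """\
2020-10-09T08:01:10 akim 198.51.100.7 Browser mfa_denied
2020-10-09T08:03:42 akim 198.51.100.7 IMAP success
2020-10-09T08:05:00 bliu 192.0.2.15 Browser success
2020-10-09T09:12:30 cruz 203.0.113.9 Browser mfa_denied
2020-10-09T11:40:00 cruz 192.0.2.44 POP success
2020-10-09T12:00:00 dpat 192.0.2.60 SMTP success
"""

def parse(log_text):
    """Yield one dict per log line in the assumed five-field format."""
    for line in log_text.splitlines():
        ts, user, ip, proto, outcome = line.split()
        yield {"ts": datetime.fromisoformat(ts), "user": user,
               "ip": ip, "proto": proto, "outcome": outcome}

def find_mfa_bypass(log_text, window=WINDOW):
    """Flag a legacy-protocol success shortly after an MFA denial."""
    last_denied = {}
    alerts = []
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        if ev["outcome"] == "mfa_denied":
            last_denied[ev["user"]] = ev
        elif ev["outcome"] == "success" and ev["proto"] in LEGACY:
            denied = last_denied.get(ev["user"])
            if denied and ev["ts"] - denied["ts"] <= window:
                gap = int((ev["ts"] - denied["ts"]).total_seconds())
                alerts.append((ev["user"], ev["proto"], ev["ip"], gap))
    return alerts

def legacy_users(log_text):
    """Accounts still signing in over legacy protocols (review before blocking)."""
    return sorted({e["user"] for e in parse(log_text)
                   if e["proto"] in LEGACY and e["outcome"] == "success"})

if __name__ == "__main__":
    for user, proto, ip, gap in find_mfa_bypass(SAMPLE_LOG):
        print(f"ALERT {user}: {proto} sign-in from {ip} {gap}s after MFA denial")
    print("Legacy protocol users:", legacy_users(SAMPLE_LOG))
```

The `legacy_users` list shows which accounts would be affected when legacy access is barred, so they can be moved to clients that support MFA first.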


Copyright © 2024 Globalresearchsyndicate.com
