How To Protect Yourself from Costly Business Email Scams



Business email compromise scams are nothing new, but there has been a recent surge in them. I am aware of more than one local company that has been hurt by them. The current and most common way a threat actor perpetrates this scam goes something like this:

STEP 1: The scammer gains access to a valid email account on your domain by sending a spear phishing email that tricks a user into logging into something that looks legitimate and giving up their credentials. Often, this credential-skimming website captures your MS 365 credentials and then forwards you to the real site, so nothing appears unusual.

You might think, “I have MFA, so there is no way this could happen.” Unfortunately, a skilled hacker can use tactics like session hijacking (or token theft), MFA fatigue, and general social engineering to capture MFA codes or otherwise get past the second factor. These methods have become quite common, so MFA is still important but not as effective as it once was.

STEP 2: The threat actor now has access to a user’s email account and maybe more, depending on what those email credentials unlock. Even if it is only email, it allows them to study your business transactions, your writing style, and what is happening in your email threads. The hacker may wait for weeks or months for the right opportunity to continue the scam. If the person whose email they control is responsible for financial transactions, they use that position to take the next steps.

STEP 3: Suppose the threat actor has learned that the account they control belongs to someone responsible for invoicing and payment, and perhaps that this user sends or receives ACH payments. They will look for a vendor that is requesting payment and has sent an invoice. Ideally, they will find an urgent payment request where the invoice is for a significant amount. The hacker will then immediately prepare to take advantage of what they have learned. They often buy a domain name that is very close to the vendor’s name.

STEP 4: The hacker is ready to act. They quickly insert themselves into the conversation. They send an email, masquerading as the vendor, with a modified bank account number for this transaction and urge that payment be sent immediately. They may even use the phished account to communicate with the real vendor and stall the legitimate requests for payment while they push the fraudulent request from the “almost real” email account. The hacker (often a well-organized group of people) is clever and sophisticated. All of the emails have the correct header, footer, and language. They have been shadowing the account for weeks or months for a reason, and they even match the tone when they send emails.

STEP 5: Money is transferred, presumably to pay a legitimate invoice. The money goes to the wrong account. It is immediately transferred multiple times and usually ends up somewhere untraceable and unrecoverable. If the compromise worked and the hacker went undetected for at least a period of time, they usually try again, hoping they can get another money transfer before they are found out.
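As an added example (not part of the original post), here is the kind of check a finance mailbox rule or SOC script could run to catch the two signals described in Steps 3 and 4: a sender domain that merely resembles a known vendor’s, and an invoice that asks for changed bank details. The vendor list, the confusable-character table, and the sample messages are constructed for illustration.

```python
"""Triage inbound vendor invoice mail for lookalike domains and bank-detail changes."""
import re

# Constructed list of domains this business actually pays invoices from.
KNOWN_VENDOR_DOMAINS = ("acme-supply.com", "northwind-parts.net")

# Character swaps commonly used to make a registered lookalike read like the real domain.
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("3", "e"), ("5", "s"))

# Wording that signals "send the money somewhere new" (constructed pattern, not exhaustive).
BANK_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(banks?|account|routing|wire|ach)\b", re.I | re.S
)


def normalize(domain: str) -> str:
    """Fold confusable characters so 'acrne-supp1y.com' reads as 'acme-supply.com'."""
    d = domain.lower().rstrip(".")
    for bad, good in SWAPS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits away from a real vendor domain is a strong lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, vendors=KNOWN_VENDOR_DOMAINS, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike:<vendor>' or 'unrelated' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in vendors:
        return "known"
    for vendor in vendors:
        base = vendor.split(".")[0]  # catches 'acme-supply' under another TLD or with words appended
        if normalize(domain) == normalize(vendor) or levenshtein(domain, vendor) <= max_distance or base in domain:
            return f"lookalike:{vendor}"
    return "unrelated"


def triage(sender: str, body: str) -> str:
    """Decide what accounts payable should do with an invoice email before paying it."""
    verdict = classify_sender(sender)
    if verdict.startswith("lookalike"):
        return f"block_and_report ({verdict})"
    if BANK_CHANGE.search(body):
        # Even a genuine vendor mailbox may be compromised: confirm by phone, never by replying.
        return "hold: confirm new bank details by phone using a number already on file"
    return "proceed"
```

A message from a known vendor that changes bank details is still held, because the vendor’s own mailbox may be the one that was phished.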

You might read through these steps and think this sounds like nothing new, and you would be right. What is new is that it is being perpetrated even with MFA on the account. In addition, the hackers are more sophisticated, they wait longer, their research is better, and the whole thing looks very real.

The obvious question is, “How do we stop this?” I’m glad you asked!

Here are Four Essentials to stop scams: 

  • Procedure & Policy – Many policies can govern financial transactions. Requiring a phone call, to a number already on file rather than one given in the email, to confirm any bank account or routing number change will seriously hamper this scam.
  • Security Awareness Training – Everyone should have their teams on a regular security awareness training plan. This training should run at least quarterly and be followed up with a phishing test campaign.
  • Cloud Security Software – Newer cloud security tools monitor MS 365 accounts for signs of compromise and disable them for investigation whenever something malicious appears.
  • Better Endpoint Security Software – If a hacker gets in through someone’s email or by luring them to a site with malware, the malicious code often tries to establish itself on that person’s machine. The newer generation of managed endpoint detection recognizes these malicious activities better. We recommend tools like Huntress and Speartip to upgrade your security and keep you safe.

It is important to remember that nothing can make you impervious to hacking attempts, but there are MANY things you can do to reduce your risk. These are some great steps to take to improve your position against these types of attacks.

If you are unsure if you have these items in place or think that you may need a review of your cybersecurity, please reach out.  We are always glad to discuss cybersecurity plans and make sure you are in the best possible position to avoid a threat!