Business email compromise (BEC) scams have been affecting organisations across multiple sectors in Southeast Asia. In Singapore alone, the Singapore Police Force (SPF) received more than 200 reports of business email impersonation scams in 2018, amounting to SGD30 million in losses, an increase of 9.7 percent from the same period in 2017.
Scammers are believed to have hacked into email accounts to monitor the correspondence between victims and their suppliers, particularly around ongoing negotiations and emails on sales and purchase transactions.
Given cybercriminals’ steadily increasing sophistication and their aggressive exploitation of weaknesses in email security, stronger cybersecurity guardrails have become necessary for organisations across critical sectors, including banking and finance, healthcare and government agencies.
To help understand the threat posed by BEC and ways to counter it, CSA reached out to Dylan Castagne, Managing Director of Retarus Asia, for an interview.
According to Dylan, BEC attacks, which use sophisticated social engineering tactics to deceive employees into handing over information requested by the attackers, are on a sharp rise because of their “ease of execution and ability to evade cyber defence tools”.
He explained, “A common form of BEC attack is the CEO (or CxO) fraud where cybercriminals disguise themselves as company heads and use bogus emails requesting the urgent and immediate transfer of large sums of money to complete confidential transactions such as mergers and acquisitions.”
Because the email appears to come from a known source, victims are inclined to act quickly in the face of the ostensible deadlines or imminent legal claims stated in the email. Dylan added that by combining social engineering techniques, employees’ trust in the contact person being impersonated, and the element of urgency, “cybercriminals are increasingly able to manipulate employees, who are predisposed to comply with orders from their superiors or a trusted party—even without the use of high technology.”
BEC vs Phishing
Phishing is a related social engineering attack that also causes havoc for businesses. The difference, according to Dylan, is that unlike traditional phishing attacks, BEC attacks are more sophisticated and carefully researched. “They appear to be more credible—as cybercriminals tailor the message to the victim they intend to target,” he said.
In the case of BEC attacks, cybercriminals may scour public sources such as company websites, press releases and commercial registers to obtain information such as the CEO’s name and email address, as well as employees with the authority to execute payments, to make their emails sound convincing. They also check out the social media sites of employees being targeted, to have a clearer understanding of the intended victims’ personality and behaviour.
Dylan added that cybercriminals tend to target staff who have access to sensitive company information and who are authorised to carry out transactions on behalf of the business.
“The employees concerned, whose positions range from the CEO’s executive assistant to HR or finance and controlling staff, then receive emails with their CEO as the purported sender,” he further explained, before adding that cybercriminals would also adjust the requested amount and the reason for the payment accordingly, based on enterprise size estimates.
While both BEC and phishing emails generally present an urgent call to action, Dylan said it is easier to see through a phishing attack, as compared to a BEC attack. He continued, “As opposed to phishing emails, BEC attacks may seem legitimate to the victim due to the convincing tone of the email, a more personalised message, font consistency, email signature, and even an email address that appears to be authentic to the victim. As a result, it is highly probable that employees in question will not think of verifying the identity of the email sender, increasing chances of them falling into the trap.”
Ways to Mitigate BEC and Other Email-Borne Threats
Dylan commented that cybercriminals are keen on exploiting vulnerabilities in organisations’ email protection systems, preying on inadequate email authentication services and a lack of email security protocols in place.
Unfortunately, many businesses still need to bolster email security awareness and education among their employees. Not everyone is vigilant in double-checking sender information, and many remain unaware of existing and new email threats.
With today’s cybercriminals using stealthier techniques and tooling that gives them greater anonymity and scale, it has never been more pressing for organisations to employ advanced email security services for better detection and protection.
He added that employee error continues to be a gateway for cybercriminals to carry out attacks. According to a study, 91% of email-related data breaches result from poor staff practices, such as sending unencrypted confidential documents by email.
“While companies of all sizes are vulnerable to social engineering attacks and CEO fraud, startups and smaller enterprises without clear processes make ideal targets as they are more prone to employee error. Hence, the importance of having proper security systems in place cannot be overemphasised,” said Dylan. One way to better safeguard against social engineering attacks is by investing in email security services offering both sophisticated email header analysis and specialised algorithms for detecting email spoofing.
Even so, the best IT security solutions are no replacement for training staff and raising their awareness, as the “human security factor” remains a risk in social engineering attacks and CEO fraud.
Dylan recommended the following steps to improve employee awareness. “Companies should take care to sensitise their employees about cyberthreats and cybersecurity measures on a regular basis and have transparent, easy-to-follow guidelines such as setting basic bank transfer limits or clearly defining controlling and authorisation processes to reduce the threat of CEO fraud scams.”
Using Technology to Prevent Attacks
While traditional security solutions may not be able to detect social engineering threats or fraud, technology advancements such as AI are opening new avenues for countering this kind of threat. According to Dylan, adopting technical standards that let organisations verify sender authenticity helps safeguard against BEC attacks.
He elaborated, “Some well-known options in the market include Sender Policy Framework (SPF), which helps detect forged sender addresses during email delivery, and DomainKeys Identified Mail (DKIM), which ascertains whether an email purporting to come from a specific domain is authentic by verifying DKIM signatures against the sender’s DNS records.
“Employing email security services offers an additional layer of protection against deceptive email scams,” he said. These days, modern email security solutions allow the automatic marking of emails upon the discovery of technical irregularities in sender information contained in the email header.
“By leveraging solutions offering sophisticated email header analysis and specialised algorithms that can detect email spoofing, companies are able to identify and prevent sophisticated BEC attacks from fooling victims with customised messages that are extremely difficult to distinguish from legitimate emails,” Dylan added.
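As an added illustration that is not part of the interview and is not Retarus code, the following Python script shows the kind of header analysis the two preceding passages describe. It reads the Authentication-Results header that a receiving mail server adds after performing the SPF and DKIM checks Dylan mentions, requires the authenticated domain to align with the visible From: domain (the alignment rule DMARC builds on SPF and DKIM), and then applies the sender-information heuristics that typically expose CEO fraud: a Reply-To steering replies elsewhere, a protected executive’s display name on a foreign address, and a lookalike of the organisation’s own domain. The domain example.com, the authserv-id mx.example.com, the protected-name list and the two messages are all constructed for this example.

```python
"""Added example (not Retarus or CSA code): header checks a mail gateway can
apply to flag BEC attempts, run over two constructed messages."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain, the authserv-id of
# its own MTA (the only Authentication-Results header that may be trusted), and
# the executives whose display names are worth protecting against impersonation.
OWN_DOMAIN = "example.com"
TRUSTED_AUTHSERV = "mx.example.com"
PROTECTED_NAMES = {"jane tan": "jane.tan@example.com"}


def _domain(address):
    """Lower-cased domain part of an address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def parse_authentication_results(msg):
    """Map spf/dkim/dmarc -> (result, domain the result was produced for).

    Only headers stamped by our own MTA count; a forged header that arrived
    from outside with a foreign authserv-id is ignored.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, *clauses = header.split(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for clause in clauses:
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, re.I | re.S)
            if not m:
                continue
            method, result, props = m.group(1).lower(), m.group(2).lower(), m.group(3)
            d = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(\S+)", props)
            ident = d.group(1) if d else ""
            results[method] = (result, _domain(ident) if "@" in ident else ident.lower())
    return results


def _aligned(auth_domain, from_domain):
    """Relaxed DMARC-style alignment: same domain or a subdomain of it."""
    return bool(auth_domain) and (auth_domain == from_domain or auth_domain.endswith("." + from_domain))


def _looks_like(candidate, target):
    """Crude lookalike test: homoglyph normalisation plus edit distance <= 1."""
    def norm(s):
        return s.replace("rn", "m").replace("vv", "w").translate(str.maketrans("0135", "oles"))
    a, b = norm(candidate), norm(target)
    if a == b:
        return True
    prev = list(range(len(b) + 1))          # Levenshtein distance, inputs are short
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1] <= 1


def analyse(raw_message):
    """Return a list of findings; an empty list means no irregularity was seen."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. SPF/DKIM must pass for a domain aligned with the From: the user sees;
    #    a pass for some unrelated bulk-mailer domain proves nothing.
    auth = parse_authentication_results(msg)
    aligned = False
    for method in ("spf", "dkim"):
        result, auth_domain = auth.get(method, ("none", ""))
        if result != "pass":
            findings.append(f"{method}={result}")
        elif _aligned(auth_domain, from_domain):
            aligned = True
        else:
            findings.append(f"{method} passed for {auth_domain}, not for From domain {from_domain}")
    if not aligned:
        findings.append("no authenticated domain aligns with From:")

    # 2. A Reply-To on another domain silently redirects the conversation.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain")

    # 3. A protected person's display name on an address that is not theirs.
    for name, real_addr in PROTECTED_NAMES.items():
        if name in display_name.lower() and from_addr.lower() != real_addr:
            findings.append(f"display name '{display_name}' impersonates {real_addr}")

    # 4. A lookalike of our own domain.
    if from_domain != OWN_DOMAIN and _looks_like(from_domain, OWN_DOMAIN):
        findings.append(f"From domain {from_domain} is a lookalike of {OWN_DOMAIN}")
    return findings


# Constructed messages; the Authentication-Results header is what the receiving
# MTA would have added after doing its own SPF/DKIM lookups.
LEGITIMATE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=jane.tan@example.com; dkim=pass header.d=example.com
From: Jane Tan <jane.tan@example.com>
To: finance@example.com
Subject: Q3 supplier invoices

Please process the attached invoices through the usual approval workflow.
"""

FRAUDULENT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@bulk-sender.example.net; dkim=none
From: "Jane Tan CEO" <jane.tan@examp1e.com>
Reply-To: jane.tan.ceo@mail-service.example.org
To: finance@example.com
Subject: URGENT - confidential transfer

I need SGD 180,000 wired today for the acquisition. Keep this strictly confidential.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("fraudulent", FRAUDULENT)):
        print(label, analyse(raw) or ["no findings"])
```

The legitimate message produces no findings; the fraudulent one trips every check, even though its SPF result is a genuine pass, because the pass was earned by the bulk sender’s domain and not by the domain shown to the recipient. A production gateway would feed such findings into the automatic marking described above rather than block outright, and must strip any inbound Authentication-Results header that carries its own authserv-id before adding its own.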
Ultimately, staying safe from such attacks requires a combination of technical measures (such as firewalls, endpoint and email protection) and ongoing training that keeps users abreast of the latest security threats, policies and techniques, so that the organisation’s digital assets are protected. Without adequate user awareness, cybercriminals can bypass many of the security measures an organisation puts in place through social engineering attacks such as BEC.