Business Email Compromise (BEC) attacks are particularly threatening because they are close to impossible to trace and they leave you with irreplaceable financial and reputational loss and downtime. This attack is becoming more common because instead of having to develop malware or complex attack chains, the only thing needed for execution is to send an email. For this reason, BEC attacks are simple but leave a strong sting.

For a more detailed post on what BEC is, check out this post

One of the most common questions we receive around business email compromise is, “how will we know if we are compromised and what do we do?” In our experience, the top three most common indicators of business email compromise are:

  1. People are receiving emails you did not send
  2. A back-and-forth conversation you were having suddenly ends
  3. Your account is logged in from another country

Taking a deeper dive into these three indicators, we will cover what can occur, how it can be detected and how to prevent.

Mysterious Emails

Often, a c-level executive and/or the person who handles the money is the target of business email compromise. Let’s say the CEO and the rest of a company are still working remotely. The CEO sends an email asking to transfer funds to a new business partner. The request isn’t out of the ordinary and the recipient of the request is savvy enough to check that it’s coming from the CEO’s real email address with the correct signature block and writing style. From the outside, it appears to be legitimate. From the inside, the CEO’s email account is hijacked.

The best way to detect and prevent this indicator of compromise is to implement multi step procedures for confirming monetary requests. For example, the recipient of this email should not only check the email address, email signature, and writing style but should also verbally confirm with the CEO before initiating the requested transaction. Advanced cyber awareness training is one of the best defenses for preventing further damage from BEC. While cyber awareness training would not have prevented the CEO’s account from being taken over, it will prevent monetary loss from an illegitimate transaction request.

The Cold Shoulder

In another common scenario, let’s say the compromised CEO was having a back-and-forth conversation with a new business partner and the conversation suddenly ends. The CEO was receiving regular responses but then a week later, she notices she has not heard back from her last correspondence. The CEO sends another email to her business partner and the business partner confirms that she did respond and completed the money transaction that they previously spoke about last week. In this situation, the hacker inserted themselves in the middle of the conversation and created an inbox forwarding rule behind the scenes to block out the CEO.

Unfortunately, most times this type of threat is usually detected after it is too late. The only way to detect and prevent this type of threat is to implement an email monitoring and threat detection tool. The tool can detect when a new email forwarding rule is created and alert. The owner of the inbox can confirm or deny whether they were the person to create the rule or if it is a sign of compromise. Then, appropriate actions can be taken to “kick out” the hacker before further damage is caused.

Suspicious Login

This last indicator is not one that can be detected to the normal eye. A threat detection tool can monitor mailboxes and alert when a new login is created from a different country. Sometimes, this is a legitimate login, and the person is simply traveling. It becomes suspicious when the inbox owner is logged in from CT (for example) and then 10 minutes later is logged in from India. Unless this person can time travel, there is no way that they are in both countries at the same time.

One of the best ways to prevent this type of compromise is to implement multifactor authentication (MFA) for logins on M365. With MFA upon login, the user will have to confirm their identity by entering a code sent to their phone, second email account, or third party app such as Microsoft Authenticator.

For a deeper dive into business email compromise, we encourage you to join us May the Fourth (be with you) for an interactive panel discussion. You can ask your questions and find out what it’s like to be the victim of a BEC attack.