Over the past decade, organizations have increasingly shed their on-site email systems in favor of cloud-hosted services. This has brought a myriad of benefits, particularly improved access to information and communication tools as well as cost savings. Unfortunately, this transformation has also increased the risk of business email compromise (BEC) events.
According to a Cyber Claims Study we conducted here at NetDiligence, business email compromise is a close runner-up to ransomware as a cause of cyber loss, and it disproportionately affects small and medium-sized enterprises (SMEs).
Once a business email is compromised, cyber criminals can wreak havoc on a company by posing as an insider and misdirecting funds.
So what exactly is business email compromise, what’s at risk, and how can you guard against such an event? In the rest of this article, we seek to answer these questions.
Business Email Compromise: An Overview
Business email compromise occurs when a bad actor gains access to and control of a legitimate business email account—known as account takeover (ATO).
There are a number of ways hackers can gain access to email accounts including stolen credentials, brute force attacks, phishing attacks, and other forms of social engineering. In one of the most common scenarios, a cyber criminal will use a phishing kit that impersonates a popular cloud-based email service allowing them to capture an unsuspecting victim’s log-in credentials.
Once an attacker has gained access to an email account, they will conduct reconnaissance and search through emails to learn the communication style of the victim and uncover clues to further dupe members of the organization. This will likely include identifying high value or important contacts, searching for financial transactions, and personal info to crack passwords on additional accounts.
Attackers may also capture and then delete key information or messages, or activate automatic forwarding to an outside email account so they can continue to view all communications even after they have logged out.
By impersonating the victim and using their account, the attacker has a foothold to attack further organizational accounts and instigate the fraudulent transfer of funds. For example, a cyber criminal could impersonate a CEO or manager to send a false invoice to a staffer and urge them to pay it. In this manner, the attacker directs funds away from the organization into their own account while evading detection.
One account takeover can result in a domino effect, with a criminal compromising multiple accounts across the organization and third parties.
What’s at Risk?
According to the FBI’s Internet Crime Complaint Center (IC3), during the last five years, BEC events have resulted in more than $2.1B in losses from two popular cloud-based email services. Although the report doesn’t mention it by name, those two cloud-based services were likely Google’s G-Suite and Microsoft Office 365—both of which have massive footprints across the business world and make fertile hunting grounds for cyber criminals.
To demonstrate the prevalence of email ATOs, Barracuda, a network security solutions provider, took a survey of their users. They discovered that by March 2019, 29% of organizations had their Office 365 accounts compromised and 1.5 million malicious and spam emails were sent from compromised accounts in a single month.
In 2019, BEC attacks accounted for well over half of the reported $3.5B in cyber-related losses. While it’s true these attacks affect companies of all sizes and verticals, our NetDiligence Cyber Claims Study suggests small and medium-sized enterprises are disproportionately targeted. According to our business email compromise statistics for 2019, the average monetary loss for SMEs was $157K, with reported losses as high as $3.4M.
Larger companies can have much higher financial repercussions. In August of 2019, a Toyota subsidiary company suffered $37M in losses after a successful business email compromise attack. To date, Toyota has not been able to recover any of the funds.
How Do You Prevent a BEC Event?
With determined and skilled cyber criminals, it is difficult or impossible to close all cyber vulnerabilities—but there are privacy and security measures you can take to manage the risk of a successful BEC attack. By taking the following measures, you can drastically improve email account security at your organization:
- Disable auto-forward to prevent criminals from sending or receiving communications undetected.
- Turn on native security features that block malicious mail, phishing, and spoofing.
- Enable alerts for suspicious logins such as those from a foreign country.
- Verify all requests for payment changes and transactions.
- Require end-users to use multi-factor authentication and update passwords at a regular interval.
- Disable legacy account authentication.
- Provide employees with business email compromise training including how to identify phishing emails and suspicious links.
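Several of the measures above (blocking auto-forwarding, alerting on sign-ins from unexpected countries, disabling legacy authentication) can also be checked after the fact by reviewing mailbox audit logs. The following Python script is an added example and is not code from this article or from NetDiligence; it scans a constructed audit export for the three account-takeover indicators named above and lists users who trip more than one. The log format, the field names, the internal domain `example.com`, the expected-country list and every sample line are assumptions made for this example; map them onto whatever your mail provider's audit export actually contains.

```python
"""
Detection sketch for three account-takeover indicators discussed above:
  * mailbox auto-forwarding to an outside domain,
  * sign-ins from a country the organization does not expect,
  * sign-ins over legacy (basic-auth) protocols such as IMAP or POP3.
The log format and all sample lines are constructed for this example.
"""
import json

# Assumptions for this example: the organization's own mail domain and the
# countries its staff normally sign in from.
INTERNAL_DOMAINS = {"example.com"}
EXPECTED_COUNTRIES = {"US", "CA"}
# Protocols that only support basic authentication and therefore bypass MFA.
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP_AUTH"}

# Constructed audit events, one JSON object per line, mimicking a generic
# sign-in / mailbox-configuration audit export.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "user": "alice@example.com", "event": "SignIn", "country": "US", "protocol": "Modern"}
{"ts": "2024-05-01T08:05:40Z", "user": "alice@example.com", "event": "SetForwarding", "forward_to": "bob@example.com"}
{"ts": "2024-05-01T23:17:03Z", "user": "alice@example.com", "event": "SignIn", "country": "NG", "protocol": "IMAP"}
{"ts": "2024-05-01T23:19:55Z", "user": "alice@example.com", "event": "SetForwarding", "forward_to": "drop@attacker-mail.test"}
{"ts": "2024-05-02T09:00:00Z", "user": "carol@example.com", "event": "SignIn", "country": "CA", "protocol": "Modern"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def external_forward(event):
    """True when a forwarding rule points outside the organization's domains."""
    if event.get("event") != "SetForwarding":
        return False
    domain = event.get("forward_to", "").rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def unexpected_country(event):
    """True for a sign-in from a country not on the expected list."""
    return event.get("event") == "SignIn" and event.get("country") not in EXPECTED_COUNTRIES


def legacy_auth(event):
    """True for a sign-in over a basic-auth protocol that should be disabled."""
    return event.get("event") == "SignIn" and event.get("protocol") in LEGACY_PROTOCOLS


def find_indicators(events):
    """Return (timestamp, user, indicator) tuples in log order."""
    findings = []
    for ev in events:
        if external_forward(ev):
            findings.append((ev["ts"], ev["user"], "external_auto_forward"))
        if unexpected_country(ev):
            findings.append((ev["ts"], ev["user"], "unexpected_country"))
        if legacy_auth(ev):
            findings.append((ev["ts"], ev["user"], "legacy_auth"))
    return findings


def users_to_review(findings):
    """Users with more than one distinct indicator are the first to investigate."""
    by_user = {}
    for _, user, indicator in findings:
        by_user.setdefault(user, set()).add(indicator)
    return sorted(u for u, inds in by_user.items() if len(inds) > 1)


if __name__ == "__main__":
    found = find_indicators(parse_events(SAMPLE_LOG))
    for ts, user, indicator in found:
        print(ts, user, indicator)
    print("review first:", users_to_review(found))
```

On the constructed sample, the internal forward to bob@example.com is ignored, while the night-time IMAP sign-in from an unexpected country followed by a forward to an outside domain produces three findings for the same account, which is exactly the sequence (reconnaissance, then persistence via auto-forward) described earlier in the article. In practice, a single indicator on its own is often benign (travel, a misconfigured client), so correlating several per user before escalating keeps the alert volume manageable.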
If you think you may have been victim to a business email compromise event, you’ll need a response plan. First steps to take include alerting your financial institution of possible fraudulent transactions, contacting IC3 or your local FBI field office, and reaching out to your breach coach or legal counsel. It’s also important to have business email compromise insurance or a cyber policy that covers account takeover events in case an attack does occur. This will help to take the weight off of what could otherwise be a crushing cost burden.
Improve Your Cyber Readiness with NetDiligence
NetDiligence has over 20 years of experience in cybersecurity, and we’ve helped thousands of corporate and non-profit customers bolster their cyber-readiness. We help clients identify their data and security vulnerabilities and design an actionable plan to improve data security and privacy needs.
The NetDiligence network is composed of cyber legal experts, forensics teams, and insurance-insiders. We aim to harness the collective expertise of this cybersecurity community and help our customers act on it with the proper tools and information.
If you want to improve your cybersecurity posture and equip your team to defend against and recover from any business email compromise event, check out the NetDiligence eRiskHub®, a purpose-built resource center for cyber-readiness.