If you get an email from your CFO requesting urgent action, what do you do?
That’s what Business Email Compromise attacks try to do. An executive–often a CFO or CEO–will have an urgent favor. Payment has to be made today; gift cards have to be purchased and sent now. It uses social engineering to really get lower-level employees to take an action they don’t want to do.
We see these all the time and they are difficult to stop because there is often no malware or malicious links. The body of the text may not be terribly different from what is typically sent.
These attacks are so convincing, in fact, that the FBI has charted $43 billion in losses from these scams since 2016.
In this attack, the CFO of a major sports corporation is asking someone in finance to send money via ACH transfer.
In this attack brief, researchers at Avanan, a Check Point Company, will discuss how threat actors are spoofing CFOs in order to get underlings to send money back to hackers.
In this attack, hackers are spoofing a CFO to get a lower-level employee to send funds.
- Vector: Email
- Type: Business Email Compromise
- Techniques: Social Engineering, Domain Spoof
- Target: Any end-user
Email Example #1
The user is presented with an email from the CFO of this major corporation. The CFO asks the recipient of the email to make payment to this insurance company. West Bend Mutual is a legitimate company; even more clever is the fact that the URL in the from address takes from their slogan. However, this is clearly a fake, as the “reply-to” address at the top of the email differs from the company’s email address. You’ll notice the banner that shows the email wasn’t from the displayed sender. This was added by the tenant’s generic Office 365, not Proofpoint. It is the only thing that alerted the end-user that something was amiss.
Email Example #2
This is a nearly identical email that affected another company. In fact, we’ve seen dozens of this type of attack. Notice two differences: There is no external banner alerting the end-user to potential danger; the “Get in touch” email at the bottom spells Silver Lining as Silver Linning.
Business Email Compromise attacks are staggeringly successful because they work. They play on people’s desires to perform well for their boss.
They are also successful because they are hard to stop. Secure Email Gateways do not have the contextual information they need to stop these attacks. These gateways are designed only to monitor inbound email—therefore they have no way of scanning internal email or understanding the context or conversational relationships within an organization. When an external gateway sees an email from the 'CEO' to the 'CFO', it will be the very first time it has seen such a conversation. While an internal solution will have seen thousands of similar real, internal conversations to compare it to, an external gateway can only guess at the context.
In this attack, a banner inserted by default security was key. However, banners are not the be-all, end-all; research has found that too many banners can lead to end-users ignoring them.
We’re seeing a dramatic uptick in these types of attacks. The FBI has reported a 62% increase in losses between July 2019 and December 2021; this amount of money has been pilfered from about a quarter million reported incidents. In 2021, $40 million nof the losses came were related to cryptocurrency; in 2020, that number was closer to $10 million.
A variation on this attack happened recently at Cisco, where a hacker was able to steal an employee’s password, then pretended to be a trusted organization during phone calls and emails. This is an escalation of the traditional BEC attack, but it’s all part of the same family. The idea is to use trusted names and partners to get lower-level employees to hand over money or credentials. Without using malware, attachments or malicious links, these hacks represent the apex of social engineering.
This type of attack has been seen at a variety of companies, in a variety of industries. Any CFO is a potential target.
The best thing, then, is to proactively block these attacks, so end-users don’t have to decide whether it is legitimate or not.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Always check reply-to addresses to make sure they match
- If ever unsure about an email, ask the original sender
- Encourage users to ask finance before acting on invoices
- Read the entire email; look for any inconsistencies, misspellings or discrepancies
- If using banners, be sure to not bombard end-users with them; only use them at critical times so that end-users take them seriously
- Deploy multi-factor authentication for all accounts, but especially email
- Configure accounts to notify you of changes
- Use a password manager to create and store your passwords–you should never actually know your own password
- Remind users to only share personal information in real-time, either in person or by phone. Encourage them to be skeptical of all messages with links, and to always verify with the sender, in real time, any messages with attached files