
Email Scammers are Evolving: Here’s How to Protect Yourself
Cybercriminals are rattling corporate door knobs on a constant basis, but few attacks are as devious and brazen as business email compromise (BEC). This social engineering attack uses email as a path into an organisation, enabling attackers to dupe victims out of company funds.
BEC attacks frequently use email addresses that look like they come from a victim’s own company or a trusted partner like a supplier. These domains are often misspelled, or use different character sets to produce domains that look like a trusted source but are malicious.
Eagle-eyed employees can spot these malicious addresses, and email systems can handle them using email protection tools like the Domain-based Message Authentication, Reporting, and Conformance (DMARC) email authentication protocol. But what if an attacker is able to use a domain that everyone trusts?
When Trusted Sources Can’t Be Trusted
Cybersecurity company Guardz recently discovered attackers doing just that. On March 13, it published an analysis of an attack that used Microsoft’s cloud resources to make a BEC attack more convincing.
Attackers used Microsoft’s own domains, capitalising on tenant misconfigurations to wrest control from legitimate users. They gain control of multiple Microsoft 365 organisational tenants, either by taking over existing ones or registering their own. On these tenants they create administrative accounts and set up mail forwarding rules.
They then abuse a Microsoft feature that displays an organisation’s name, using it to insert a fraudulent transaction confirmation, along with a phone number to call for a refund request. This phishing text gets through the system because traditional email security tools don’t scan the organisation name for threats. The email gets to the victim’s inbox because Microsoft’s domain has a good reputation.
When the victim calls the number, the attacker impersonates a customer service agent and persuades them to install malware or hand over personal information such as their login credentials.
A Rising Tide Of BEC Attacks
This attack highlights the ongoing spectre of BEC attacks, which have escalated over time. The most recent (2024) data from the FBI reported $55.5bn in global BEC losses between 2013 and 2023 – up from almost $51bn reported the prior year.
Neither is this the first time that BEC and phishing attacks have targeted Microsoft 365 users. In 2023, researchers noted the rapid rise in W3LL, a phishing kit that specifically compromised Microsoft 365 accounts by bypassing multi-factor authentication.
What You Can Do
The best approach to mitigating BEC attacks is, as with most other cybersecurity protections, multi-layered. Criminals might break through one layer of protection but are less likely to overcome multiple hurdles. Security and control frameworks, such as ISO 27001 and NIST’s Cybersecurity Framework, are good sources of measures to help dodge the scammers. These help to identify vulnerabilities, improve email security protocols, and reduce exposure to credential-based attacks.
Technological controls are often a useful weapon against BEC scammers. Using email security controls such as DMARC is safer than not, but as Guardz points out, they won’t be effective against attacks using trusted domains.
The same goes for content filtering using one of the many available email security tools. While it wouldn’t have caught the sneaky threat embedding technique used in the attack reported this March, it’s nevertheless a useful measure in general. Advanced content analysis that looks at organisational fields and metadata is optimal.
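The organisational-field check described above, as an added example that is not from the original article or from Guardz: it parses a constructed message whose sender is a trusted domain with a passing DMARC result, and flags the lure (a phone number together with refund or transaction wording) wherever it appears in the display name, subject or body. The sender and recipient domains are placeholders, not real addresses.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# The lure pattern from the attack: a phone number next to transaction/refund wording.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
LURE_RE = re.compile(r"\b(refund|transaction|purchase|charged|invoice)\b", re.I)

# Constructed sample: trusted sender, DMARC passes, lure sits in the org-name text.
SAMPLE_LURE = (
    'From: "Purchase confirmed. Call +1 555 010 0199 for a refund" <no-reply@example-cloud.test>\n'
    "To: finance@victim.test\n"
    "Subject: Thank you for your purchase\n"
    "Authentication-Results: mx.victim.test; dmarc=pass header.from=example-cloud.test\n"
    "\n"
    "Organisation: Purchase confirmed. Call +1 555 010 0199 for a refund\n"
    "Your subscription is now active.\n"
)

# Constructed sample: a benign notification from the same trusted sender.
SAMPLE_CLEAN = (
    'From: "Cloud Billing" <no-reply@example-cloud.test>\n'
    "Subject: Your monthly statement is ready\n"
    "Authentication-Results: mx.victim.test; dmarc=pass header.from=example-cloud.test\n"
    "\n"
    "Sign in to the portal to view your statement.\n"
)

def dmarc_passed(msg):
    """True if any Authentication-Results header records dmarc=pass."""
    return any("dmarc=pass" in str(h).lower()
               for h in msg.get_all("Authentication-Results", []))

def lure_fields(msg):
    """Names of the fields where a phone number and lure wording co-occur."""
    fields = {"from-display-name": parseaddr(str(msg.get("From", "")))[0],
              "subject": str(msg.get("Subject", ""))}
    body = msg.get_body(preferencelist=("plain",))
    fields["body"] = body.get_content() if body else ""
    return [name for name, text in fields.items()
            if PHONE_RE.search(text) and LURE_RE.search(text)]

def classify(raw):
    """Verdict for one raw RFC 5322 message; trusted sender does not clear it."""
    msg = message_from_string(raw, policy=default)
    hits = lure_fields(msg)
    if not hits:
        return "clean"
    # A passing DMARC result is exactly the case that header-only checks wave through.
    return "suspicious-trusted-sender" if dmarc_passed(msg) else "suspicious"
```

Run `classify(SAMPLE_LURE)` and `classify(SAMPLE_CLEAN)` to compare the two verdicts; the keyword list is deliberately small and would be tuned to an organisation’s own notification traffic.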
Similarly, conditional access policies, including a requirement for multi-factor authentication (MFA), are a valuable way to stop some BEC attacks. However, MFA, which uses a second out-of-band authentication mechanism to confirm the user’s identity, isn’t foolproof. Reverse proxy attacks, in which the attacker uses an intermediate server to harvest a victim’s MFA credential, are well known. One such attack occurred in 2022, targeting 10,000 organisations using M365. So, use MFA, but don’t rely on it alone.
Get Employees On Board
Many attacks are thwarted not by technical controls but by a vigilant employee who demands verification of an unusual request. Spreading protections across different aspects of your organisation is a good way to minimise risk, and that makes people and organisational controls key when fighting scammers. Conduct regular training on recognising BEC attempts and verifying unusual requests.
From an organisational perspective, companies can implement policies that force more secure processes when carrying out the kinds of high-risk instructions – like large cash transfers – that BEC scammers often target. Separation of duties – a specific control within ISO 27001 – is an excellent way to reduce risk by ensuring that it takes multiple people to execute a high-risk process.
Speed is essential when responding to an attack that does make it through these various controls. That’s why it’s also a good idea to plan your incident response before a BEC attack occurs. Create playbooks for suspected BEC incidents, including coordination with financial institutions and law enforcement, that clearly outline who is responsible for which part of the response and how they interact.
Continuous security monitoring – a fundamental tenet of ISO 27001 – is also crucial for email security. Roles change. People leave. Keeping a vigilant eye on privileges and watching for new vulnerabilities is critical to keep dangers at bay.
BEC scammers are investing in evolving their techniques because they’re profitable. All it takes is one big scam to justify the work they put into targeting key executives with financial requests. It’s the perfect example of the defender’s dilemma, in which an attacker only has to succeed once, while a defender must succeed every time. Those aren’t the odds we’d like, but putting effective controls in place helps to balance them more equitably.