The rise and rise of BEC fraud

Articles, Social Engineering | 2 September, 2021

Business Email Compromise, and its evil brother CEO Fraud, are both email-based fraud attacks that seek to trick the victim into paying a fake invoice or into transferring or diverting funds through some other kind of deception. Read on to learn how to protect your business from BEC fraud.

What is BEC fraud?

Business Email Compromise fraud is on the rise – according to the FBI it cost businesses more than ransomware in 2020. What is it, and how can you protect your business?

An example of CEO Fraud: criminals send an email that pretends to be from an authorised person (such as the CEO or the accounts department), asking for an enclosed invoice to be paid and usually giving some story as to why it must be paid immediately and why the sender cannot be reached by phone to validate the instruction. The email is sent from an external account controlled by the criminals, which has either been set up in the name of the CEO (using Gmail or a similar service) or uses a close misspelling of the business name in an attempt to trick the recipient.

Increasingly, threat actors use phishing techniques to obtain credentials for email accounts, especially Microsoft Office 365, so that they can send further email from genuine accounts and clean up any record of the fraudulent communications.

A Business Email Compromise fraud could look something like this: criminals use a phishing email to steal the Office 365 credentials of a member of your accounts department. They then use that email account either to send a fake invoice to a customer with their own bank details enclosed, or to contact a supplier who owes you money and inform them that you have changed banks and that all outstanding invoices should be paid into the new bank account (controlled by the criminals).

According to the FBI's 2020 Internet Crime Report, Business Email Compromise cost businesses more than ransomware in 2020, and the UK is by far the worst affected country after the USA.

There are two kinds of defence against BEC attacks – technical changes to protect your emails and training to help your staff spot fraudulent emails when they arrive in their inbox.

 

Technical Defences

By configuring your email server and DNS records, you can help identify fraudulent emails on the way into your business and help your clients and suppliers spot fraudulent emails that claim to be from your organisation but have really been sent by criminals.

 

SPF – Sender Policy Framework

SPF, the Sender Policy Framework, helps prevent criminals from sending emails spoofed to appear to come from your domain. The SPF record lists which servers are allowed to send email on behalf of your domain, and the recipient's mail server validates the sending server against that list. If the sending server does not match the SPF record, the message is more likely to be marked as spam by the receiving mail server.

SPF is configured through a DNS TXT record.

Details of how to configure SPF for Microsoft 365 can be found here.
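To make the validation step concrete, here is an added example (not code from the article or from SecureTeam) of how a receiving server evaluates an SPF record. It uses a constructed, in-memory stand-in for DNS with hypothetical zones (`example.com`, `mail.example.net`) in place of live lookups, and models only the `ip4`, `ip6`, `include` and `all` mechanisms. One caveat worth keeping in mind: SPF is checked against the envelope sender (MAIL FROM) domain, not the `From:` address the user sees, which is why the DMARC alignment rules described later matter.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical zones, not real domains).
# A real checker would query DNS for each domain it encounters.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "nospf.example": "some unrelated TXT record",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record published by a domain, or None if it has none."""
    record = DNS_TXT.get(domain.lower())
    if record and record.startswith("v=spf1"):
        return record
    return None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` (the envelope-sender / MAIL FROM
    domain) against the IP address of the connecting server.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are modelled; a, mx and exists need live
    DNS and are treated as non-matching here."""
    # RFC 7208 caps DNS-querying mechanisms at 10; nesting depth is used here
    # as a simplified guard that also stops include loops.
    if depth > 10:
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return result
        if mechanism in ("ip4", "ip6"):
            # `in` is False when the address is of the other IP version
            if ip in ipaddress.ip_network(argument, strict=False):
                return result
        elif mechanism == "include":
            # include: matches only if the referenced domain's record passes
            if check_spf(argument, sender_ip, depth + 1) == "pass":
                return result
    return "neutral"  # nothing matched and the record has no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, check_spf("example.com", ip))
```

With the record above, a message from 192.0.2.1 claiming `example.com` as its envelope sender evaluates to `fail` because of the trailing `-all`; a domain that publishes `~all` instead would only produce `softfail`, which most receivers treat as a spam signal rather than a rejection.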

 

DKIM – DomainKeys Identified Mail

DKIM provides a means to verify the domain that sent an email and helps show that the message was not tampered with in transit across the internet. DKIM uses public key cryptography to digitally sign the email message when it is sent by the mail server.

The sending server computes a hash of the content of the email message, signs that hash with a private key associated with the domain and adds the signature to the email headers. The recipient's mail server looks up the matching public key in the sender's DNS records and uses it to validate the signed hash in the header.

If the email content was changed in transit, or if the email was not truly sent from your mail server, the recipient's mail server will not be able to validate the DKIM signature and should mark the email as spam.

DKIM is not enabled automatically for custom domains in Office 365; instructions for enabling it can be found here.

Instructions for configuring DKIM for the Exim mail server on Linux can be found here.
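The tamper-detection part of DKIM can be shown with nothing more than the standard library. The following is an added example (not code from the article, Microsoft or the Exim project) that canonicalizes a message body the way a "relaxed" DKIM signer does, recomputes the body hash and compares it with the `bh=` tag of a DKIM-Signature header. The message, domain and selector are constructed for the example, and the `b=` value is an explicit placeholder: checking the RSA signature over the headers against the public key published at `<selector>._domainkey.<domain>` is the other half of verification and is not implemented here.

```python
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """RFC 6376 'relaxed' body canonicalization: trailing whitespace on each
    line is removed, runs of whitespace within a line collapse to one space,
    empty lines at the end of the body are dropped, and lines end in CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, algorithm="sha256"):
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    canonical = canonicalize_body_relaxed(body).encode("utf-8")
    return base64.b64encode(hashlib.new(algorithm, canonical).digest()).decode("ascii")


def parse_dkim_tags(header_value):
    """Split a 'k=v; k=v' tag list; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature_value, body):
    """True when the bh= tag of a DKIM-Signature header matches the body that
    was actually received, i.e. the body was not altered after signing."""
    tags = parse_dkim_tags(dkim_signature_value)
    if tags.get("v") != "1" or "bh" not in tags:
        return False
    # c=header/body; the body algorithm defaults to 'simple' when omitted
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "relaxed":
        return False  # only relaxed body canonicalization is implemented here
    algorithm = tags.get("a", "rsa-sha256").rpartition("-")[2]  # e.g. sha256
    return tags["bh"] == body_hash(body, algorithm)


# Constructed message: the signing server hashed this body when it sent the mail.
ORIGINAL_BODY = (
    "Hi,\r\n\r\nPlease pay invoice 4471 to the account on file.\r\n"
    "Thanks,\r\nAccounts\r\n"
)
# Constructed header; b= is a placeholder, not a real signature.
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2021;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    " b=PLACEHOLDER_NOT_A_REAL_SIGNATURE"
)
# The same message after the payment instructions were changed in transit.
TAMPERED_BODY = ORIGINAL_BODY.replace("the account on file", "our NEW account 12345678")

if __name__ == "__main__":
    print("original body hash matches:", body_hash_matches(DKIM_SIGNATURE, ORIGINAL_BODY))
    print("tampered body hash matches:", body_hash_matches(DKIM_SIGNATURE, TAMPERED_BODY))
```

Because relaxed canonicalization ignores line-ending style and trailing blank lines, a message that merely passed through a gateway that rewrote CRLF to LF still verifies, while a single changed account number does not.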

 

DMARC

DMARC is designed to protect against direct email domain spoofing. It defines how a recipient server should handle an email that fails SPF or DKIM validation. In essence, DMARC allows a business to publish a rule that says: all our emails are signed using DKIM; if you receive any email that claims to be from our domain but is not signed with DKIM, always reject the message.

DMARC was pioneered by PayPal, Yahoo and Gmail originally as a means to help PayPal reduce the number of phishing emails affecting its customers.

Like SPF, DMARC policies are published as DNS records; the recipient mail server retrieves the record and applies the policy to email received from that domain.
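The following added example (not code from the article or from SecureTeam) shows how a receiving server turns a published DMARC record into a decision. It goes slightly beyond the article's "reject if not DKIM-signed" rule to cover what a real receiver checks: either SPF or DKIM must pass *and* the authenticated domain must align with the visible `From:` domain, with `aspf`/`adkim` choosing strict or relaxed alignment and `sp` covering subdomains. The DNS data is a constructed stand-in for a `_dmarc.example.com` TXT lookup, and the organizational-domain logic is simplified to the last two labels (production code uses the Public Suffix List).

```python
# Constructed DNS data (hypothetical zone, not a real domain). A real receiver
# queries the _dmarc.<domain> TXT record.
DNS_TXT = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}


def organizational_domain(domain):
    """Last two labels of the domain. Real implementations consult the Public
    Suffix List so that names such as example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(from_domain):
    """Return (policy tags, found_at_exact_domain) or (None, False).
    Per RFC 7489 the receiver falls back to the organizational domain's
    record when the From domain itself publishes none."""
    for candidate in (from_domain, organizational_domain(from_domain)):
        record = DNS_TXT.get("_dmarc." + candidate.lower())
        if record and record.startswith("v=DMARC1"):
            return parse_dmarc(record), candidate == from_domain
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, requested_action).

    spf_domain is the envelope-sender (MAIL FROM) domain SPF was evaluated
    for; dkim_domain is the d= tag of a DKIM signature that verified."""
    policy, exact = lookup_dmarc(from_domain)
    if policy is None:
        return "none", "none"  # domain owner has published no instruction
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    action = policy.get("p", "none")
    if not exact:  # From domain is a subdomain: sp= overrides p= when present
        action = policy.get("sp", action)
    return "fail", action


if __name__ == "__main__":
    # Legitimate mail, and a spoof whose envelope domain passes SPF but does not align
    print(dmarc_disposition("example.com", "pass", "example.com", "pass", "example.com"))
    print(dmarc_disposition("example.com", "pass", "attacker-controlled.example", "none", None))
```

The second call is the case SPF alone cannot catch: the envelope sender is a domain the fraudster controls and its SPF record is perfectly valid, but because it does not align with the `example.com` shown in `From:`, the published `p=reject` applies.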

 

Help your team spot BEC fraud

Because technologies like SPF and DKIM are not universally deployed, there are additional steps you can take to help your staff identify potentially fraudulent emails and malicious attachments.

Flag external emails

In recent years it has become increasingly popular for Exchange admins to add a custom mail rule that injects a ** Warning: this email is from an external source ** banner at the start of emails received from outside the organisation. The idea is that if an email claims to be from an internal user (e.g. an attempt at CEO Fraud) but the warning is displayed, the recipient has a clue that something is wrong with the email.

External flag is now built into Outlook

Microsoft has now made this feature available as standard within Exchange, and the Outlook email clients display an External flag on each message header within the app, which avoids the need to alter the email message itself and aids readability.

You can find instructions to activate this feature through the Exchange PowerShell here.

 

Awareness training

Regular Security Awareness Training will help your staff to spot suspect emails and protect your business from fraud and malware-loaded attachments. No technical solution is 100% effective, and your staff remain the last line of defence against fraud and malware. A regime of regular training will help keep cyber security at the front of people's minds, ensuring it is business as usual and not an afterthought.

 

Report Phishing Emails

Microsoft has recently launched a free plugin for Office 365 which provides an easy way for your staff to report phishing and spam emails; this feedback helps improve the reliability of the anti-phishing system for all customers.

The NCSC is promoting the use of this feature to UK businesses along with simple instructions on how to configure the tool to send a copy of the phishing reports to the NCSC’s own Suspicious Email Reporting Service (SERS).

You can find the instructions from the NCSC here.

 

 

 

 
