Business Email Compromise, and its evil brother CEO Fraud, are both email-based fraud attacks that seek to trick the victim into paying a fake invoice or transferring or diverting funds through some other kind of deception. Read on to learn how to protect your business from BEC fraud.
What is BEC fraud?
Business Email Compromise fraud is on the rise – according to the FBI it cost businesses more than ransomware in 2020. What is it, and how can you protect your business?
An example of CEO Fraud: criminals send an email message that pretends to be from an authorised person (such as the CEO or the accounts department) asking for an enclosed invoice to be paid, usually with some story as to why it needs to be paid immediately and why the sender is not able to speak on the phone to validate the instruction. The email is sent from an external email account controlled by the criminals, which either has been set up in the name of the CEO (using Gmail or similar) or uses a close misspelling of the business name in an attempt to trick the recipient.
Increasingly threat actors are using phishing techniques to obtain credentials to email accounts, especially Microsoft Office 365, so they can send further email from valid email accounts and clean up any record of the fraudulent communications.
A Business Email Compromise fraud could look something like this: criminals use a phishing email to steal the Office 365 credentials of a member of your accounts department. They then use this email account either to send a fake invoice to a customer with their own bank details enclosed, or to contact a supplier who owes you money and inform them that you have changed banks and all outstanding invoices should be paid to the new bank account (controlled by the criminals).
According to the 2020 Internet Crime Report from the FBI, Business Email Compromise cost businesses more than ransomware in 2020, and the UK is by far the worst-affected country after the USA.
There are two kinds of defence against BEC attacks – technical changes to protect your emails and training to help your staff spot fraudulent emails when they arrive in their inbox.
Technical Defences
By configuring your email server and DNS records, you can help identify fraudulent emails on the way into your business and help your clients and suppliers spot fraudulent emails that claim to be from your organisation but have really been sent by criminals.
SPF – Sender Policy Framework
SPF, the Sender Policy Framework, helps prevent criminals sending emails that have been spoofed to appear to come from your domain. The SPF record lists which servers are allowed to send emails on behalf of your domain, and the recipient's email server validates the connecting server against that list. If the sending server is not listed, the email message is more likely to be marked as spam by the receiving mail server.
SPF is configured through a DNS TXT record.
Details of how to configure SPF for Microsoft 365 can be found here.
DKIM – DomainKeys Identified Mail
DKIM provides a means to verify the domain name that sent an email and helps show that the message was not tampered with during transit across the internet. DKIM uses public key cryptography to digitally sign the email message when it is sent by the email server.
The sending server generates a hash value based on the content of the email message, then uses a private key associated with the domain to sign that hash (encrypting it with the private key) and adds the result to the email header. The recipient email server looks up the matching public key in the sender's DNS record and uses it to validate the signed hash in the email header.
If the email content was changed during transit or if the email was not truly sent from your email server, then the recipient email server will not be able to validate the DKIM hash and should mark the email as spam.
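As an added example (not code from the original post), here is the first step a DKIM verifier performs: it recomputes the hash of the body it received and compares it with the bh= tag in the DKIM-Signature header. Only the standard library is used; the message, the selector name and the b= placeholder are constructed, and the public-key check of b= against DNS is left out.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalisation: CRLF line endings, trailing
    empty lines removed, exactly one CRLF at the end (an empty body becomes CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalised body, the value carried in the bh= tag."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace is ignored)."""
    tags = {}
    for part in re.sub(r"\s+", "", header_value).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key] = value
    return tags


def body_hash_matches(header_value: str, body: str) -> bool:
    """Does bh= still describe the body as received? False means the body changed
    after signing; a real verifier stops here and never checks the b= signature."""
    return parse_dkim_signature(header_value).get("bh") == body_hash(body)


# Constructed message: the sending server records bh= for the body it signed.
ORIGINAL_BODY = "Please pay invoice 4711 to sort code 00-00-00, account 12345678.\n"
SIGNED_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=mail2021;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + ";\r\n"
    " b=CONSTRUCTED-PLACEHOLDER-SIGNATURE"
)
# Changing the bank details in transit leaves bh= describing a body that no longer exists.
TAMPERED_BODY = ORIGINAL_BODY.replace("12345678", "87654321")
```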
DKIM is not enabled automatically on custom domains for Office 365; instructions for enabling it can be found here.
Instructions for configuring DKIM for Exim mail server for Linux can be found here.
DMARC
DMARC is designed to protect against direct email domain spoofing. It defines how a recipient server is supposed to handle an email which fails SPF or DKIM validation. In essence, DMARC allows a business to publish a rule that says: all our emails are signed using DKIM; if you receive any email which claims to be from our domain but is not signed with DKIM, always reject the message.
DMARC was pioneered by PayPal, Yahoo and Gmail originally as a means to help PayPal reduce the number of phishing emails affecting its customers.
Like SPF, DMARC policies are published as DNS records and the recipient email server must retrieve the record and apply the policy to the emails received from that domain.
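For the SPF and DMARC sections above, an added example (not from the original post) that evaluates an SPF record for a connecting IP address and then applies a DMARC policy with identifier alignment, the way a receiving server would. The domain names, IP ranges and DNS records are all constructed, only the ip4, include and all mechanisms are handled, and the relaxed-alignment check is a simplified stand-in for a public suffix lookup.

```python
import ipaddress

# Constructed DNS answers for a fictional domain; none of these are real records.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:spf.mailhost.example -all"],
    "spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the connecting IP (ip4, include and all only)."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1 ")]
    if len(records) != 1:  # no record, or several, means SPF cannot be evaluated
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if (name == "ip4" and addr in ipaddress.ip_network(arg, strict=False)) \
                or (name == "include" and spf_check(ip, arg, depth + 1) == "pass") \
                or name == "all":
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched

def dmarc_record(from_domain: str) -> dict:
    """Parse the _dmarc TXT record published for the From: header domain."""
    recs = [r for r in DNS_TXT.get("_dmarc." + from_domain, []) if r.startswith("v=DMARC1")]
    return dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv) if recs else {}

def aligned(domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organisational
    domain (approximated here as the last two labels, which suits example.com)."""
    return domain == from_domain if mode == "s" else domain.split(".")[-2:] == from_domain.split(".")[-2:]

def dmarc_disposition(from_domain, mail_from_domain, client_ip, dkim_domain, dkim_valid) -> str:
    """'pass' if an aligned SPF or DKIM check passes, otherwise the domain's p= policy."""
    policy = dmarc_record(from_domain)
    if not policy:
        return "none"  # lookalike or unprotected domains have no policy to apply
    spf_ok = spf_check(client_ip, mail_from_domain) == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_valid and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")
```

The last case in the test, a misspelt lookalike domain, shows why the staff-training section still matters: DMARC only covers mail that claims to be from your exact domain.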
Help your team spot BEC fraud
Because technologies like SPF and DKIM are not universally deployed, there are additional steps you can take to help your staff identify potentially fraudulent emails or malicious attachments.
Flag external emails
In recent years it has become increasingly popular for Exchange admins to add a custom mail rule which injects a ** Warning this email is from an external source ** banner at the start of emails received from outside the organisation. The idea is that if the email claims to be from an internal user (e.g. an attempt at CEO Fraud) but the warning is displayed, it gives the recipient a clue that there is something wrong with the email.
Microsoft has now made this feature available as standard within Exchange, and the Outlook email clients display an External flag on each message header within the app – which avoids the need to alter the email message itself and aids readability.
You can find instructions to activate this feature through the Exchange PowerShell here.
Awareness training
Regular Security Awareness Training will help your staff to spot suspect emails and protect your business from fraud and malware loaded attachments. No technical solution is 100% effective, and your staff remain the last line of defence against fraud and malware. A regime of regular training will help keep cyber security at the front of people’s minds – ensuring it is business as usual and not an afterthought.
Report Phishing Emails
Microsoft has recently launched a free plugin for Office 365 which provides an easy way for your staff to report phishing and spam emails; this feedback helps improve the reliability of the anti-phishing system for all customers.
The NCSC is promoting the use of this feature to UK businesses along with simple instructions on how to configure the tool to send a copy of the phishing reports to the NCSC’s own Suspicious Email Reporting Service (SERS).
You can find the instructions from the NCSC here.