Business Email Compromise (BEC) is a type of social engineering attack that's growing ever more sophisticated. Microsoft recently broke up a large-scale BEC campaign that used cloud-based infrastructure to target mailboxes and intercept financial transactions. The FBI reports business email compromise losses at nearly $2 billion in 2020. In this post, we'll talk about how to use RiskLens and FAIR to quantify BEC risk and greatly improve email risk management.
What is Business Email Compromise?
According to the FBI, Business Email Compromise starts with a criminal sending an email that appears to come from a legitimate source with a legitimate request. These attacks can occur through different means, but the most common are social engineering email attacks and spear phishing or man-in-the-middle phishing attacks. The cyber-criminal is usually hoping for financial gain or for information that can be used against an organization or an employee.
Even though email is the most common means of communication for this type of attack, there are different ways criminals use email to conduct BEC scams. According to the FBI, there are five specific types of BEC scams that most commonly affect organizations:
- CEO frauds: The attackers position themselves as the CEO or executive of a company and typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attackers.
- Direct deposit/payroll diversion scams: A criminal will attempt to contact targeted HR and payroll staff, pretending to be a current employee who needs to update banking details for direct deposit.
- Tax form scams: The attackers target HR or accounting team members and request W2 details for the organization's staff. The purpose is to obtain employees' personal identification information, either to steal identities or to submit false tax returns and collect the refunds.
- False invoice schemes: Attackers commonly target foreign suppliers through this tactic. The scammer poses as the supplier and requests fund transfers to fraudulent accounts.
- Data theft: These types of attacks typically target HR employees in an attempt to obtain personal or sensitive information about individuals within the company, especially high-level executives. This data can then be leveraged for future attacks such as CEO fraud.
Learn more about BEC through the FBI’s Internet Crime Report.
Quantifying Business Email Compromises with FAIR™ and RiskLens
In 2019, the FBI’s Internet Crime Complaint Center (IC3), recorded over 20,000 complaints regarding BEC with an estimated loss of $1.7 billion across multiple industries. There’s no question that your organization is at risk; the questions are, what’s your probable loss exposure and what’s the appropriate level of security investment? FAIR analysis, the international standard for quantifying cyber risk in financial terms, run through the RiskLens platform, can give you the answers.
Let’s walk through the analysis of a BEC risk scenario. I’ve picked a common one that I experienced as a Threat Intelligence Analyst. I’ve gone ahead and identified the asset, threat and effect below along with a loss statement.
Asset: Accounting Application
Threat: External Malicious Actor
Loss Statement: Assess the risk associated to an external malicious actor convincing a privileged insider via social engineering to alter vendor payment data in the accounting application.
Frequency: How often do we expect an external malicious actor to attempt to convince a privileged insider to alter vendor payment data in our accounting application via social engineering?
Magnitude: How much financial loss do we expect to experience each time this event occurs?
Below is an example attack chain which is a simple way to demonstrate how an external malicious actor will attempt to use an insider to alter data in accounting applications.
Figure 1: Example Attack Chain
Utilizing an attack chain is extremely helpful to clearly articulate how you suspect the event to unfold when speaking to SMEs and gathering data. Some questions to consider during this stage are:
- Has this type of event happened in the past?
- How many phishing campaigns are reported in our organization, per year?
- Are there any controls that would prevent a malicious email from landing in an employee’s inbox?
- Once the email is in the employee's inbox, is there anything that would prevent the employee from successfully altering data? Separation of duty controls, where each part of the process to alter data and confirm the recipient is signed off by a different individual, may offer a level of protection.
Event Magnitude (Financial Loss)
We consider these likely ways that loss would occur:
- Incident Response Management
- Affected Party (i.e. Customer) Notification
- Regulator Notification
- Credit Monitoring Provided to Affected Parties
- Litigation Cost/Regulatory Fines/Settlements
Current State of Financial Risk
With data in hand, we can run an analysis on the platform showing our current level of probable loss exposure from Business Email Compromise.
Figure 2: Example Reporting
The reporting shows financial loss exposure on both an annual and a per-event basis, as well as how likely an event is to occur.
Please note: the results above are for example purposes only and are not meant to represent the scoped scenario for BEC.
Evaluating Risk Reduction Alternatives for BEC
Below are some examples of potential risk reduction options we can consider, determining how each will affect risk by reducing event frequency or loss magnitude.
- Increased employee training/awareness
- New/enhanced Identity Access Management controls
- New/enhanced Data Loss Prevention (DLP) controls
- New/enhanced Separation of Duty controls
Using the RiskLens platform, we can run "What If" analyses that change one or more of your inputs and evaluate the resulting change in loss exposure, showing the effect of each control against the baseline in annualized loss exposure.
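The frequency and magnitude questions posed for the loss statement above, and the "What If" comparison just described, are what a FAIR analysis actually computes. The following Python script is an added illustration of that arithmetic, not RiskLens platform code: each input is a calibrated minimum / most-likely / maximum estimate sampled from a PERT distribution, loss event frequency is threat event frequency multiplied by vulnerability, loss magnitude is the sum of the loss forms listed above, and a "what if" scenario models separation-of-duties on vendor payment changes as a reduced vulnerability. Every range and the assumed effect of the control are constructed numbers for demonstration, not data from this post.

```python
"""FAIR-style Monte Carlo for a BEC scenario (added illustration, not RiskLens code).

Risk = Loss Event Frequency x Loss Magnitude. All numbers are constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def sample(self, rng) -> float:
        """Draw one value from a PERT (scaled beta) distribution over the range."""
        if self.high == self.low:          # degenerate range: treat as a point estimate
            return self.low
        span = self.high - self.low
        alpha = 1 + 4 * (self.mode - self.low) / span
        beta = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class Scenario:
    """Inputs for one loss scenario, in FAIR terms."""
    threat_event_frequency: Estimate   # social-engineering attempts per year
    vulnerability: Estimate            # probability an attempt becomes a loss event (0..1)
    loss_forms: dict                   # loss form name -> per-event cost Estimate (USD)


def poisson(lam: float, rng) -> int:
    """Number of loss events in one year given expected frequency lam (Knuth's method)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values: list, q: float) -> float:
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Simulate independent years and summarise annualized loss exposure (ALE)."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        total = 0.0
        for _ in range(poisson(lef, rng)):            # each loss event adds every loss form
            total += sum(est.sample(rng) for est in scenario.loss_forms.values())
        annual_losses.append(total)
    annual_losses.sort()
    return {
        "mean_ale": sum(annual_losses) / years,
        "p10": percentile(annual_losses, 0.10),
        "p50": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),
        "prob_any_loss": sum(1 for x in annual_losses if x > 0) / years,
    }


# Constructed per-event cost ranges for the loss forms named in the post (USD).
LOSS_FORMS = {
    "incident_response": Estimate(5_000, 20_000, 60_000),
    "affected_party_notification": Estimate(0, 10_000, 50_000),
    "regulator_notification": Estimate(0, 2_000, 10_000),
    "credit_monitoring": Estimate(0, 15_000, 100_000),
    "litigation_fines_settlements": Estimate(0, 50_000, 500_000),
}

BASELINE = Scenario(
    threat_event_frequency=Estimate(2, 6, 15),     # constructed: attempts per year
    vulnerability=Estimate(0.05, 0.15, 0.40),      # constructed: chance an attempt succeeds
    loss_forms=LOSS_FORMS,
)

# "What if": a second person must confirm every vendor payment change. The halved
# vulnerability range is an assumption for the example, not a measured control effect.
WITH_SEPARATION_OF_DUTIES = Scenario(
    threat_event_frequency=BASELINE.threat_event_frequency,
    vulnerability=Estimate(0.02, 0.07, 0.20),
    loss_forms=LOSS_FORMS,
)


def compare(baseline: Scenario, alternative: Scenario, years: int = 10_000) -> dict:
    """Run both scenarios and report the change in mean annualized loss exposure."""
    base, alt = simulate(baseline, years), simulate(alternative, years)
    return {"baseline": base, "alternative": alt,
            "ale_reduction": base["mean_ale"] - alt["mean_ale"]}


if __name__ == "__main__":
    result = compare(BASELINE, WITH_SEPARATION_OF_DUTIES)
    for name in ("baseline", "alternative"):
        r = result[name]
        print(f"{name:12s} mean ALE ${r['mean_ale']:,.0f}  p10 ${r['p10']:,.0f}  "
              f"p50 ${r['p50']:,.0f}  p90 ${r['p90']:,.0f}  P(loss) {r['prob_any_loss']:.0%}")
    print(f"control reduces mean ALE by ${result['ale_reduction']:,.0f}")
```

The p10/p50/p90 spread is the point of running a simulation rather than multiplying averages: a control that halves vulnerability shifts the whole distribution, and the reduction in mean ALE can be compared directly with the control's annual cost to decide whether it is worth funding.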
With quantitative analysis, we can get ahead of the threat actors, take reasonable cost-effective steps to keep BEC risk within tolerance levels and balance our spending across the security budget based on a solid understanding of cyber risk in financial terms.