Cloud-based Business Email Compromise

Stu Sjouwerman | Apr 8, 2020

The FBI’s Internet Crime Complaint Center (IC3) published an alert warning that criminals are exploiting cloud-based email services to carry out business email compromise (BEC) attacks. The attackers are using phishing kits that impersonate email services like Google’s G Suite or Microsoft’s Office 365 in order to compromise corporate email accounts. Once they gain access to an account, they’ll try to request or intercept money transfers.

“Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cyber criminal to target victims using cloud-based services,” the statement explains. “Upon compromising victim email accounts, cyber criminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.”

IC3 says it’s received complaints totaling $2.1 billion in losses as a result of BEC attacks using “two popular cloud-based email services.” (The statement doesn’t specify which two services.)

“Over the last decade, organizations have increasingly moved from on-site email systems to cloud-based email services,” the alert says. “Losses from BEC scams overall have increased every year since IC3 began tracking the scam in 2013. BEC scams have been reported in all 50 states and in 177 countries. Small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defense.”

The FBI notes that most of these email services have security features that can help defend against BEC attacks (multi-factor authentication, for example, and alerting on or blocking mailbox rules that forward mail outside the organization), but these features are often not enabled by default and have to be configured by the customer.
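The mailbox-rule tradecraft the alert describes (rules that delete key messages, auto-forwarding to an outside address) leaves a trail in the mailbox audit log, and that trail is what a tenant's own detection should key on once logging is turned on. The following is an added example, not code from the page or from the FBI: it runs a simple triage over constructed Microsoft 365-style audit records (the `Operation`/`Parameters` shape, the parameter names, and the `example.com` internal domain are assumptions about the export format and the tenant, not data from the alert) and flags external forwarding, deletion rules, and rules that filter on financial keywords.

```python
"""Triage mailbox-rule and forwarding changes for BEC tradecraft.

Flags, per audit record:
  * forwarding/redirect to an address outside the organisation's domains
  * rules that delete matching messages (hides the attacker's correspondence)
  * rules whose filter targets financial keywords (invoice, wire, payment ...)

The records below are CONSTRUCTED for this example. Their shape (Operation
plus a Parameters name/value list) is an assumption modelled on Microsoft 365
unified audit log exports; adapt the field names to your own source.
"""
import json
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
DELETE_PARAMS = {"DeleteMessage"}
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "transfer", "remittance"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)

# Constructed sample log (JSON lines), not real tenant data.
SAMPLE_LOG = [
    json.dumps({"CreationTime": "2020-04-06T08:12:41", "UserId": "alice@example.com",
                "Operation": "New-InboxRule", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire transfer;payment"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "ForwardTo", "Value": "Finance Dept <ap.finance.dept@gmail.com>"}]}),
    json.dumps({"CreationTime": "2020-04-06T08:15:02", "UserId": "bob@example.com",
                "Operation": "Set-Mailbox", "Parameters": [
                    {"Name": "Identity", "Value": "bob@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.home@outlook.com"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2020-04-06T09:01:10", "UserId": "carol@example.com",
                "Operation": "New-InboxRule", "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2020-04-06T09:20:55", "UserId": "dave@example.com",
                "Operation": "New-InboxRule", "Parameters": [
                    {"Name": "Name", "Value": "Vendor invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]}),
    json.dumps({"CreationTime": "2020-04-06T10:02:00", "UserId": "erin@example.com",
                "Operation": "Set-InboxRule", "Parameters": [
                    {"Name": "Identity", "Value": "Cover for Frank"},
                    {"Name": "ForwardTo", "Value": "Frank <frank@example.com>"}]}),
]


def parameters(record):
    """Collapse the Parameters name/value list into a plain dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses found in a parameter value whose domain is not one of ours."""
    return sorted({a.lower() for a in EMAIL_RE.findall(value)
                   if a.split("@")[1].lower() not in INTERNAL_DOMAINS})


def assess(record):
    """Return (severity, findings) for one record; severity is None if benign.

    'high'  = external forward or delete rule (the tradecraft in the FBI alert)
    'low'   = filter on financial keywords with no forward/delete (worth a look)
    """
    if record.get("Operation") not in WATCHED_OPS:
        return None, []
    params = parameters(record)
    high, low = [], []
    for name in sorted(FORWARD_PARAMS & params.keys()):
        ext = external_addresses(params[name])
        if ext:
            high.append(f"{name} to external address(es): {', '.join(ext)}")
    for name in sorted(DELETE_PARAMS & params.keys()):
        if params[name].lower() == "true":
            high.append(f"{name} is set: matching mail is deleted before the owner sees it")
    for name in sorted(FILTER_PARAMS & params.keys()):
        hits = sorted(set(re.findall(r"[a-z]+", params[name].lower())) & FINANCE_WORDS)
        if hits:
            low.append(f"{name} targets financial keywords: {', '.join(hits)}")
    if high:
        return "high", high + low
    if low:
        return "low", low
    return None, []


def scan(lines):
    """Parse JSON lines and return one alert dict per suspicious record."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        severity, findings = assess(record)
        if severity:
            alerts.append({"user": record.get("UserId"), "operation": record["Operation"],
                           "severity": severity, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity'].upper()}] {alert['user']} {alert['operation']}")
        for f in alert["findings"]:
            print("   -", f)
```

In a real tenant the records would come from the unified audit log (for example via `Search-UnifiedAuditLog` in Exchange Online PowerShell) or from enumerating `Get-InboxRule` across mailboxes, and the `INTERNAL_DOMAINS` set would be the organisation's accepted domains; the internal-forward case (`erin` above) is deliberately left unflagged so the rule does not drown analysts in ordinary delegation.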

On the human side, these attacks can potentially be thwarted at several steps during the process. Ideally, the email account owner would spot the initial phishing attack and avoid having their account compromised in the first place. Even if an account is compromised, however, employees can still prevent the attacker from succeeding by being wary of any requests involving money transfers, whether they come from a coworker or from a business partner. The FBI recommends verifying these requests in person or over the phone.

The FBI recommends implementing multi-factor authentication on all email accounts, as well as “[educating] employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.” New-school security awareness training can provide your organization with an essential layer of defense by teaching your employees how to recognize suspicious activity.

The FBI’s Internet Crime Complaint Center has the story: https://www.ic3.gov/media/2020/200406.aspx
