FBI Recommendations on Business Email Compromise (BEC)

The menace of Business Email Compromise (BEC) is often overshadowed by ransomware but it’s something small and medium-sized businesses shouldn’t lose sight of.

The FBI Internet Crime Complaint Center (IC3) has alerted US businesses to ongoing attacks targeting organizations using Microsoft Office 365 and Google G Suite.

Warnings about BEC are specifically to those carried out against the two largest hosted email services, and the FBI believes that SMEs, with their limited IT resources, are most at risk of these types of scams:

Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.

As organizations move to hosted email, criminals migrate to follow them.

As with all types of BEC, after breaking into the account, criminals look for evidence of financial transactions, later impersonating employees to redirect payments to themselves.

For good measure, they’ll often also launch phishing attacks on contacts to grab even more credentials, and so the crime feeds itself a steady supply of new victims.

Turn on Multi-Factor Authentication (MFA)

One takeaway is that despite the rise in BEC attacks on hosted email, this type of email is still more secure than the alternatives provided admins turn on the security features that come with it.

The FBI has the following general advice:

  • Enable multi-factor authentication for all email accounts
  • Verify all payment changes via a known telephone number or in-person

And for hosted email admins:

  • Prohibit automatic forwarding of email to external addresses
  • Add an email banner to messages coming from outside your organization
  • Ensure mailbox logon and settings changes are logged and retained for at least 90 days
  • Enable alerts for suspicious activity such as foreign logins
  • Enable security features that block malicious email such as anti-phishing and anti-spoofing policies
  • Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and to validate email

The FBI also recommends prohibiting legacy protocols that can be used to circumvent multi-factor authentication, although this needs to be done with care as some older applications might still depend on these.

%d bloggers like this: