The Threat of Email Compromise
Ransomware attacks grab most of the headlines—for instance, the Colonial Pipeline attack earlier in 2021—but in terms of direct loss, Business Email Compromise/Email Account Compromise (BEC/EAC) was the top crime reported to the FBI’s Internet Crime Complaint Center (IC3).[1] BEC has evolved over the decade and is now also referred to as EAC in acknowledgement that personal email accounts are also targets.
According to the IC3 Internet Crime Report for 2020, more than $1.8 billion was lost in 2020 to BEC/EAC attacks. That is more than 50 times the money lost in direct payments to ransomware attacks. BEC/EAC attacks are also much more common with nearly eight times as many complaints to the FBI compared to ransomware—19,369 BEC complaints compared to 2,474 ransomware complaints in 2020.
Ransomware is still a serious threat, including the threat of business interruption, but you are more likely to be targeted in a BEC/EAC attack than a ransomware attack.
Anatomy of a BEC/EAC attack
A BEC/EAC attack in 2021 usually starts with one of the following:
A successful phishing attack against an individual – A fraudulent email is sent to the individual, usually as a part of a large campaign, and that email tricks the user into entering their credentials into a fake login form, which then passes those credentials to the attacker.
A successful social engineering attack – Social engineering attacks are most often carried out over the phone but can also be accomplished via email or instant messaging, or even in person. The attacker will contact the victim and convince them to provide information or inappropriate access to the attacker. In a BEC/EAC attack, the victim’s email login credentials are most valuable.
A successful computer intrusion – Computer intrusion in this context is a catch-all for malware and active intrusion of computer systems, resulting in credential compromise.
After gaining access to the victim’s email account, the attacker may lie in wait until a valuable transaction is sent over email. If the account compromised isn’t a valuable enough target, the attacker may use the victim’s account to launch more attacks against the victim’s contacts.
BEC/EAC losses hit organizations in every industry; the common thread is conducting business via wire transfer. In the typical case the attacker waits until an email with wire instructions is received or expected and replaces the legitimate instructions with fraudulent ones. Once the wire reaches the wrong bank, the funds are moved quickly to other banks, often overseas. In many cases the victim does not notice the wire is missing for a month or longer, well past the window in which the funds could have been recalled.
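The "lie in wait" phase described above usually leaves a trace in the mailbox provider's sign-in log: the attacker authenticates as the victim from a location the victim has never used, often minutes apart from the victim's own sessions. The script below is an added illustration of that check, not code from the original article or from DHG; the log format, the pre-resolved country/latitude/longitude fields, the user names and the IP addresses are constructed for the example (a real deployment would first map each IP to a location).

```python
"""Flag sign-ins that suggest a compromised mailbox.

Two checks per user, over successful sign-ins only:
  1. a sign-in from a country never seen before for that user, and
  2. "impossible travel": two consecutive sign-ins too far apart to have
     been made by one person in the elapsed time.
Sample records are constructed for this example and use a hypothetical
JSON-lines layout; they are not output from any real product.
"""
import json
import math
from datetime import datetime

# Constructed sample audit log (hypothetical format). Documentation-range IPs.
SAMPLE_LOG = """
{"ts": "2021-06-01T13:05:00Z", "user": "ap@example.com", "ip": "203.0.113.10", "country": "US", "lat": 32.78, "lon": -79.93, "result": "success"}
{"ts": "2021-06-02T08:12:00Z", "user": "ap@example.com", "ip": "203.0.113.10", "country": "US", "lat": 32.78, "lon": -79.93, "result": "success"}
{"ts": "2021-06-02T08:40:00Z", "user": "ap@example.com", "ip": "198.51.100.7", "country": "NG", "lat": 6.52, "lon": 3.38, "result": "success"}
{"ts": "2021-06-02T09:00:00Z", "user": "cfo@example.com", "ip": "203.0.113.22", "country": "US", "lat": 32.78, "lon": -79.93, "result": "success"}
{"ts": "2021-06-02T09:30:00Z", "user": "cfo@example.com", "ip": "198.51.100.9", "country": "RU", "lat": 55.75, "lon": 37.62, "result": "failure"}
"""

MAX_PLAUSIBLE_KMH = 900.0  # roughly the ground speed of an airliner


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted per user."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_suspicious_signins(text):
    """Return a list of (user, timestamp, alert_type, detail) tuples."""
    alerts = []
    last_success = {}      # user -> most recent successful sign-in
    known_countries = {}   # user -> countries seen in earlier successful sign-ins
    for e in parse_events(text):
        if e["result"] != "success":
            continue  # failed attempts are not evidence of access for this check
        user = e["user"]
        seen = known_countries.setdefault(user, set())
        if seen and e["country"] not in seen:
            alerts.append((user, e["ts"].isoformat(), "new_country", e["country"]))
        prev = last_success.get(user)
        if prev is not None:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((user, e["ts"].isoformat(), "impossible_travel",
                               f"{km:.0f} km in {hours:.2f} h"))
        seen.add(e["country"])
        last_success[user] = e
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_signins(SAMPLE_LOG):
        print(*alert)
```

In the sample data the accounts-payable user signs in from the office, then 28 minutes later from Lagos, which trips both checks; the CFO's foreign event is a failed attempt and is ignored. A first-time country is a weak signal on its own (travel, VPNs), so in practice it is paired with the travel-speed check or with other signs of mailbox takeover before anyone is paged.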
How to protect yourself and your company
The good news is that you can protect yourself and your organization from these attacks, but it will require vigilance and some inconvenience. Below is a summary of steps you can take to protect personal and company email accounts:
Train your employees to recognize phishing emails. Common themes in phishing emails are poor grammar and spelling, a sense of urgency, or a link you must click to log in and fix a problem or verify information.
Do not click links in emails, instant messages, or text messages. If a message asks you to log in somewhere, open the site by typing its address or using a saved bookmark instead.
Enable multi-factor authentication (MFA) on all accounts that support it. With MFA enabled, a stolen password alone is not enough to sign in; the attacker would also have to capture or bypass the second factor, which defeats the bulk of credential-phishing campaigns.
Insist that payments be sent by physical check, not a wire transfer, whenever possible.
If a wire must be sent, call a known number on file to verify the wiring instructions when sending a wire to a company for the first time and any time thereafter when wire instructions change. If you don’t know the sender’s phone number, call the company’s main number. Do not rely on information in the email, including the phone number. If you do call that number, you may be calling the attacker.
Regularly update your computer, cell phone, and any other device you use to access email with all security patches.
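The callback rule above is easy to state and easy to skip under deadline pressure, so it is worth enforcing in whatever system approves outgoing wires. The following is an added example of such a gate, not code from the original article or from DHG. The vendor master file, the phone numbers, the bank details and the request layout are constructed for the example; the one design point is that the number to call always comes from the record established at onboarding, and any phone number carried in the request itself is ignored.

```python
"""Decide whether a wire request needs out-of-band callback verification.

Rule (from the article): call a known number on file for the first wire to a
vendor and whenever the bank details change; never use contact details taken
from the email that delivered the instructions.
All vendor records and requests below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BankDetails:
    routing: str
    account: str
    bank_name: str


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    bank: BankDetails
    phone_in_email: Optional[str] = None  # present in real requests; never trusted here


# Trusted vendor master file, populated at onboarding, not from any email (constructed).
VENDOR_MASTER = {
    "acme-supply": {
        "phone_on_file": "+1-843-555-0100",
        "bank": BankDetails("021000021", "123456789", "Example Bank"),
        "paid_before": True,
    },
    "new-vendor-llc": {
        "phone_on_file": "+1-843-555-0199",
        "bank": BankDetails("021000021", "987654321", "Example Bank"),
        "paid_before": False,
    },
}


def normalize(value):
    """Strip punctuation and spacing so '1234-5678' and '12345678' compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).lower()


def same_bank_details(a, b):
    """Routing and account number are what an attacker changes; compare only those."""
    return normalize(a.routing) == normalize(b.routing) and normalize(a.account) == normalize(b.account)


def wire_verification_required(request, master=VENDOR_MASTER):
    """Return (required, reason, number_to_call).

    number_to_call is always taken from the master file. request.phone_in_email
    is deliberately never read: if the email is fraudulent, so is that number.
    """
    rec = master.get(request.vendor_id)
    if rec is None:
        return True, "vendor not in master file; onboard before paying", None
    if not rec["paid_before"]:
        return True, "first wire to this vendor", rec["phone_on_file"]
    if not same_bank_details(request.bank, rec["bank"]):
        return True, "bank details differ from record on file", rec["phone_on_file"]
    return False, "bank details match record on file", None


if __name__ == "__main__":
    changed = PaymentRequest(
        "acme-supply",
        BankDetails("021000021", "5555-5555", "Example Bank"),
        phone_in_email="+1-202-555-0123",  # supplied by the (possibly forged) email
    )
    print(wire_verification_required(changed))
```

Running the block shows the changed-account request being held for a call to the number on file, not the number in the email. A production version would also record who made the call, when, and what was confirmed, so that the control is auditable after the fact.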
For more information about the risks of BEC/EAC and how they may affect you, look to the professionals at DHG. Our cybersecurity teams combine extensive experience and comprehensive insights on the threats you may experience. To learn more, please reach out to us at itadvisory@dhg.com.
About the Author – Jeremy Gilbert serves as a director in charge of the digital forensics lab in DHG’s Charleston, SC office and manages a team of data analytics professionals around the firm. He can be reached at Jeremy.Gilbert@dhg.com.
Reference:
[1] Internet Crime Report 2020, https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf