BEC (Business Email Compromise) incidents are on the rise, costing companies more than £9.5 billion over the last 5 years.
BEC attacks involve the use of multiple disciplines to be effective. The BEC campaigns are usually multi-staged as there is a degree of familiarity required with the company policies and staff for the attack to be carried out successfully.
While the initial phishing stage uses domains that are virtually indistinguishable from the original, the actual attacks are carried out using internal mail accounts that have been compromised, making detection of fraudulent mails that much harder. Some of the tactics used include sending mails from high-level staff, the attackers inserting themselves into a legitimate mail exchange, and the manipulation of mail filtering and rules to ensure the mail users are only communicating with them.
In companies with additional steps in place for payments (documentation or approval), the attackers found the relevant paperwork on the company network and filled it out after researching previous use of that paperwork to ensure there were no suspect mistakes.
BEC (Business Email Compromise) campaigns involve the following stages:
• Credential harvesting – Typically found in large data dumps available online
• Social Engineering
• Phishing / Targeted Phishing
• Endpoint / User Reconnaissance – Learning about the language, templates and tone of messages on the network
• Learning about how the targeted users interact
• Manipulation of emails / email system to send mail that appears to be from the relevant user, in the correct format
• Registering a domain / domains that are similar to the company domain
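On the defensive side, the similar-domain stage is one that can be checked mechanically. The following is an added example, not Brookcourt's code: it compares a feed of newly observed domains against a protected domain and reports why each one resembles it. It assumes the feed holds registrable domains (name plus suffix), and `examplecorp.com` and every sample domain are constructed.

```python
# Added example: sample domains below are constructed, not real indicators.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

def skeleton(label):
    """Collapse visually confusable sequences so look-alikes compare equal."""
    label = label.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(candidate, protected, max_distance=1):
    """Return why candidate resembles protected, or None if it does not."""
    cand, prot = candidate.lower().rstrip("."), protected.lower().rstrip(".")
    if cand == prot or cand.endswith("." + prot):
        return None  # the genuine domain or one of its subdomains
    c_label, p_label = cand.partition(".")[0], prot.partition(".")[0]
    if c_label == p_label:
        return "tld-swap"  # same name registered under a different suffix
    c_skel, p_skel = skeleton(c_label), skeleton(p_label)
    if c_skel == p_skel:
        return "lookalike-characters"
    if edit_distance(c_skel, p_skel) <= max_distance:
        return "typo"
    if p_skel in c_skel:
        return "embedded-name"
    return None

def scan(feed, protected):
    """Map each suspicious domain in feed to the reason it was flagged."""
    hits = {d: classify(d, protected) for d in feed}
    return {d: reason for d, reason in hits.items() if reason}

if __name__ == "__main__":
    FEED = ["examp1ecorp.com", "exarnplecorp.com", "exmaplecorp.com",
            "examplecorp.co", "examplecorp-invoices.com", "unrelated.org"]
    for domain, reason in scan(FEED, "examplecorp.com").items():
        print(f"{domain:28} {reason}")
```

The same check can be run against the domains of partners and suppliers by calling `scan` once per protected domain.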
How can Brookcourt’s Cyber Surveillance Team help?
• Monitor for mentions of the company across criminal forums and the dark web
• Monitor for mentions of key staff members online, including criminal forums and the dark web
• Monitor domain registrations related to either the company directly, or partners, third parties and suppliers as well
• Provide additional information on any suspect indicators of compromise through our Request for Intelligence service
• Provide security awareness videos to educate staff on the dangers of and indicators used in campaigns of this nature
• Provide machine-readable intelligence to enrich SIEMs and firewalls with context on potentially malicious IP addresses logged on the network
What to watch for: C-Level and Finance Staff
• Suspicious or unexpected requests (over email or phone) from third parties or internal staff involving payments – If in doubt, be sure to use a number on file to contact the person in question to verify the payment request. Never use the number provided within the mail, as this can easily be directed to the attacker.
• Do not enable macros on mail attachments; this is an age-old and common form of infecting an endpoint with malware.
What to watch for: Cyber Security and IT staff
• Alerts on the network involving Trojan software
• Suspicious staff logins, typically out of hours, or from a suspect location
• Phishing mails targeting C-level staff or staff involved in the approval or payment of wire transfers or invoices, either internally or for external parties
• Suspicious IP addresses showing up in monitoring software
• Suspicious connections coming from unexpected countries or regions
Contact Brookcourt Solutions for your complete Cyber Surveillance Managed Service:
t: 01737 886 111 . e: email@example.com