Skip to main content

The evolution of business email compromise

16 February 2021

Healthcare cyber-security series.

New technology provides faster, more convenient, and efficient ways of doing business. In healthcare, we are seeing the emergence of cloud technologies to host data, an increase in digital communication, and mobile device adoption.1

Despite all the modern security solutions in our increasingly digital world, employees still make mistakes that may lead to data breaches. Just one click on a legitimate-looking phishing email scam can expose your entire email environment to attack by cyber-criminals. Human error caused 90% of data breaches in 2019, with staff making a variety of mistakes that put their company’s data or systems at risk.2

Organisations who suspect their email systems may have been compromised face costly investigations, including forensics services and data mining to find out whether sensitive information has been accessed or stolen. A cyber liability insurance policy can help to mitigate the cost, however phishing and business email compromise (BEC) present a continuous risk for companies.3

BEC is when a cyber-criminal uses compromised email credentials or spoofs a legitimate email address in order to induce an employee to make a wire transfer or other electronic payment to a bank account controlled by the cyber-criminal or, in some cases, to transfer sensitive data. According to reports by Beazley, the healthcare sector accounts for 22% of BEC incidents by industry.

An email account takeover is a compromise of email account credentials through phishing or malware that allows a cyber-criminal to access an email account and pose as the legitimate owner. Typically, the attacker sends a phishing email with a link to a website that looks genuine and prompts the user to enter their username and password. On the backend, the attacker has now acquired those credentials.4

What you need to know about BEC

A new league of cyber-criminals has emerged using modern techniques to leverage and monetise a compromised email account in several ways.

1. You're only as strong as your weakest link

One compromised account can allow an attacker to tailor the next attack in a way that will trick more users within the organisation to give up credentials. Beazley Breach Response Services regularly see email compromise incidents involving multiple users, and sometimes over 100 users are compromised in a single targeted phishing attack.

2. They're looking to intercept your existing conversations

The attacker will search for and exploit an existing email chain regarding a forthcoming payment, request a change in wire instructions, and receive the funds in their own bank account. A few years ago, fraudulent transfers were typically under £10,000, but attackers have become far bolder. In the past year, the amounts stolen in this way have increased significantly as attackers get more brazen and successful. One promising development over the past year has been the banks’ ability to freeze the transaction and return the funds if they are contacted quickly enough (within 24-48 hours) by the targeted organisation.

3. They can access other applications using your email

An attack might begin by compromising email inboxes and then move into the HR/payroll self-service portal to change direct deposits. Attackers search the compromised inbox to determine what portal the company uses, before accessing the portal and redirecting wages into their own account.

4. Sensitive information for sale

Attackers may steal sensitive information within the inbox. Such information could be used by the attacker or sold on the dark web.

Example: Office 365 business email compromise

A mortgage company was hit with a widespread phishing email containing a link that took users to a website appearing to be a Microsoft Office 365 login page, asking them to enter their credentials. The scam was familiar to the Beazley Breach Response Services (BBR) that had experienced an influx of incidents. BBR recommended that the mortgage company work with privacy counsel and a forensic firm that has handled hundreds of similar attacks. The forensic investigation revealed that over 100 users’ inboxes had been compromised in the attack, and because of the way in which the attacker accessed the inboxes, the forensic firm could not rule out the possibility that the attacker downloaded the entirety of each mailbox. In order to determine if there was an obligation to notify affected clients, 900,000 files were programmatically searched for personally identifiable information (PII). The search hits required a document review of tens of thousands of files in order to identify affected individuals and create an address list. Ultimately, 60,000 clients or prospective clients were notified. The legal fees, forensic costs, programmatic review, and document review alone cost nearly £1.5 million. The cost of notification, call centre, and credit monitoring was an additional £70,000.

5 top tips to preventing BEC

  1. Introduce multi-factor authentication (MFA) for remote access to your system and applications.

  2. Roll out anti-fraud training that teaches your staff to detect and avoid phishing and social engineering scams.

  3. Establish a process to confirm requests for fund transfers. For example, a code that a request must include that is not documented within the network.

  4. Reduce and limit the number of employees authorised to submit or approve wire transfers.

  5. Consider the following if a vendor or supplier requests changes to its account details (including, but not limited to, bank routing numbers, account numbers, telephone numbers, or contact information):
  • Confirm all requests by a direct call to the vendor or supplier. Use a phone number the vendor or supplier provided before the request was received.
  • Require review of all requests by a supervisor or next-level approver before making any changes.
  • Is the address or bank account to which the payment is to be sent different from previous payments to that vendor?
  • If the request is from a vendor, check for changes to business practices, such as whether earlier invoices were mailed while the new one was emailed or if earlier payments were by cheque and now the request is for a wire transfer.
  • Be suspicious of small changes in email addresses that mimic legitimate email addresses.

Follow our cyber security series for the latest on managing cyber risks and how to nurture a culture of compliance in your business.

Healthcare spotlight on cyber security

 

Sources

Beazley Breach Briefing 2019

1. The Telegraph: New Technologies Transforming Healthcare

2. Infosecurity Magazine

3. Beazley Preventing Email Compromise Fact Sheet

4. Beazley Breach Briefing 2019