Although a few prominent ransomware incidents dominate worldwide news coverage, it is important not to disregard other digital threats that are frequently used as initial attack vectors. Threat actors continue to run phishing and business email compromise (BEC) campaigns to harvest user credentials, which often lead to much more significant incidents. Microsoft 365 Defender researchers reported that they dismantled the cloud-based infrastructure behind a large-scale BEC campaign. Initial access was gained via targeted phishing emails that redirected recipients to a fake Microsoft sign-in page. If credentials were entered, the threat actor could access the target's mailbox to run the BEC campaign and to exfiltrate data via email forwarding rules. The threat actors used IP address ranges from several reputable cloud providers to blend into legitimate traffic, and used that cloud-based infrastructure to automate their operations. BEC attacks continue to grow in stealth and sophistication and can wreak havoc on organizations. User awareness and multi-factor authentication (MFA) would likely have prevented, or reduced the impact of, a number of these attacks.
Previously known as Man-in-the-Email scams, BEC attacks rely heavily on social engineering to deceive unsuspecting employees and executives. The attackers often impersonate the CEO or any executive authorized to approve wire transfers. Fraudsters also carefully research and closely monitor their potential victims and their organizations.
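The two behaviours in the campaign described above, forwarding-rule exfiltration and sign-ins from cloud-provider ranges, are both visible in mailbox audit logs. The following Python detection logic is an added example, not Microsoft's code or the campaign's own tooling: it runs over constructed records in the shape of Microsoft 365 audit-log exports and flags inbox rules or mailbox settings that forward mail to an external domain (especially rules that also delete the original, which hides the copy from the mailbox owner) and sign-ins from IP ranges an analyst has chosen to watch. The organisation domain, the watched ranges (RFC 5737 documentation blocks, not any real provider's addresses) and the sample records are assumptions made for the example.

```python
import ipaddress
import json
import re

# Assumptions for this example: the organisation's own domain(s) and a watch list of
# source ranges to alert on. The ranges are RFC 5737 documentation blocks standing in
# for whatever cloud-provider or otherwise unexpected ranges an analyst would watch.
INTERNAL_DOMAINS = {"examplecompany.com"}
WATCHED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Inbox-rule parameters that send a copy of mail somewhere else (Exchange cmdlet names).
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def is_external(value):
    """True when the first e-mail address found in value is outside INTERNAL_DOMAINS."""
    m = ADDR_RE.search(value)
    return bool(m) and m.group(0).lower().rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def client_ip(record):
    """Parse ClientIP, tolerating the 'a.b.c.d:port' form seen in audit records."""
    text = record.get("ClientIP", "")
    for candidate in (text, text.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            pass
    return None


def inspect(record):
    """Return the findings (strings) for one audit record; empty list when benign."""
    findings = []
    op = record.get("Operation")
    user = record.get("UserId", "?")
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    if op in ("New-InboxRule", "Set-InboxRule"):
        targets = [t for k in FORWARD_PARAMS for t in params.get(k, "").split(";") if t]
        external = [t for t in targets if is_external(t)]
        if external:
            findings.append(f"{user}: inbox rule forwards to external address {external}")
        if targets and params.get("DeleteMessage") == "True":
            findings.append(f"{user}: rule forwards and deletes (hides the copy from the owner)")
    elif op == "Set-Mailbox" and is_external(params.get("ForwardingSmtpAddress", "")):
        findings.append(f"{user}: mailbox-level forwarding to {params['ForwardingSmtpAddress']}")
    elif op == "UserLoggedIn":
        ip = client_ip(record)
        if ip and any(ip in net for net in WATCHED_RANGES):
            findings.append(f"{user}: sign-in from watched range {ip}")
    return findings


def scan(lines):
    """Run inspect() over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(inspect(json.loads(line)))
    return findings


# Constructed sample records in the shape of Microsoft 365 audit-log exports (not real data).
SAMPLE_LOG = """
{"Operation":"UserLoggedIn","UserId":"jane@examplecompany.com","ClientIP":"203.0.113.7:443"}
{"Operation":"New-InboxRule","UserId":"jane@examplecompany.com","ClientIP":"203.0.113.7:443","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardAsAttachmentTo","Value":"[SMTP:invoices@examplecompany-mail.net]"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"bob@examplecompany.com","ClientIP":"192.0.2.10","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"Operation":"Set-Mailbox","UserId":"bob@examplecompany.com","ClientIP":"192.0.2.10","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.home@example.net"}]}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print("ALERT", finding)
```

Run against the sample it raises four alerts: the watched-range sign-in, the rule that forwards externally, the same rule deleting the original, and the mailbox-level forward. The benign "Newsletters" rule that only moves mail to a folder is not reported, which is the distinction a real alert rule needs so that it does not drown the analyst in ordinary user activity.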
I discovered a widespread business email compromise (BEC) phishing campaign targeting employees across multiple industries and organizations by impersonating senior executives via email spoofing. The threat actors claim that a planned board meeting needs to be rescheduled and ask the recipient to take part in a Doodle poll to choose a new date. The polling/survey link actually redirects users to an Office 365 credential theft site, and any information submitted is sent to the threat actors. Using the stolen credentials, the threat actors could gain access to highly sensitive data and perpetuate their malicious campaign. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, as in these examples:
A vendor your company regularly deals with sends an invoice with an updated mailing address.
A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.
How Criminals Carry Out BEC Scams
A scammer might:
Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic.
Send spear phishing emails. These messages look like they're from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that give them the details they need to carry out BEC schemes.
Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages, so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.
Attorney Impersonation: This type of attack takes advantage of the fact that low-level employees within an organization are likely to comply with requests from a lawyer or legal representative because they don’t know how to validate the request. This approach often makes the request seem time-sensitive and confidential to prevent independent verification.
Data Theft: BEC attacks are not only designed to steal money from a company. This type of attack targets HR and Finance personnel and attempts to steal sensitive information about an organization’s employees. This information can then be sold on the Dark Web or used in planning and executing future attacks.
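The spoofing technique in the first item above (a slight variation on a legitimate address) can be checked mechanically at the mail gateway. The following Python classifier is an added example, not part of the original article: it compares a From: header against a small assumed directory of trusted domains and executive addresses and labels near-miss mailboxes (the john.kelly/john.kelley case), executive display names attached to foreign mailboxes, homoglyph and typo domains, and a brand name embedded in a different registrable domain. The directory entries, distance thresholds and sample headers are constructed for the example and would be tuned against real traffic.

```python
import re
import unicodedata

# Assumed directory: trusted sending domains and the real addresses of people whose
# names attackers like to borrow (constructed for this example).
TRUSTED_DOMAINS = {"examplecompany.com"}
DIRECTORY = {"john kelly": "john.kelly@examplecompany.com"}

FROM_RE = re.compile(r'\s*"?([^"<]*?)"?\s*<?([^<>\s@]+)@([^<>\s]+?)>?\s*$')
CONFUSABLES = str.maketrans("01|", "oil")


def levenshtein(a, b):
    """Edit distance; inputs are short, so the plain O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(domain):
    """Normalise a domain so visually similar spellings compare equal."""
    try:
        domain = domain.encode("ascii").decode("idna")  # xn--... labels back to Unicode
    except ValueError:
        pass  # already Unicode (or malformed); compare as-is
    ascii_form = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return ascii_form.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def parse_from(header):
    """Split 'Display Name <local@domain>' into lower-cased (name, local, domain)."""
    m = FROM_RE.match(header)
    if not m:
        return None
    name, local, domain = m.groups()
    return name.strip().lower(), local.lower(), domain.lower().rstrip(".")


def classify(header):
    """Label a From: header as trusted, lookalike-mailbox, display-name-spoof,
    homoglyph-domain, typo-domain, embedded-brand, external or unparseable."""
    parsed = parse_from(header)
    if parsed is None:
        return "unparseable"
    name, local, domain = parsed
    address = f"{local}@{domain}"
    if domain in TRUSTED_DOMAINS:
        known_locals = {a.split("@")[0] for a in DIRECTORY.values()}
        if local not in known_locals and any(levenshtein(local, k) <= 2 for k in known_locals):
            return "lookalike-mailbox"       # john.kelley@ sitting next to john.kelly@
        return "trusted"
    if name in DIRECTORY and DIRECTORY[name] != address:
        return "display-name-spoof"          # right name, wrong mailbox
    for trusted in TRUSTED_DOMAINS:
        if fold(domain) == fold(trusted):
            return "homoglyph-domain"        # exarnplecompany.com, exámplecompany.com
        if levenshtein(domain, trusted) <= 2:
            return "typo-domain"             # examplecompany.co
        if trusted.rsplit(".", 1)[0] in domain:
            return "embedded-brand"          # examplecompany-secure.com
    return "external"


# Constructed headers exercising each case (not taken from a real campaign).
SAMPLES = [
    "John Kelly <john.kelly@examplecompany.com>",
    "John Kelly <john.kelley@examplecompany.com>",
    "John Kelly <john.kelly@mail-service.example>",
    "Accounts Payable <ap@exarnplecompany.com>",
    "Accounts Payable <ap@exámplecompany.com>",
    "Accounts Payable <ap@examplecompany.co>",
    "IT Helpdesk <help@examplecompany-secure.com>",
    "Doodle <noreply@doodle.example>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):20} {sample}")
```

The order of the checks matters: a trusted domain is checked first so that an attacker cannot dodge the mailbox comparison, and the display-name test runs before the domain tests because an executive's name on any foreign mailbox is suspicious regardless of how far the domain is from yours. The "rn" to "m" fold is what catches exarnplecompany.com, which a plain edit distance of 2 also catches, but the fold also handles accented and punycode lookalikes that edit distance does not.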
Between 2019 and 2021, the FBI's Internet Crime Complaint Center (IC3) received an increasing number of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform is a type of collaboration tool used by people around the world to share information through audio, video conferencing, screen sharing, and webinars.
Criminals use virtual meeting platforms to conduct BEC scams in several ways:
Compromising an employer's or financial director's email, such as the CEO's or CFO's, and asking employees to join a virtual meeting in which the criminal shows a still picture of the executive with no audio, or "deep fake" audio, and claims that their video or audio is not working properly. They then instruct employees to initiate transfers of funds via the meeting platform's chat or in a follow-up email.
Compromising employees' email to insert themselves into workplace meetings held on virtual meeting platforms, in order to collect information about the business's day-to-day operations.
Compromising an executive's email, such as the CEO's, and sending spoofed emails to employees instructing them to initiate transfers of funds, with the "CEO" claiming to be tied up in a virtual meeting and unable to initiate the transfer from their own computer.
Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
Use secondary channels or two-factor authentication to verify requests for changes in account information.
Ensure the URL in emails is associated with the business/individual it claims to be from.
Be alert to hyperlinks that may contain misspellings of the actual domain name.
Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
Verify the address an email was sent from, especially when reading mail on a mobile or handheld device, which often shows only the display name; make sure the sender's address matches who the message claims to be from.
Ensure the settings on employees' computers allow full email addresses and file extensions to be viewed.
Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
A second scenario involves cloud-based email services: hosted subscription services that enable users to conduct business via tools such as email, shared calendars, online file storage, and instant messaging. Because these services are reachable from anywhere on the internet, a single set of phished credentials gives the attacker the same mailbox access the legitimate user has.
RECOMMENDATIONS FOR END USERS
Enable multi-factor authentication for all email accounts.
Verify all payment changes and transactions in person or via a known telephone number.
Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.
RECOMMENDATIONS FOR IT ADMINISTRATORS
Prohibit automatic forwarding of email to external addresses.
Add an email banner to messages coming from outside your organization.
Prohibit legacy email protocols, such as POP, IMAP, and SMTP with basic authentication, that can be used to circumvent multi-factor authentication.
Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
Enable alerts for suspicious activity, such as foreign logins.
Enable security features that block malicious email, such as anti-phishing and anti-spoofing policies.
Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent spoofing and validate email.
Disable legacy account authentication.
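To make the SPF/DKIM/DMARC recommendation concrete, the following Python example (added here; it is not from the article or any standards body's reference code) evaluates a sending IP against a domain's SPF record and reports the SPF and DMARC weaknesses a reviewer would flag, such as a record ending in +all or a DMARC policy of p=none that only monitors. DNS is replaced by a constructed table of TXT records so it runs offline; the domains, addresses and records in that table are assumptions made for the example. It models the ip4, ip6, include and all mechanisms and deliberately leaves a, mx, exists and redirect= out; DKIM is not modelled because verifying it requires the signed message, not just DNS.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption for this example).
# The domains, mailer and addresses are fictional.
TXT = {
    "examplecompany.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.examplecompany.com": "v=DMARC1; p=none; rua=mailto:dmarc@examplecompany.com",
    "weakdomain.example": "v=spf1 +all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Evaluate a sending IP against the domain's SPF record.
    Models ip4, ip6, include and all; returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.lower().partition(":")
        if mechanism in ("ip4", "ip6"):
            try:                        # an IPv4 address never matches an ip6 network
                matched = addr in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            matched = spf_check(argument, ip, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            continue                    # a, mx, exists, redirect= are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def dmarc_policy(domain):
    """Parse _dmarc.<domain>; None when no DMARC record is published."""
    record = TXT.get(f"_dmarc.{domain}", "")
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    if tags.get("v") != "DMARC1":
        return None
    return {"p": tags.get("p", "none"), "pct": int(tags.get("pct", "100")),
            "rua": tags.get("rua", "")}


def weaknesses(domain):
    """Findings a practitioner would raise against the domain's SPF and DMARC records."""
    issues = []
    terms = TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        issues.append("no SPF record: any host can claim to send for this domain")
    elif terms[-1] in ("+all", "all"):
        issues.append("SPF ends in +all: every sender on the internet passes")
    elif terms[-1] == "~all":
        issues.append("SPF ends in ~all: spoofed mail only softfails; rely on DMARC p=reject")
    policy = dmarc_policy(domain)
    if policy is None:
        issues.append("no DMARC record: SPF/DKIM failures are not acted on")
    else:
        if policy["p"] == "none":
            issues.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if policy["pct"] < 100:
            issues.append(f"DMARC pct={policy['pct']}: policy applies to only part of the mail")
        if not policy["rua"]:
            issues.append("DMARC has no rua= address: you will not see who is spoofing you")
    return issues


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, spf_check("examplecompany.com", ip))
    for domain in ("examplecompany.com", "weakdomain.example"):
        print(domain, weaknesses(domain))
```

For examplecompany.com the two on-premises and mailer addresses pass and an outside address fails, because the include's ~all does not count as a match for the including record and the outer -all then fails it. The review still flags that domain: with p=none, a receiving server that sees an SPF failure will log it and deliver the spoofed message anyway, so the policy should be moved to quarantine and then reject once the rua= reports show all legitimate senders are covered.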
How to Protect Yourself
Make yourself a harder target
Information about you that's easily viewed on your work and private websites (including social media accounts) can be used by criminals to make their phishing emails appear more convincing.
Be careful what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
Don't click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing) and call the company to ask whether the request is legitimate.
Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
Verify payment and purchase requests in person if possible, or by calling the person to make sure the request is legitimate. You should verify any change in account number or payment procedures with the person making the request.
Be especially wary if the requester is pressing you to act quickly.
Combatting the fast-growing threat of business email compromise is not easy—but it is possible. Preventing business email compromise attacks requires a coherent strategy that encompasses security awareness training, email security technology, and changes to internal processes.