Business Email Compromise, or BEC, is a rapidly growing type of cybercrime. In 2021, the FBI received 19,954 complaints with adjusted losses of nearly $2.4 billion. BEC is a sophisticated attack in which a sender’s email account is either compromised or spoofed so that the attacker can impersonate that person. An email is then sent in the unknowing sender’s name, requesting some sort of scam payment or money transfer. The scams can range from payment requests, fake invoices, and solicitations for gift cards to direct-deposit change requests made to HR departments.
The popularity of these BEC attacks has caused an increase in assaults on corporate email systems. For example, one of the more common attacks our IT department has witnessed over the past three months is focused on Microsoft 365 accounts. These attacks, often specifically targeting individuals at credit unions, attempt to acquire the end user’s login information by leveraging a look-alike domain (the name of a website). Look-alike domains closely resemble the victim’s domain without matching it exactly. A cursory glance makes these domains seem completely authentic and trustworthy, which is why they are often quite effective at tricking the end user into revealing their login credentials. Some examples of these types of look-alike domains are as follows:
As you can see in these examples, the changes are subtle and can be difficult to spot unless you are looking closely and paying attention.
Further, in these BEC attempts, the look-alike domain is stacked with a man-in-the-middle attack. This is where attackers will send a phishing email requesting that the employee click on a link to access an encrypted file. This link goes to a malicious site run by the attacker, such as the following:
https://login-microsoftonline[.]corporate0ne[.]coop/?
This site, a fake Microsoft 365 login page, looks identical to the original; the only difference is the URL and domain shown in the address bar of the web browser. These types of attacks have been known to leverage an advanced hacking technique called a “reverse proxy,” in which the attacker’s site sits between the victim and the real login page and relays the victim’s sign-in session. Because the victim completes the real sign-in through the proxy, this technique can allow the attacker to circumvent multifactor authentication, or MFA. Once an account is compromised, the attacker can go through the user’s inbox, looking for opportunities to attack other companies with any of the above-mentioned scams.
Mitigating the risks: Countermeasures your credit union can implement
Several countermeasures can be implemented to help your credit union mitigate any ongoing BEC attacks:
One of the best ways to leverage these protocols is by not allowing blind whitelists to exist in your email flow. If you need to prevent a certain email address or domain from going to end users’ spam folders, you can create a whitelist that still requires a passing DMARC check. This prevents you from blindly passing phishing emails to end users’ inboxes without verifying the emails’ validity. Additionally, most email servers allow you to enforce SPF and/or DKIM verification before emails make it to the end user’s mailbox.
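To illustrate the difference between a blind whitelist and one gated on DMARC, here is an added Python example (not code from the original article or from any mail product) that reads a message's Authentication-Results header and routes it. The Authentication-Results headers, the "mx.example.coop" server name and the vendor.example / other.example domains are constructed sample values, not real mail.

```python
import re

# Constructed Authentication-Results headers (not from any real message);
# "mx.example.coop" is a hypothetical authserv-id for the receiving server.
SAMPLES = {
    "partner_ok": ("mx.example.coop; spf=pass smtp.mailfrom=vendor.example; "
                   "dkim=pass header.d=vendor.example; "
                   "dmarc=pass header.from=vendor.example"),
    "partner_spoofed": ("mx.example.coop; spf=fail smtp.mailfrom=attacker.example; "
                        "dkim=none; dmarc=fail header.from=vendor.example"),
    "unknown_unauth": ("mx.example.coop; spf=fail smtp.mailfrom=other.example; "
                       "dkim=fail header.d=other.example; "
                       "dmarc=none header.from=other.example"),
    "unknown_ok": ("mx.example.coop; spf=pass smtp.mailfrom=other.example; "
                   "dkim=none; dmarc=none header.from=other.example"),
}

# Domains an administrator wants to keep out of the spam folder (constructed).
ALLOWLIST = {"vendor.example"}

def parse_auth_results(header):
    """Extract spf/dkim/dmarc verdicts and the DMARC-evaluated From: domain."""
    verdicts = {}
    for clause in header.split(";")[1:]:  # first field is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            verdicts[m.group(1)] = m.group(2).lower()
        m = re.search(r"header\.from=([\w.-]+)", clause)
        if m:
            verdicts["from_domain"] = m.group(1).lower()
    return verdicts

def route_message(header, allowlist=ALLOWLIST):
    """Return 'inbox', 'spam_scoring' or 'quarantine' for one message."""
    v = parse_auth_results(header)
    sender = v.get("from_domain", "")
    # A DMARC failure overrides any allowlist entry: the From: domain's
    # owner says this message is not theirs, so a blind whitelist must
    # never hand it straight to the inbox.
    if v.get("dmarc") == "fail":
        return "quarantine"
    # Allowlist entries only take effect when DMARC positively passes.
    if sender in allowlist and v.get("dmarc") == "pass":
        return "inbox"
    # Enforce SPF and/or DKIM: if neither authenticates, treat as suspect.
    if v.get("spf") != "pass" and v.get("dkim") != "pass":
        return "quarantine"
    return "spam_scoring"
```

Adding other.example to the allowlist does not move "unknown_ok" to the inbox, because that message never passed DMARC; that is the check a blind whitelist skips.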
For more information about email authentication protocols, check out the following resources:
In addition, to learn more about common indicators of phishing/BEC attempts along with tips on how to avoid becoming a victim, read the NCUA's risk alert from earlier this year.
Today’s bad actors are tricky, and all financial institutions, regardless of size, are vulnerable. We encourage you to be extra vigilant to stay extra safe.
Dan Seas
AVP Information Security & Cyber Defense