In the digital age, business email compromise (BEC) has emerged as a significant threat to companies of all sizes. BEC is a type of phishing attack where a cybercriminal impersonates a high-ranking executive to trick an employee, customer, or vendor into transferring money or sensitive data.
This can be a particularly effective phishing attack, because there is usually implicit trust in the name the threat actor is acting under. This blog will explore two real-life examples of BEC and discuss how businesses can protect themselves from these attacks.
It should also be noted that these two people were not existing clients of SpireTech.
Case Study 1: Phishing for Identities
Our first story involves an owner of a prospective client company who fell victim to a sophisticated phishing attack. She received an email from what appeared to be a trusted outside source. Unfortunately, the email was a phish, and the attackers were able to obtain her password.
With her password, they had access to her professional contacts. They began to exfiltrate her emails and communicate as her, launching additional phishing attempts to people in her trusted circle.
The hackers’ motive was the theft of personally identifiable information (PII) for identity theft. They used her account to post a job listing on a job board and began collecting resumes under the guise of the company. This gave them access to other people’s personal information beyond their original target.
To stop the threat actors, the police eventually got involved, and the company had to make a cyber insurance claim. An event like this can be catastrophic for the business and the people involved.
Case Study 2: Relentless Spam
In another instance, an owner of a prospective client company had his password phished, and his account was used to send out massive amounts of spam. This led to the domain of his reputable business being blacklisted, which caused huge deliverability issues for several weeks.
Spamming is not only annoying and unethical, but also illegal in many countries, as it violates the terms and conditions of the email service providers and the anti-spam laws of the governments. When an email account is used to send out spam, it can damage the reputation and credibility of the domain name associated with it. When a domain name is used to send out spam, it can be blacklisted by several email servers, which means that they will reject or mark as spam any emails coming from that domain name. This can cause huge issues for several weeks, as the legitimate emails from that domain name will not reach their intended recipients.
Having a domain blacklisted is not only damaging to the reputation, but also to the business operations of the owner and potentially the employees of the company. The hackers may have accessed their sensitive information, such as personal details, financial records, contracts, and invoices, that were stored in their email account or attached to their emails.
The hackers may have also installed malware or spyware on personal and/or company devices, which could monitor their activity and potentially steal more data from the owners, employees and the company as a whole. Because they were not a SpireTech client, we don’t know if any data was exfiltrated or stolen.
Protecting Your Business from BEC
The best protection against BEC is multi-factor authentication (MFA). However, even MFA isn’t foolproof. There are man-in-the-middle techniques that are quite common today that can steal your session and give access to a hacker, even if you are using MFA.
Be aware of attachments that require you to enter your password again or claim to be encrypted. Be cautious of webpages that pop up asking you to authenticate after you clicked a link or attachment from an email.
MFA paired with vigilance will go far to protect a business.
Businesses must stay alert against BEC attacks by educating their employees about the dangers of phishing and implementing robust security measures such as MFA and security training for employees. Remember, in the world of cybersecurity, prevention is always more effective than a solution after an incident.