This week the US Federal Bureau of Investigation (FBI) urged businesses and remote workers to be extra wary of business email compromise (BEC) scams through cloud-based email, warning that attackers have redoubled their efforts to carry out BEC attacks in the wake of COVID-19.
In a public service announcement released by the FBI's Internet Crime Complaint Center (IC3) on Monday, the feds warned that cybercriminals are specifically going after organizations that use cloud-based email systems with BEC attempts, cashing in on the fact that many victims will not have taken the care to turn on the security features on these platforms that need to be manually configured and enabled.
FBI's IC3 calculates that between January 2014 and October 2019 alone it has recorded $2.1 billion in actual losses from BEC scams targeting just two popular cloud-based email services.
Meanwhile, the FBI National Press Office on Monday also sent out a release that warned that the agency anticipates a general rise in BEC schemes to profit off of the chaos, urgency, and user distraction wrought by the global pandemic. For example, officials noticed that "there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19."
BEC scams vary based on the creativity of the attacker, but the general gist is that they seek out well-placed individuals who control financial accounts at their organization. Using tactics like email account takeover or spoofing, the bad guys will impersonate a colleague or boss — sometimes the CEO, sometimes a vendor, sometimes a highly ranked individual in another department — and try to convince their mark via email to make a very expensive mistake. In some instances they will try to trick the person into transferring money to the fraudster for fictionally "legitimate" purposes or into making last-minute changes to the details of an existing financial transaction to benefit the criminal.
These kinds of technology-enhanced cons have cost organizations millions of dollars at a time.
"It is important for leaders to recognize that BEC email fraud and email account compromise have grown to become probably the most expensive problem in all of cybersecurity," says Sherrod DeGrippo, senior director of threat research and detection for Proofpoint.
In fact, FBI IC3 recently noted in its 2019 Internet Crime Report that BEC scams accounted for 40% of the losses for cybercrime last year. That number is likely to spike even further as criminals see BEC in the pandemic as low-hanging fruit. The rapid distribution of employees to makeshift work-from-home situations, the use of unfamiliar devices, and the distractions and anxiety created by illness and business disruption have all combined to create an ideal BEC hunting ground for the bad guys.
"Employees working from home are likely to be even more distracted than usual, with children, household chores, and coronavirus anxieties all competing for their attention," explains Seth Blank, vice president of standards and new technologies at Valimail. "That will make them even less attentive to the subtle clues that an email is a phishing attack. And, when working from home, they're also more likely to be using a small screen or even their cellphones to manage email, which can make some of these phish attempts — which used bogus sender identities — nearly impossible to detect."
Phishy Cloud-Based Email
They're also more likely to be communicating through cloud-based email services, sometimes for the first time in an official business setting. According to the FBI, criminals have particularly been ramping up opportunistic phishing campaigns using kits that impersonate popular cloud-based email services.
"Cloud services are particularly appealing for cybercriminals because users are typically familiar with these tools and are likely to click on messages associated with them," says DeGrippo. "Users also typically use cloud accounts outside of the security protection of their organization, opening them up to potential compromise."
Once the criminals get access to a victim's cloud account, FBI officials say they will often analyze the content of email stores to look for evidence of financial transactions. If they find it, sometimes they'll configure that person's mailbox rules to delete messages about transactions or automatically forward relevant messages to the attacker's outside email account. That gives them free rein to insert themselves in the communication chain between the victim and third parties like vendors or customers to try to get pending or future payments redirected to fraudulent accounts.
From a technical perspective, the FBI recommends that organizations head these cloud-based email BEC scams off at the pass by prohibiting automatic forwarding to external addresses, using multifactor authentication and prohibiting legacy protocols that can circumvent MFA, monitoring email settings changes, and configuring Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent spoofing and validate email.
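The mailbox-rule tampering described above is something the recommended monitoring of email settings can check for directly. The following Python is an added example, not code from the FBI or the original article; the rule fields (`mailbox`, `name`, `match_keywords`, `forward_to`, `delete`), the finance term list, and the sample rules are constructed assumptions, not any email provider's export format.

```python
import re

# Assumption: a constructed, vendor-neutral rule schema and term list.
FINANCE_TERMS = {"invoice", "payment", "wire", "remittance", "bank", "ach"}

def is_internal(address, internal_domains):
    """True if the address is in an internal domain or one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def finance_terms_in(rule):
    """Return the sorted finance terms found in the rule's match keywords."""
    words = set()
    for keyword in rule.get("match_keywords", []):
        words.update(re.findall(r"[a-z]+", keyword.lower()))
    return sorted(words & FINANCE_TERMS)

def audit_rule(rule, internal_domains):
    """Return the reasons one mailbox rule matches the tampering pattern."""
    reasons = []
    external = sorted(a for a in rule.get("forward_to", [])
                      if not is_internal(a, internal_domains))
    if external:
        reasons.append("external forward: " + ", ".join(external))
    terms = finance_terms_in(rule)
    if rule.get("delete") and terms:
        reasons.append("deletes mail matching: " + ", ".join(terms))
    return reasons

def audit_rules(rules, internal_domains):
    """Return (mailbox, rule name, reasons) for every rule worth reviewing."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule, internal_domains)
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings

# Constructed sample data: two benign rules and two that fit the pattern.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "newsletters", "match_keywords": ["digest"], "forward_to": [], "delete": False},
    {"mailbox": "ap@example.com", "name": ".", "match_keywords": ["invoice", "wire transfer"], "forward_to": ["collector@mail.example.net"], "delete": False},
    {"mailbox": "cfo@example.com", "name": "cleanup", "match_keywords": ["Payment", "bank"], "forward_to": [], "delete": True},
    {"mailbox": "cfo@example.com", "name": "assistant copy", "match_keywords": [], "forward_to": ["ea@corp.example.com"], "delete": False},
]

if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(SAMPLE_RULES, {"example.com"}):
        print(mailbox, repr(name), "; ".join(reasons))
```

Run against a periodic export of rules, the findings give reviewers a short list to confirm with the mailbox owner through a channel other than email.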
Meanwhile, according to the FBI, be on the lookout for these red flags for a BEC amid the COVID-19 lockdown:
- Unexplained urgency
- Last minute changes in wire instructions or recipient account information
- Last minute changes in established communication platforms or email account addresses
- Communications only in email and refusal to communicate via telephone or online voice or video platforms
- Requests for advanced payment of services when not previously required
- Requests from employees to change direct deposit information
Ultimately, it is going to be up to organizations to pass this knowledge on to workers who are already shooting from the hip in very unusual working circumstances.
"Working remotely 100 percent of the time is different than working from home once or twice a week," DeGrippo says. "Extra vigilance is required especially regarding the links you are clicking on, and the funds you wire, because remote working often means you aren't protected by the same safeguards your office has in place; nor is it easy to check with colleagues or partners to verify the authenticity of a payment request."