Keeping Vigilant for BEC Amid COVID-19 Chaos

FBI and security experts warn that attackers are particularly targeting cloud-based email systems at the moment.

This week the US Federal Bureau of Investigation (FBI) urged businesses and remote workers to be extra wary of business email compromise (BEC) scams carried out through cloud-based email, warning that attackers have redoubled their efforts to carry out BEC attacks in the wake of the COVID-19 pandemic.

In a public service announcement released by the FBI's Internet Crime Complaint Center (IC3) on Monday, the feds warned that cybercriminals are specifically going after organizations that use cloud-based email systems with BEC attempts, cashing in on the fact that many victims will not have taken the care to turn on the security features on these platforms that need to be manually configured and enabled.

FBI's IC3 calculates that between January 2014 and October 2019 alone it has recorded $2.1 billion in actual losses from BEC scams targeting just two popular cloud-based email services.  

Meanwhile, the FBI National Press Office on Monday also sent out a release that warned that the agency anticipates a general rise in BEC schemes to profit off of the chaos, urgency, and user distraction wrought by the global pandemic. For example, officials noticed that "there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19."

BEC scams vary based on the creativity of the attacker, but the general gist is that they seek out well-placed individuals who control financial accounts at their organization. Using tactics like email account takeover or spoofing, the bad guys will impersonate a colleague or boss — sometimes the CEO, sometimes a vendor, sometimes a highly ranked individual in another department — and try to convince their mark via email to make a very expensive mistake. In some instances they will try to trick the person into transferring money to the fraudster for fictionally "legitimate" purposes, or into making last-minute changes to the details of an existing financial transaction to benefit the criminal.

These kinds of technology-enhanced cons have cost organizations millions of dollars at a time. 

"It is important for leaders to recognize that BEC email fraud and email account compromise have grown to become probably the most expensive problem in all of cybersecurity," says Sherrod DeGrippo, senior director of threat research and detection for Proofpoint.

In fact, FBI IC3 recently noted in its 2019 Internet Crime Report that BEC scams accounted for 40% of the losses from cybercrime last year. That number is likely to spike even further as criminals see BEC during the pandemic as low-hanging fruit. The rapid dispersal of employees to makeshift work-from-home situations, the use of unfamiliar devices, and the distractions and anxiety created by illness and business disruption have all combined to create an ideal BEC hunting ground for the bad guys.

"Employees working from home are likely to be even more distracted than usual, with children, household chores, and coronavirus anxieties all competing for their attention," explains Seth Blank, vice president of standards and new technologies at Valimail. "That will make them even less attentive to the subtle clues that an email is a phishing attack. And, when working from home, they're also more likely to be using a small screen or even their cellphones to manage email, which can make some of these phish attempts — which used bogus sender identities — nearly impossible to detect."

Phishy Cloud-Based Email 

They're also more likely to be communicating via cloud-based email services, sometimes for the first time in an official business setting. According to the FBI, criminals have particularly been ramping up opportunistic phishing campaigns using kits that impersonate popular cloud-based email services.

"Cloud services are particularly appealing for cybercriminals because users are typically familiar with these tools and are likely to click on messages associated with them," says DeGrippo. "Users also typically use cloud accounts outside of the security protection of their organization, opening them up to potential compromise."

Once the criminals gain access to a victim's cloud account, FBI officials say they will often analyze the content of email stores to look for evidence of financial transactions. If they find it, sometimes they'll configure that person's mailbox rules to delete messages about transactions or to automatically forward relevant messages to the attacker's outside email account. That gives them free rein to insert themselves in the communication chain between the victim and third parties like vendors or customers, and to try to get pending or future payments redirected to fraudulent accounts.

From a technical perspective, the FBI recommends that organizations head these cloud-based email BEC scams off at the pass by prohibiting automatic forwarding to external addresses, using multifactor authentication (MFA) and prohibiting legacy protocols that can circumvent MFA, monitoring changes to email settings, and configuring Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent spoofing and validate email.
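As an added illustration (not code from the article or from the FBI advisory), the following Python script audits a constructed export of mailbox rules for the two persistence patterns described above: forwarding or redirecting to addresses outside the organization's own domains, and deleting (or, going slightly beyond the FBI text, quietly filing away) transaction-related mail. The internal domain list, the rule shape and the sample rules are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Assumption: the organization's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.com"}
FINANCE_TERMS = re.compile(r"\b(invoice|wire|payment|ach|remittance|bank)\b", re.I)

@dataclass
class InboxRule:
    """Simplified, constructed shape of an exported inbox rule."""
    owner: str
    name: str
    conditions: dict = field(default_factory=dict)  # e.g. {"subject_contains": [...]}
    actions: dict = field(default_factory=dict)     # e.g. {"forward_to": [...], "delete": True}

def external_targets(rule):
    """Addresses this rule forwards or redirects to outside the organization."""
    targets = rule.actions.get("forward_to", []) + rule.actions.get("redirect_to", [])
    return [t for t in targets if t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def finance_filter(rule):
    """Condition keywords that single out transaction-related mail."""
    words = rule.conditions.get("subject_contains", []) + rule.conditions.get("body_contains", [])
    return [w for w in words if FINANCE_TERMS.search(w)]

def audit_rules(rules):
    """Return (owner, rule name, finding, evidence) for each suspicious rule."""
    findings = []
    for r in rules:
        ext = external_targets(r)
        if ext:
            findings.append((r.owner, r.name, "external-forward", ext))
        fin = finance_filter(r)
        # Deleting, or quietly filing away, finance mail hides the real vendor thread.
        if fin and (r.actions.get("delete") or r.actions.get("move_to_folder")):
            findings.append((r.owner, r.name, "hide-finance-mail", fin))
    return findings

# Constructed sample: two malicious rules among two benign ones.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Sync", actions={"forward_to": ["backup.mbx@mail-example.net"]}),
    InboxRule("ap@example.com", "Cleanup",
              conditions={"subject_contains": ["invoice", "wire transfer"]},
              actions={"delete": True}),
    InboxRule("hr@example.com", "Newsletters",
              conditions={"subject_contains": ["newsletter"]},
              actions={"move_to_folder": "Promotions"}),
    InboxRule("cfo@example.com", "To assistant", actions={"forward_to": ["assistant@example.com"]}),
]

if __name__ == "__main__":
    for owner, name, finding, evidence in audit_rules(SAMPLE_RULES):
        print(f"{owner}: rule '{name}' -> {finding} {evidence}")
```

On a real tenant the same checks would run over the rule export of the platform in use, and any hit is worth pairing with the settings-change monitoring the FBI recommends.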

Meanwhile, according to the FBI, be on the lookout for these red flags for a BEC amid the COVID-19 lockdown:

  • Unexplained urgency
  • Last-minute changes in wire instructions or recipient account information
  • Last-minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

Ultimately, it is going to be up to organizations to pass this knowledge on to workers who are already shooting from the hip in very unusual working circumstances. 

"Working remotely 100 percent of the time is different than working from home once or twice a week," DeGrippo says. "Extra vigilance is required especially regarding the links you are clicking on, and the funds you wire, because remote working often means you aren't protected by the same safeguards your office has in place; nor is it easy to check with colleagues or partners to verify the authenticity of a payment request."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
