The Health Sector Cybersecurity Coordination Center (HC3) within the U.S. Department of Health and Human Services (HHS) has identified business email compromise (BEC) as one of the most economically damaging online crimes. In its sector-specific alert, HC3 notes that most people rely on email to conduct personal and professional business. BEC is a growing problem that targets organizations of all sizes in all industries around the world, and these scams expose organizations to billions of dollars in potential losses.
“BEC is a sophisticated type of spear-phishing attack in which scammers use email to trick someone into sending money or divulging confidential company information,” HC3 details. “Using social engineering, criminals pose as someone they trust and request payment for a fake bill or sensitive data that can be used in another scam. It is one of the most damaging and costly types, costing businesses billions of dollars each year, mitigating widespread identity theft, and protecting accidentally leaked secrets such as intellectual property. It could force companies to process data.”
Last year, HC3 published an overview of BEC threats in the healthcare and public health (HPH) sector, and this Sector Alert examines this type of cybercrime from a comprehensive perspective across multiple industries. Below, we provide an overview of BEC, types of BEC attacks, why BEC attacks are difficult to detect, examples of BEC attacks, MITRE ATT&CK tactics, techniques, and procedures (TTPs), and recommended defenses and mitigations.
HC3 added that BEC attacks differ from other types of email-based attacks in several key areas. “First, they typically do not contain malware, malicious links, or email attachments. These are social engineering attacks that are primarily carried out via email. Email security filters do not allow BEC attacks. BEC attacks are particularly dangerous because they may not be able to identify them. Second, they target specific individuals within an organization. This type of attack does not rely solely on technical vulnerabilities; it relies on trust in authority, impulsive action, and the human tendency to respond emotionally to requests, which makes them highly effective. Third, they are tailored to the intended victim and often involve advanced research into the organization in question.”
HC3 elaborated that in a typical BEC scam, the fraudster researches the target and finds a way to misrepresent their identity. “In some cases, they may create a fake website or register a company with the same name as yours in another country. Once they gain access, the scammers can monitor your email and identify who sends or receives money. They also look at conversation patterns and invoices. Scammers will ask for money, gift cards, or information in an attempt to gain your target's trust. During the process, the scammer spoofs the email domain of one of the parties. The email address may be one or two characters different or may be the correct email address from a different domain.”
In addition to bypassing email security filters, HC3 shows that BEC attacks are low-volume, use legitimate sources or domains, can come from legitimate email accounts, and can pass DMARC (Domain-based Message Authentication, Reporting and Conformance) checks, all of which make them difficult to identify.
Unusual spikes in email traffic can alert an email security filter to an ongoing attack. However, the volume of a BEC attack is very small, often just one or two emails, so it produces no spike in email traffic. This low volume also allows BEC campaigns to change their source IP addresses regularly, making them difficult to block. Large-scale phishing attacks often originate from IP addresses that quickly end up on blocklists; BEC attacks, being low in volume, can instead use source IP addresses that are neutral or have a good reputation. They also use email domain spoofing to make it appear as though the email is coming from a real person.
HC3 also notes that in a BEC attack, a previously compromised email inbox can be used to send a malicious message without the owner's knowledge, so the message appears to come from a legitimate email address and is difficult to flag. The DMARC protocol identifies email sent from a domain without authorization and helps prevent domain spoofing. BEC campaigns can still pass DMARC if an organization does not configure DMARC to strictly block unauthenticated email, or if the attacker sends the email from a legitimate source.
As BEC attacks impact organizations in industries around the world, multiple cybersecurity research firms have proposed their own best practices on how best to prevent and defend against these types of crimes. They are integrated here for public consumption.
HC3 reminded HPH organizations to protect all channels exploited by attackers with effective BEC defenses. These include corporate email, personal webmail, business partner email, cloud apps, web domains, the web, and users' own actions. Because BEC relies on victims acting deliberately (albeit unwittingly), attack visibility, email protection, and user awareness play key roles in effective defense.
Users should also be trained to look for warning signs that an email may not be what it seems: requests not to communicate with others (spoofed emails often ask recipients to keep the request confidential or to communicate with the sender only by email); requests that bypass normal channels; language issues and unusual date formats; and email domains or “reply-to” addresses that do not match the sender's address. Robust email security, domain authentication, account protection, content inspection, and user awareness must work together in a holistic manner.
If your organization falls victim to a BEC scam, it is important to act quickly: contact your financial institution immediately and ask it to contact the financial institution to which the money was transferred; contact your local FBI field office to report the crime; file a complaint with the FBI's IC3; and contact the Secret Service Field Office Cyber Fraud Task Force.
The Sector Alert urges healthcare organizations to use secure email solutions such as Office 365 that automatically flag and delete suspicious emails or issue alerts if the sender is not verified. Specific senders can be blocked and their email reported as spam. Defender for Office 365 adds further BEC prevention features, including advanced phishing protection and suspicious-forwarding detection. Organizations should also enable multi-factor authentication to make email accounts more difficult to compromise; multi-factor authentication requires a code, PIN, or fingerprint in addition to a password to log in.
Employees need training, including simulated BEC fraud, to identify phishing links, domain and email address mismatches, and other red flags, and to recognize an attack when it occurs. Additional cybersecurity awareness training can help employees understand the dangers of oversharing on the social media platforms and apps that scammers use to find and research their targets.
HC3 also called for stronger security requirements across the organization: administrators should require everyone to use multi-factor authentication, challenge new or risky access with additional authentication, and force password resets if information is compromised. Organizations can also make email spoofing difficult by authenticating senders using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC. Finally, they should consider switching from emailed invoices to a system specifically designed to authenticate payments.
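As an added illustration (not code from HC3's alert), the following Python script checks one raw message for the warning signs the alert describes: a reply-to domain that differs from the sender's domain, a sender domain one or two characters off from the organization's own, no DMARC pass in the Authentication-Results header, and confidentiality pressure in the body. The trusted domain, the cue phrases and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the alert): look-alike sender domain, a Reply-To on a
# third domain, DMARC not passing, and "keep it confidential" pressure in the body.
SAMPLE_BEC = """From: "CFO" <cfo@examp1e-health.org>
Reply-To: cfo.payments@mail-relay.example.net
To: ap@example-health.org
Subject: Urgent wire
Authentication-Results: mx.example-health.org; spf=softfail; dkim=none; dmarc=fail
Content-Type: text/plain

Please wire the invoice today. Keep this confidential and reply by email only.
"""

TRUSTED_DOMAINS = {"example-health.org"}  # assumption: the organization's own domain
PRESSURE_CUES = ("keep this confidential", "reply by email only", "do not call")

def edit_distance(a, b):
    """Levenshtein distance: catches sender domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def check_message(raw, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the list of BEC warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"] or "")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        findings.append("reply-to domain differs from sender domain")
    for t in trusted:  # distance 0 means the sender really is a trusted domain
        if 0 < edit_distance(from_dom, t) <= max_dist:
            findings.append(f"sender domain is a look-alike of {t}")
    if "dmarc=pass" not in str(msg["Authentication-Results"] or "").lower():
        findings.append("message did not pass DMARC")
    body = msg.get_content().lower()
    findings += [f"pressure cue: {c!r}" for c in PRESSURE_CUES if c in body]
    return findings
```

Only a receiving mail server's own Authentication-Results header should be trusted for the DMARC check; a header written by an upstream party can itself be forged.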
Last June, the Federal Bureau of Investigation (FBI) and HHS issued a joint cybersecurity advisory (CSA) to share known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) related to social engineering campaigns. The advisory identified healthcare organizations, public health organizations, and healthcare providers as prime targets for these campaigns because of their large scale, reliance on technology, access to personal health information, and the significant impact of interruptions in patient care.