Understanding Business Email Compromise Attacks: The Latest Threat To Procurement
What is Business Email Compromise?
Designed to evade traditional cyber security processes, business email compromise (BEC) attacks are now the cybercriminals' weapon of choice. In a BEC attack, hackers infiltrate an organisation's email network and use employees' accounts to reroute payments, arrange fraudulent wire transfers or obtain sensitive documents that enable tax fraud via the IRS or HMRC.
A BEC attack isn't typically a technically sophisticated crime. It often starts with a phishing email that tricks the victim into clicking a malicious link, or into entering their login details on a fake website designed to look like a legitimate one. Attackers also try their luck with users who have reused at work a personal-account password that was exposed in a previous data breach, such as the LinkedIn attack in 2016.
Once the attacker has valid email login details for a target, it's simple to create a forwarding rule in the mailbox that sends the attacker copies of all sent and received messages.
Then it's just a waiting game. Cybercriminals monitor their target's emails for weeks to learn the business processes, billing schedules and communication style of the organisation. The attacker then sends strategically timed emails requesting a payment or sensitive data. Once a fraudulent payment has been sent, there is generally little chance of recovery, as it often takes victims weeks or even months to detect that fraud has taken place.
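The forwarding rule described above is one of the few durable artefacts a BEC intrusion leaves behind, so auditing inbox rules is a practical detection. The following is an added example, not Darkbeam's code: it scores a constructed export of mailbox rules (the `InboxRule` shape, the internal domain `example.com` and the keyword list are assumptions) and flags rules that forward externally, forward-and-delete, filter on finance keywords, or carry a blank or dot-only name.

```python
"""Audit mailbox inbox rules for BEC-style forwarding (added example, constructed data)."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
# Subject keywords attackers commonly filter on to siphon off finance traffic
SENSITIVE_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank"}

@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)      # addresses the rule forwards to
    delete_after: bool = False                          # rule also deletes the original
    subject_contains: list = field(default_factory=list)

def external_targets(rule):
    """Forwarding targets whose domain is not one of ours."""
    return [a for a in rule.forward_to
            if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]

def audit_rule(rule):
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    ext = external_targets(rule)
    if ext:
        findings.append("forwards to external address(es): " + ", ".join(ext))
    if rule.forward_to and rule.delete_after:
        findings.append("forwards and then deletes, hiding the copy from the mailbox owner")
    hits = sorted(k for k in rule.subject_contains if k.lower() in SENSITIVE_KEYWORDS)
    if hits and rule.forward_to:
        findings.append("filters forwarded mail on finance keywords: " + ", ".join(hits))
    if not rule.name.strip(" ."):
        findings.append("rule name is blank or just dots (typical of attacker-created rules)")
    return findings

def audit_mailboxes(rules):
    """Map (mailbox, rule name) to findings, for rules that have any."""
    return {(r.mailbox, r.name): f for r in rules if (f := audit_rule(r))}

# Constructed sample export, standing in for rules pulled from the mail server
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Move newsletters", subject_contains=["newsletter"]),
    InboxRule("bob@example.com", ".", forward_to=["drop.box@externalmail.test"],
              delete_after=True, subject_contains=["invoice", "payment"]),
    InboxRule("carol@example.com", "Copy to assistant", forward_to=["dan@example.com"]),
]
```

Run `audit_mailboxes(SAMPLE_RULES)` against a real export of rules and review every flagged mailbox with its owner; a legitimate internal forward such as Carol's produces no finding.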
Why are procurement professionals particularly vulnerable to BEC attacks?
With strong links to the finance department and higher levels of budget sign-off than elsewhere in the business, procurement teams are seen as lucrative targets by business email compromise attackers. The push for streamlined purchasing processes (e.g. the use of P-cards) and the resulting reduction in human oversight of procurement over the last few years has also contributed to the problem, as automated workflows allow this fraud to go undetected for significant periods of time.
The nature of BEC attacks has evolved as organisations have become more cyber aware. When this type of fraud first emerged, attackers often posed as the CFO or CPO, using their title, email signature and company logos to send out fraudulent invoices and wire transfer requests in their name. As these attacks increasingly made headlines, procurement professionals became sceptical of such 'out of the blue' requests, so cybercriminals adjusted their methods and the 'vendor email compromise' (VEC) variant was born.
In a VEC attack, the fraudsters send emails posing as the vendors themselves, often requesting that an outstanding invoice be paid. By the time the targeted procurement team receives the fraudulent email, the attacker has often intercepted enough of the business's legitimate communications to imitate the correct business context, supplier details and invoice amount. The only indicator may be the bank account number on the invoice, which has been changed to route the payment to the attacker's account. With such a high financial return for such a low investment of technical skill, these types of cyberattack are significantly on the rise.
How can you protect your organisation?
This type of fraud can be extremely difficult to detect. The attention to detail employed by BEC attackers means that the red flags users are typically taught to look out for (e.g. poor grammar and spelling) are usually absent. Some organisations go as far as blocking IP addresses from countries with high levels of cybercrime across their entire corporate network, but this is not really practical for large enterprises trading internationally.
The SME suppliers of large organisations are normally the most vulnerable targets for BEC attacks. After all, it's easier to trick a PA or part-time employee in a small business into clicking a bad link in an email than it is to get past the firewall and cyber security processes of a FTSE 100 company.
The simpler billing processes of SMEs also make it easier for attackers to pose as a small supplier. Attackers can simply generate copycat invoices from Microsoft Office templates and email them out, rather than having to go through the kind of expensive SaaS payment portal more typical of a larger organisation.
Of course, beyond the due diligence carried out on new suppliers, it is normally far too resource-intensive to ask procurement teams to manually validate every purchase order number, website and delivery address on every inbound invoice. So how can you protect your organisation?
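Manually validating every inbound invoice is impractical, but the one indicator the VEC section identifies, a bank account number that no longer matches what the vendor was onboarded with, can be checked automatically before payment is released. The following is an added example, not Darkbeam's code: it normalises account identifiers, compares each invoice against a vendor master record and also notes when the sender domain differs from the onboarded one (the record shapes, vendor ids, domains and IBANs are all constructed).

```python
"""Check inbound invoice bank details against the vendor master (added example)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    account: str         # IBAN or sort code + account number captured at onboarding
    email_domain: str    # mail domain the vendor was onboarded with

@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    sender: str          # From: address on the invoice email
    account: str         # bank details printed on the invoice

def normalise(account):
    """Strip spaces and dashes and upper-case, so formatting differences do not hide a change."""
    return re.sub(r"[\s-]", "", account).upper()

def check_invoice(inv, master):
    """Return findings that should hold payment until verified out of band."""
    findings = []
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return ["unknown vendor id; not in vendor master"]
    if normalise(inv.account) != normalise(vendor.account):
        findings.append("bank details differ from vendor master: confirm by phone on a known number")
    sender_domain = inv.sender.split("@")[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        findings.append(f"sender domain {sender_domain} differs from onboarded domain {vendor.email_domain}")
    return findings

# Constructed vendor master and invoices; the IBANs are illustrative test values
MASTER = {v.vendor_id: v for v in [
    VendorRecord("V001", "Acme Widgets Ltd", "GB29 NWBK 6016 1331 9268 19", "acme-widgets.test"),
]}
SAMPLE_INVOICES = [
    Invoice("V001", "accounts@acme-widgets.test", "GB29NWBK60161331926819"),       # genuine
    Invoice("V001", "accounts@acme-widgets.test", "GB94 BARC 1020 1530 0934 59"),  # VEC: only the account changed
    Invoice("V999", "billing@acme-widget.test", "GB94 BARC 1020 1530 0934 59"),    # not a known vendor
]
```

The second invoice is the VEC case from above: it arrives from the genuine vendor domain, so the account mismatch is the only finding, and it is enough to hold the payment.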
At Darkbeam, we’ve made things simpler. As most procurement teams don’t have control over their suppliers’ security standards (beyond a signed data protection policy or ISO certification), we’ve created an independent method to instantly visualise the digital risk of your entire supply base.
Our non-invasive Digital Risk Protection platform delivers a real-time view of your suppliers’ cyber vulnerabilities, assigning a risk score to every vendor. The highly visual dashboard flags your most vulnerable suppliers who may be targeted by BEC attackers, and even reveals which suppliers already have login credentials visible to hackers on the open internet. With Darkbeam, it’s never been easier to identify your high-risk suppliers and prompt them to close cyber security gaps before your business emails can be compromised.
Want to know more? Whether it’s investing in cyber awareness training to increase your operational resilience, or visualising the digital risk in your supply chain, Darkbeam are here to help. Contact us today to find out more.