Business Email Compromise, or BEC, is a rapidly growing type of cybercrime. In 2021, the FBI received 19,954 BEC complaints with adjusted losses of nearly $2.4 billion. In a BEC attack, the attacker either compromises a legitimate email account or spoofs the sender’s address so that a message appears to come from someone the recipient trusts. The message then requests some form of payment or transfer: the scams range from payment requests, fake invoices, and solicitations for gift cards to direct-deposit change requests sent to HR departments.  

The popularity of these BEC attacks has driven an increase in attacks on corporate email systems. For example, one of the more common attacks our IT department has seen over the past three months targets Microsoft 365 accounts. These attacks, which often specifically target individuals at credit unions, try to capture the end user’s login credentials by using a look-alike domain: a domain name that closely resembles the victim’s own domain but differs in one or two characters. At a cursory glance these domains appear completely authentic and trustworthy, which is why they are so effective at tricking end users into entering their credentials. Some examples of look-alike domains follow:

  • Real domain: corporateone.coop
    • Fake domain: corporate0ne.coop – the “o” is changed to a zero
  • Real domain: ncua.gov
    • Fake domain: ncva.com – the “.gov” is changed to “.com” and the “u” in NCUA is changed to a “v”

As these examples show, the changes are subtle and easy to miss unless you look closely at every character of the domain.  

Further, in these BEC attempts the look-alike domain is combined with a man-in-the-middle (also called adversary-in-the-middle) phishing site. The attacker sends a phishing email asking the employee to click a link to open an “encrypted” file. The link leads to a malicious site run by the attacker, such as the following:

https://login-microsoftonline[.]corporate0ne[.]coop/?

This site is a fake Microsoft 365 login page that looks identical to the real one; the only visible difference is the URL in the browser’s address bar. Note how the hostname starts with “login-microsoftonline” to look familiar, while the actual domain is corporate0ne.coop rather than microsoftonline.com. These attacks commonly use a “reverse proxy” phishing kit: instead of hosting a static copy of the login page, the attacker’s server relays everything the user types to the real Microsoft login service and relays the responses back, so the victim completes a genuine sign-in, including the MFA prompt, while the attacker captures the password and the resulting session cookie or token. This lets the attacker bypass MFA methods such as one-time codes and push approvals; only phishing-resistant methods such as FIDO2 security keys, which will not sign in to a domain other than the one they were registered with, defeat this technique.  Once an account is compromised, the attacker combs through the user’s inbox looking for opportunities to attack other companies with any of the scams mentioned above.
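The two checks described above, spotting a look-alike domain and spotting a brand name planted in front of an unrelated domain, can be automated in a mail gateway or link scanner. The following is an added example written for this article, not code from Corporate One or from any product; the protected-domain list, the tiny public-suffix list, the homoglyph table and the sample inputs are all constructed for the demonstration, and a production check would use the full Public Suffix List and a fuller confusables table.

```python
"""Spot look-alike domains in sender addresses and links.

Added example, not code from the original article. PROTECTED, the suffix
list, the homoglyph table and the sample inputs are constructed for the
demonstration.
"""
from typing import List, Optional
from urllib.parse import urlparse

PROTECTED = {"corporateone.coop", "ncua.gov"}            # domains we defend
BRAND_DOMAINS = {"microsoftonline.com", "microsoft.com", "office.com"}
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "coop", "co.uk"}  # stand-in for the PSL
# Substitutions attackers use because they look the same at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}
BRAND_WORDS = ("microsoft", "office", "login", "sharepoint", "onedrive")


def registrable_domain(host: str) -> str:
    """Strip subdomains: login-microsoftonline.corporate0ne.coop -> corporate0ne.coop."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                          # check "co.uk"-style suffixes first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def fold_homoglyphs(label: str) -> str:
    """Map a look-alike spelling back to the characters it imitates."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character swaps such as ncua -> ncva."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected domain that `host` imitates, or None if it is
    either the genuine domain or unrelated to anything we protect."""
    dom = registrable_domain(host)
    if dom in PROTECTED:
        return None
    name = fold_homoglyphs(dom.split(".")[0])
    for real in sorted(PROTECTED):
        real_name = real.split(".")[0]
        if name == real_name or edit_distance(name, real_name) <= 1:
            return real
    return None


def check_link(url: str) -> List[str]:
    """Reasons a link looks like a credential-phishing URL (empty list = no finding)."""
    host = urlparse(url.replace("[.]", ".")).hostname or ""   # accept defanged URLs
    reasons = []
    imitated = lookalike_of(host)
    if imitated:
        reasons.append(f"domain imitates {imitated}")
    dom = registrable_domain(host)
    if dom not in BRAND_DOMAINS and any(w in host.lower() for w in BRAND_WORDS):
        reasons.append(f"brand name used under unrelated domain {dom}")
    return reasons


if __name__ == "__main__":
    for sample in ("corporate0ne.coop", "ncva.com", "corporateone.coop"):
        print(sample, "->", lookalike_of(sample))
    print(check_link("https://login-microsoftonline[.]corporate0ne[.]coop/?"))
    print(check_link("https://login.microsoftonline.com/"))
```

The registrable-domain step is what matters for the phishing URL in the article: the browser shows a hostname full of Microsoft wording, but the part that decides who controls the site is the last two labels. An edit distance of one on a four-letter name such as “ncua” will also match unrelated short domains, so short protected names need a tighter threshold or an explicit exception list in practice.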

Mitigating the risks: Countermeasures your credit union can implement

Several countermeasures can help your credit union mitigate ongoing BEC attacks:

  • Establish a Security Awareness program. Because BEC attacks target employees, a good Security Awareness program can be surprisingly effective. Educating employees on how phishing and BEC attacks work helps staff recognize and report attempts before anyone becomes a victim. Teaching employees key “red flags” to check before taking any action also reduces the chance of falling for these scams: examine the “from” address character by character, look for grammar and spelling errors, and inspect any links in the email (hover over the link and read the actual domain, not the display text) before clicking. For any request that involves money or banking details, confirm it out of band, by phone using a number already on file rather than one supplied in the email.
  • Implement email authentication protocols. Another tool you can leverage is the set of email authentication protocols SPF, DKIM, and DMARC, which the industry added to email over the years to address phishing, spam, and scam activity. SPF (Sender Policy Framework) is an IP-based check: the domain owner publishes a DNS record listing the mail servers allowed to send for that domain, and the receiving server checks the connecting server’s IP against it. DKIM (DomainKeys Identified Mail) adds a digital signature to each message that the receiver verifies against a public key published in the signing domain’s DNS, proving the message was signed by that domain and not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the two together: it requires that SPF or DKIM pass for a domain that aligns with the domain in the visible From: header, lets the domain owner publish a policy (none, quarantine, or reject) telling receivers what to do when that check fails, and provides aggregate reports so the owner can monitor who is sending mail for their domain. SPF and DKIM alone do not stop From: spoofing, because an attacker can pass SPF for their own envelope domain while displaying your domain in From:; DMARC’s alignment requirement is what closes that gap.   

One of the best ways to leverage these protocols is to not allow “blind” whitelists (safe-sender lists that bypass filtering on the sender address alone) in your email flow. If you need to keep a certain email address or domain out of end users’ spam folders, create the whitelist entry with a DMARC check, so that it only applies when the message passes DMARC for that domain. Otherwise the whitelist becomes the easiest path for a spoofed message straight into the inbox, since the spoofer only has to use the whitelisted address. Additionally, most email servers allow you to enforce SPF and/or DKIM verification before emails reach the end user’s mailbox.
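The two bullets above describe what a receiving mail server does with SPF, DKIM and DMARC, and why a whitelist should be conditioned on the DMARC result. The following added example, written for this article and not taken from Corporate One or from any mail product, models that receiver-side logic: it reads the SPF and DKIM results the server recorded in its Authentication-Results header, applies the DMARC alignment test and the sender’s published policy, and only then honours a whitelist entry. The DMARC record, the two messages and the whitelist are constructed sample data, and the organizational-domain logic is simplified to the last two labels.

```python
"""DMARC evaluation and a DMARC-gated whitelist.

Added example, not from the original article. Headers, DMARC record and
whitelist below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC 5322 From: header (what the user sees)
    spf_result: str    # pass / fail / softfail / none
    spf_domain: str    # envelope MAIL FROM domain that SPF was evaluated on
    dkim_result: str
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none


def auth_from_headers(raw_headers: str) -> AuthResults:
    """Extract the fields DMARC needs from From: and Authentication-Results: headers."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, raw_headers, re.IGNORECASE | re.MULTILINE)
        return m.group(1).lower() if m else ""
    return AuthResults(
        from_domain=grab(r"^From:.*@([\w.-]+)"),
        spf_result=grab(r"\bspf=(\w+)") or "none",
        spf_domain=grab(r"smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)"),
        dkim_result=grab(r"\bdkim=(\w+)") or "none",
        dkim_domain=grab(r"header\.d=([\w.-]+)"),
    )


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=quarantine; aspf=r' into a tag dictionary with defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. A real receiver consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts subdomains."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(ar: AuthResults, record: Dict[str, str]) -> Tuple[str, str]:
    """Return (dmarc result, disposition). Passing needs an *aligned* SPF or DKIM pass."""
    spf_ok = ar.spf_result == "pass" and aligned(ar.spf_domain, ar.from_domain, record["aspf"])
    dkim_ok = ar.dkim_result == "pass" and aligned(ar.dkim_domain, ar.from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]


def decide(ar: AuthResults, record: Dict[str, str], whitelist: Set[str]) -> str:
    """A blind whitelist would skip filtering on the From: domain alone.
    Here the entry only counts when DMARC passed for that domain."""
    result, disposition = dmarc_evaluate(ar, record)
    if result == "fail" and disposition in ("quarantine", "reject"):
        return disposition                      # the sender's published policy wins
    if result == "pass" and ar.from_domain in whitelist:
        return "deliver-unfiltered"
    return "filter-normally"


# Constructed sample data: a vendor's DMARC record and two messages that both
# display billing@vendor.example, only one of which really came from the vendor.
VENDOR_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@vendor.example"
LEGIT = """From: "Vendor Billing" <billing@vendor.example>
Authentication-Results: mx.creditunion.example; spf=pass smtp.mailfrom=billing@vendor.example; dkim=pass header.d=vendor.example
"""
# SPF passes here, but for the attacker's own envelope domain, so it does not align.
SPOOFED = """From: "Vendor Billing" <billing@vendor.example>
Authentication-Results: mx.creditunion.example; spf=pass smtp.mailfrom=bounce@attacker.example; dkim=none
"""

if __name__ == "__main__":
    record = parse_dmarc_record(VENDOR_DMARC)
    for label, msg in (("legit", LEGIT), ("spoofed", SPOOFED)):
        ar = auth_from_headers(msg)
        print(label, dmarc_evaluate(ar, record), decide(ar, record, {"vendor.example"}))
```

The spoofed message is the case the bullet above warns about: SPF genuinely passes, because the attacker controls attacker.example and its SPF record, but the passing domain does not align with vendor.example in From:, so DMARC fails and the vendor’s quarantine policy applies before the whitelist is ever consulted. In a hosted mail platform the same condition is expressed as a rule that matches the Authentication-Results header the platform writes, rather than as code.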

For more information about email authentication protocols, check out the following resources: 

In addition, to learn more about common indicators of phishing/BEC attempts along with tips on how to avoid becoming a victim, read the NCUA's risk alert from earlier this year.

Today’s bad actors are tricky, and all financial institutions, regardless of size, are vulnerable. We encourage you to be extra vigilant to stay extra safe. 



Dan Seas
AVP Information Security & Cyber Defense