Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).
Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:
What is business email compromise and how does it work?
Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.
These attacks have two main categories:
- Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
- Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.
Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.
There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:
A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.
The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.
How Can Financial Institutions Defend Against These Threats?
The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.
The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:
- Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
- DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
- URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
- Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).
These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.
The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.
To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”