In the first part of this story, we looked at some of the issues surrounding Business Email Compromise (BEC) attacks, often called CEO Fraud. Here we will look at more hands-on actions CISOs can take to protect their data and defend against these attacks.
Today’s attacks feature the same hallmarks as previous incidents, with the attackers conducting a wide range of basic research on the CEO using internet searches, often revealing travel plans, hobbies, favorite sports teams and other information the attackers use to try to bluff company employees and get them to think they are the person they are pretending to be. While companies strive to provide transparency about their organizations, attackers use this data to build more effective attacks.
Elevated privileges
While employee training for scenarios like these is critical, security teams also need to examine the company’s email traffic carefully so they can flag suspicious behavior, particularly involving workers in accounting, accounts receivable or other sensitive departments, says Christiansen. Instead of simply accepting emails from all domains, consider blocking suspicious ones from places where your company does not do business, he says.
“[For] people who have higher levels of financial access to your systems, you want to look and monitor those people pretty closely, people with elevated levels of privilege,” says Christiansen. “Often there can be coercion by attackers, or [attackers] can buy them drinks at a bar and ask about the company and its executives.”
Attempts to compromise corporate employees do not only focus on high-level executives with access to company secrets; systems administrators with privileged access to servers are often targets because their login credentials provide attackers with access to move through systems laterally without raising red flags. A compromised email administrator’s credentials, for example, could provide access to legitimate email accounts, making CEO fraud appear that much more legitimate.
Of course, companies must ensure that other basic but often neglected procedures are carried out, such as patching all desktop and laptop systems and related business infrastructure to protect them from a wide range of security vulnerabilities. While it might seem easy to point to patching as a best practice, network administrators will tell you that before patches are moved to production systems, the IT team must ensure that the patch will not break other system software. The gap between delivery of a patch and verification that it won’t break other applications can often be the difference between identifying a vulnerability and falling victim to it.
Another recommendation is never to call the phone number provided with a suspicious message. If employees want to reach the person requesting an unusual wire transfer or other action, they only should call the individual’s authenticated phone numbers to confirm the email’s request. Otherwise, they might end up calling a phone number being used by the cyberthieves themselves as part of the scam.
The holistic approach
Forrester’s Blankenship recommends a holistic approach to battling CEO fraud email attacks: knowing and recognizing the threats, stopping or flagging suspicious messages, and effectively educating employees on how to recognize and avoid such attacks.
Email filtering is often not effective enough on its own because the attackers usually mask their exploits and make them quite difficult to detect and filter out, says Blankenship.
What email filtering can do, however, is detect known spam and commodity phishing emails that have been reported or detected by others and stop them cold, he says. “What’s missing is the ability to detect suspicious emails or make targets aware that an email or other communication may be fraudulent. Some vendors are using machine learning and artificial intelligence to detect these, but the technology isn’t perfect yet and most businesses are not employing it.”
Ultimately, because the known detection methods today are not foolproof, it is up to the email’s recipient to decide if a suspicious email is fraudulent or not, he adds. That can create its own conundrum: “Smart attackers will research their targets ahead of time and will work to gain trust before actually asking the target user to do something.”
To fight clever attackers, recipients must verify that incoming emails are real before taking any actions requested by the message, which is not easy to do during a busy and stressful work day, says Blankenship. “It’s up to security professionals to make sure their users and executives have the tools they need to defend themselves. Leaving it solely up to the user is doomed to fail.”
Depending on the size of the company and its internal IT organization, these needs can produce their own challenges because threat controls and training might not be available, he says. “Unfortunately, in a lot of these cases, these are typically mid-market or SMB companies, so they don’t have a big IT team fighting for them.”
In such cases, companies can subscribe to an ongoing security service for help, especially one that provides real-time threat feedback, he notes. Another effective practice is to conduct regular procedural drills for employees so they can learn how to respond properly and securely to incoming “bait” emails that purport to be from the CEO or other executives.
One complication today is that since business email compromise attacks have persisted for years, plenty of data from past attacks is out on the internet and is available to be reused by today’s bad actors, says Blankenship. “All that data is floating around out there, so names and data are available. It becomes that much easier for a criminal to use that for their own means.”
Protecting company information
In the end, everything companies do to fight CEO fraud/BEC attacks is about protecting their businesses, employees and their operations, says James Pooley, a trial lawyer in Menlo Park, Calif., who specializes in trade secret and patent litigation.
Training employees how to react to probing, suspicious emails is one of the things he often discusses with company executives as they work to safeguard their IT systems.
One tactic Pooley recommends is to set up carefully crafted protocols ahead of time so that incoming suspicious emails can be halted early in the process. The protocols should include specific rules for any interactions that might come directly from the company’s CEO and other high-ranking executives, such as an executive asking for money to be sent using instructions that deviate from the norm.
Underscoring the need for code words to authenticate an instruction, Pooley says the protocols might include “you will only get messages from me on these kinds of issues with this specific password or marker that can’t come in from the outside.”
Some new data loss prevention tools are using artificial intelligence (AI) to help weed out these kinds of attacks from cybercriminals, he adds. “They are using AI that analyzes the nature of the communications themselves in ways that are far more sophisticated than just looking for words that match filtering lists. AI is really the way forward.”
So, will future CEO fraud email attacks ever be completely blocked? Not likely, says Pooley. “If an outcome is affected by human behavior, you can’t 100 percent prevent errors by people. All you can do is try to react.”
The email fraud attacks “play on the fact that we are very busy and we don’t stop to question something that on its face has markers of plausibility,” says Pooley. “Life is very fast these days, including inside the corporate environment, and people need to get things done now.”