The business email compromise

With increased sanctions in place, a return to an old classic

What is a business email compromise (BEC)?

A business email compromise is an e-mail-based cyber-crime in which criminals target and attempt to defraud a business, generally through wire transfer or wire diversion fraud. Commonly, attackers use phishing techniques or stolen credentials to divert an existing wire transfer or to initiate a fraudulent one. In many cases, these emails will appear to come from a known-good or trusted source.

As an example, your third-party vendor ACME Co. uses the domain acmeco.com, and you receive an email from acneo.com or acrneo.com. The senders may even use similar-looking email signatures to make these emails appear more legitimate. These are attempts by criminals to spoof a trusted source and defraud a business by giving their emails an appearance of legitimacy.

Why is BEC likely to increase?

With governments increasingly focused on monitoring or blocking cryptocurrency payments made to settle ransomware cases, and given the volatile nature of the cryptocurrency market, criminal groups could turn to BEC as a more profitable cybercrime. BEC attacks commonly include other crimes such as invoice fraud or other attempts to get businesses to wire money to the criminals.

What can I do to be better protected?

This depends on your IT environment; however, a “defense in depth” approach gives you a good chance of defeating a threat actor even if they manage to breach your systems or begin to socially engineer your employees. The steps below can help you better protect your business from being defrauded.

General leading practices

  1. Enable multi-factor authentication (MFA) throughout the environment including VPN, internet-facing applications like Exchange, and/or cloud-based email providers (e.g., Microsoft 365).
  2. Educate your employees. Train them to spot suspicious emails that contain poor grammar/broken English, contain a strong sense of urgency to pay, and/or have updated banking or contact information.
  3. Utilize a call-back verification process when setting up new payment instructions or making changes to existing payment instructions.
    • Implement the concepts of dual control & segregation of duties within departments/sections handling financial transfers.
  4. Implement a simple, streamlined process for employees to report suspicious emails (e.g., Report email button).
  5. Create a BEC response playbook.
  6. Perform brand monitoring and look for newly registered domains that are spoofing your business, brand likeness, and/or domain(s).
  7. Follow industry leading practices regarding the emailing & storage of sensitive information (e.g., HIPAA, PII, PCI).
  8. Establish retainer/on-call agreements with outside counsel and/or an incident response firm.
  9. Review your cyber insurance policy and determine whether it covers financial losses due to cyber fraud or social engineering.
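The look-alike domains in the ACME Co. example above (acneo.com, acrneo.com) and the brand-monitoring step in item 6 both come down to the same check: is a sender's domain a near miss of a domain you trust? The following detector is an added example, not KPMG's code or tooling; the trusted list, the sample sender addresses, the homoglyph table and the edit-distance threshold are all constructed assumptions.

```python
# Added example: flag sender domains that look like a trusted vendor's domain.
# Assumptions (not from the page): the trusted list, the sample addresses,
# the homoglyph table and the distance threshold are all constructed here.
from typing import Iterable

# Character pairs that are easily confused on screen (constructed, partial list).
# "rn" -> "m" is the trick behind acrneo.com; "cl" -> "d" and "vv" -> "w" are similar.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

def normalize(label: str) -> str:
    """Collapse homoglyph tricks so 'acrneo' compares as 'acmeo'."""
    label = label.lower()
    # Replace multi-character tricks first so single characters do not mask them.
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Extract the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()

def classify(address: str, trusted: Iterable[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender address."""
    trusted = [t.lower() for t in trusted]
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    label = normalize(domain.split(".")[0])  # compare the registrable label only
    for t in trusted:
        if edit_distance(label, normalize(t.split(".")[0])) <= max_distance:
            return "lookalike"
    return "unrelated"

TRUSTED = ["acmeco.com"]  # constructed vendor allow-list
SAMPLE = ["ap@acmeco.com", "ap@acneo.com", "ap@acrneo.com", "news@example.org"]

if __name__ == "__main__":
    for addr in SAMPLE:
        print(f"{addr:20} {classify(addr, TRUSTED)}")
```

A "lookalike" verdict is a trigger for the call-back verification in item 3, not proof of fraud; keep the threshold low for short labels, since a distance of 2 on a six-letter name already matches many legitimate domains.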

Microsoft 365 leading practices

  1. Enable conditional access to help ensure specific conditions are met before granting access to a resource.[1]
  2. Disable legacy authentication to reduce the attack surface that BEC criminals commonly use.[2]
    *NOTE: Legacy authentication does not support MFA.
  3. Use Microsoft Secure Score, a tool within O365 that provides customized recommendations to help businesses harden their O365 environment.

Blog authored by: Dennis Labossiere and Corey Berman

Disclaimer: The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.

Footnotes

  1. Microsoft, “What is Conditional Access?”, (8/15/2022).
  2. Microsoft, “Blocking legacy authentication”, (8/15/2022).

Contact us

Ed Goings
Principal, Cyber Security, KPMG US
+1 312-665-2551

David Nides
Principal, Cyber Security Services, KPMG US
+1 312-665-3760

James Arnold
Principal, Cyber Security, KPMG US
+1 314-444-1427