Email Security Blog

BEC Response Guide— Tips for Responding to Business Email Compromise Incidents

Ronnie Tokazowski December 14, 2020 BEC, Business Email Compromise
man working on computer

This post originally appeared on Medium and is published here courtesy of Ronnie Tokazowski. For more by Ronnie, follow him on Twitter @iHeartMalware.

If you’re reading this and are in the middle of an incident, go to the first bullet now. The rest can wait.

Malware incidents suck, but if you want to know what it’s like responding to a BEC incident, triple the carnage, shake the snow globe, set it on fire and there you go, Business Email Compromise incident. While it may seem like there’s only one victim, in virtually every single incident there are multiple other parties and victims involved. Romance victims are mules, money moving from one place to another is typically laundered, and purchased merchandise or bitcoin has been re-shipped or tumbled to hide the trail.

Let’s not forget the voodoo, suicides, and murdering grandmom. I’ve sprinkled other lesser-known BEC facts for your reading entertainment. Enjoy. 🙂

My last count was 30 billion dollars lost over the last 5 years, but BEC (and related crimes) have reached the point of “the accurate total damages can no longer be articulated.” And that was like, two years ago.

I can’t stress this enough: BEC is bad news.

Timeliness is Key – Where to Report

  • If you’re in the middle of an incident, file a BEC report with IC3. This is how the FBI responds to incidents, and this is the fastest way to get things going. You can fill out the details here: IC3 Complaint Referral Form. If you’re in the middle of the incident, grab the bank accounts or check numbers ASAP and fill this out NOW. The sooner you fill it out, the higher your chances of success of getting the money returned. Like if this is you, stop reading now and go do that. The rest can wait.
  • If you’re reporting for information purposes (please please please), include as much detail as possible. What was the account the scammer requested? What was the name used for the account wire? What were the other names of companies involved? Phone numbers called, email accounts used, URL’s visited? Did they send you an invoice, and if so, do you have the original copy? You are rarely the only victim, and by reporting you can help other victims. (Like romance victims, who are unwitting money mules for years)

Reporting Accounts

Sometimes you’ll have email, social media, or web accounts that the scammer used to contact you. Here’s what to do with that information.

  • Email accounts — Report these to the service provider. They’ve gotten much better at taking this stuff out over the years, and many do use this.
  • Social media — Report romance accounts to the social media providers! Burn it all down.
  • Domains — Did a scammer create a look-alike domain of your company? In all honesty, your best bet is to do a search on VirusTotal and have it thrown into that dataset. That gets it into the security pipeline for end users. Unfortunately the obvious answer of “report the domain to the registrar” is really not the ideal solution. I have heard horror story after horror story, including personal accounts to try and get sets of domains removed that are actively being used for fraud.

Seriously, don’t waste your time or energy with the registrar. I hate to be this harsh about it, but it’s not worth the high blood pressure. (Registrars if you’re reading this, do better. We’re reporting live attacks to prevent more victims and you aren’t doing jack to stop it. Try harder.)

ATO / Account Takeover

Many BEC incidents include a compromised account. If this is you, here’s what to do.

  • Assume inbox = fully compromised. By this I mean “the scammers more than likely have a copy of every email in the account.” Actors use this information to hijack threads with other customers and clients, where they inject modified purchase orders or invoices, pretending to be you.
  • BEFORE doing a password reset, check for email forward rules. Once a scammer gains access to an email account, they will often create an email forward rule on the account and walk away. Similar to above, these emails get used for hijacking email threads. These threads are from your inbox, making these BEC’s especially heinous, as timing and topic are relative to the email thread. (Two focal points we train users to watch out for)
  • SOC’s: Like seriously, if you aren’t alerting on email forward rules created by users (within reason, may need tuning for larger orgs) you really need to do that yesterday. That’s your one-shot red notice “things are about to burn” alert that’s going to save your butt from trying to explain that Jim isn’t the real Jim who was actually fake Jim with a forged email account looking like your company that told Eric at your customer site to pay an invoice for $250,000. (Ronnie’s Trivia: count the victims)
  • Now that you verified that the forward rule (!!!!!!!) has been cleared and removed, now it’s time to reset the password. While you’re abusing your user with the trauma of a password reset, crank the hurt up with enabling 2FA on their account. And you may just want to rip that Band-Aid off and enable that for all of your users, because pic related.

Image for post

  • And SMS 2FA is better than nothing. There, I said it. (Ronnie’s thought: SIM swapping? Isn’t that more along the lines of a company not being able to protect their customers data? Why should end users be forced to suffer when the problem is upstream?)
  • SOC’s: And if you have 2FA enabled, don’t forget the rule for valid password / invalid PIN. Your welcome. ❤

If you have a compromised account, let the respective parties know. It’s 2020, attacks happen. Mitigate the risk now to lessen the damage tomorrow.

Processes, Processes, and Processes

Now that we made it past the “my pants are on fire” section, are there areas that can be strengthened without spending a dollar? You bet your butt there is!

  • What is your process for wiring money? Do you need phone verification, board approval, or meeting in-person? What are the limits for $50,000, $100,000, or $250,000 wires? How about a payroll change? A simple email with a W2 or picture of an ID isn’t enough, and true identity should be verified to prevent fraud. A simple phone call sounds pretty cheap when it could have prevented that $150,000 wire. (Yes these numbers are random, yes they are pretty accurate to what real numbers look like.)
  • Just because you see a phone number in an email doesn’t mean that’s the real phone number. Check your Rolodex for the previous phone numbers, because there are services out there that can create phone numbers in the same area code. (hint hint hint……………………………)
  • Speaking of phone numbers, for the love of all that’s holy, STOP sending gift cards. I don’t care if your boss forgot his niece’s birthday, if he needs you to run a quick errand, run a task, or surprise the employees with holiday gift cards (all attacks I’ve seen), don’t do it!!!!! Not only does that break typically reimbursement procedures (personal gift card reimbursed on company card?), but your pretty much out of luck once they’re in the hands of the scammers.
  • Where do the gift cards go when they fly? They don’t go to Heaven where the angels fly. They go to a land where bitcoins are exchanged, and more specifically gift card to bitcoin exchanges. There’s plenty of ’em out there and the scammers like ’em.
  • Establish “known good” bank accounts. If you know that you always use bank JKL at account 567 and AAA bank with account 000 out of nowhere pops up, something is phishy. (Ba dum TSH)

Closing

There’s a dozen other things that could be implemented, however this was purely meant to be a quick-and-dirty guide on how to handle these. I have strangely “inherited” this problem, which is great because I have a habit of obsessing over things until they’re fixed. I think I heard someone complaining about ransomware, but I couldn’t hear them over the sound of the romance victim who was committed because she tried to commit suicide or the other victim who received $15,000 cash in a FedEx box from another state from another romance victim who cashed a check from a victim company, but who initially sent the check to a completely different work from home mule? (Ronnie’s Trivia: count the victims)

BEC is an absolute dumpster fire. But not just one dumpster fire, but more like 6 dumpster fires. Then take those dumpster fires and throw ninjas on top. Then add photoshopped raptors with bombs and a little more fire and have people throw gasoline on top of it…that’s BEC.

And shout out to Jim Sykora (not the Jim in the story, another Jim) for being like “Hey Ronnie, got any BEC playbooks?”

 

Agari Blog Image

June 8, 2021 Crane Hassold

Inside a Compromised Account: How Cybercriminals Use Credential Phishing to Further BEC Scams

Why would a cybercriminal spend time developing malware when he can simply trick unsuspecting users…

Agari Blog Image

April 7, 2021 Ronnie Tokazowski

Big Email Concern: IC3 Report Confirms that BEC (Unsurprisingly) Remains a Problem

When it comes to reports from the security industry, one of our yearly favorites is…

Banner: New BEC Attack 7x more costly

March 3, 2021 Crane Hassold

Agari Report: New BEC Scam 7X More Costly Than Average, Bigger Phish Start Angling In

Sophisticated new threat actors, evolving phishing tactics, and a $800,000 business email compromise (BEC) scam…

Agari Blog Image

February 11, 2021 Crane Hassold

Cosmic Lynx Returns in 2021 with Updated Tricks

In July 2020, we published a report on a Russian-based BEC group we called Cosmic…

woman working on computer

December 1, 2020 Ronnie Tokazowski

BEC Cash-out Methods: Email Fraudsters Experimenting With Alternative Approaches

Business email compromise (BEC) actors are exploring alternative cash-out methods for spiriting away the profits…

mobile image