Learnings from business email compromise and payment scams
Over the last few months, I've helped with several incident response cases involving impersonation fraud and business email compromise. The businesses involved were different in size and industry, but they all had one thing in common: handling and processing reasonable amounts of money.
This makes them attractive targets for cybercriminals who engage in social engineering to steal credentials (usernames and passwords) to gain access. They typically watch and wait and then pivot into the email chain to divert funds. In all of the cases I was involved with, fortunately, the clients' account team stopped the payments due to having a thorough manual check to verify bank details. But often, this is not the case, and when the victim does find out, it is too late to recover funds. I've included some tips on the lessons learned from these incidents below.
Here are some general tips of what you should be doing to protect your organisation from business email compromise fraud and other attacks.
Technology Tips
If you are still using a single factor (just a username and password) to access any of your online systems you will be compromised! So enable MFA!
Use a good password manager for all of your passwords. 1Password or Bitwarden are good ones to choose. These are good for both home use and business.
Do not store passwords in plain text. If you need to share passwords with external parties then use a secure system to do so and make sure the data is encrypted.
Trust your instinct, AI and the grammar of attackers is getting better so if it is to good to be true, then it probably is! So don’t click.
Turn on cloud audit data. These logs are so powerful in acting as an early warning system for your organisation about suspicious activity. They are also essential for incident response to determine what happened. In all of the cases I was working recently M365 Audit logs were not configured correctly and not collecting data beyond 30 days.
As a minimum you should have 90 days of log data and ideally 12 months.
✅ Once hackers gain control of mail boxes they typically divert important emails to obscure folders and mark them as read so the victim can't see them. They then impersonate the user later to carry out their fraud. So regularly check for any changes to your email forwarding rules or mail box rules. If anything looks out of place or doesn't seem right contact your IT department or security team to help.
Payment Process Tips
✅ Never accept changes to bank account details however urgent they sound via email, post, phone call or even over a web conference call.
✅ Always validate changes directly with the supplier using the contact details you have on file and never use the ones supplied in an email.
✅ Where large transactions are involved triple check all details and ideally have at least two people involved in the validation and approval process.
✅ Depending of the volume of payments you make, a good idea before making payments, especially to a new supplier is to call them and validate their details.
Education
✅ Educate your employees on the latest scams and business email compromise threats.