It’s a little after 10pm on a Friday evening and I’ve just got off the phone with “Tony” (not his real name). Tony had come through to me because I’m the ‘on call’ guy this week. Tony sounded fed up, sad, resigned. He explained to me that a client of his was refusing to pay for the work his company had done. And it was a notable amount: a little over £250,000. I didn’t ask, but I got the impression this was a big deal – not the sort of amount his company could just swallow. His insurance company had put him in touch with me because of the unusual excuse the client had given. If you work in Cyber Security you might be able to guess it already.
The client said they’d already paid. They said that during the email conversation about raising the invoice and getting it paid, Tony’s company had emailed the client saying they had new bank account details and to please pay this new account. And so they did. Or at least that’s what they claim – Tony didn’t believe them. But I did.
In my opinion, and in my experience, it’s almost certainly true.
In our world, we refer to it as a ‘Business Email Compromise’. In short, attackers gain access to webmail either via social engineering (e.g. sending a phishing email to steal credentials) or via password reuse (an employee uses the same password for their webmail as for some other service that has been compromised and had its credentials leaked). Once they have access, they watch the email conversations, perhaps setting up forwarding rules (so copies of the mail reach them without having to log in again) or auto-delete rules (so the victim never sees the replies that would give the game away), and wait for the right moment to send an email asking for the payment to be made to a different account.
And it works. Of course it works. It’s in the flow of a conversation about making payments. It isn’t a fake email, it really comes from the correct email account. It has the correct email signature. The attackers have copied-and-pasted your wordings from other emails to make it sound like you.
And just like that, the criminals have stolen quarter-of-a-million pounds. And they didn’t even need to leave the house.
I listened to Tony for a bit and eventually I told him not to be so quick to judge his client. I told him that this kind of attack was really common, I told him that it had a name, I told him how it worked, and I told him that I’d dealt with three of them this week. And that was true. This week alone I’d had three conversations with organisations who had either been the victim of, or very nearly been the victim of, a Business Email Compromise.
It’s easy for those of us who work in Cyber Security to forget about the people like Tony. We have minds that want to see the logs, to see the email headers, to check the forwarding rules. We can easily forget about Tony. Tony has employees. Employees that have bills to pay. Tony and his company are victims of a crime. And it’s awful.
Tony told me that the bank were trying to reverse the payment, but he didn’t sound hopeful. He described the changes his IT provider had now made to make their email more secure, and they sounded good, but this is the epitome of closing the stable door after the horse has bolted.
But if your horse hasn’t yet bolted, the following are some things that will help defend against such an effective and destructive cyber-attack:
- Enable MFA on webmail. This will make a huge difference. These attacks work because the attacker can log in to email accounts from outside your organisation. Enabling Multi-Factor Authentication (MFA) means that when your employees log in via the web app they must also present a second factor, such as a code generated by an app on their mobile device. This might sound cumbersome, but it rarely is. Make sure it cannot be sidestepped: legacy protocols such as IMAP, POP and SMTP with basic authentication accept a password alone, so disable them where you can. If rolling it out to everyone really is too big an undertaking or too expensive, start with the accounts an attacker would most want: the finance team, anyone who raises invoices or sends payment instructions, and the VIPs.
- Prohibit access to email from outside the corporate network. This might seem radical, but do your employees need to be able to get to their email from outside the corporate network? Of course we live in a world where people need access to their email 24/7, but consider requiring a VPN or a similarly isolated app on a mobile device.
- Review manual payment approval processes. These attacks work because the team making the payments act on the email instruction. This is completely understandable, but if there’s a significant change, such as the account to which the payment is being made, it should be confirmed by a phone call to a number you already hold on file for that supplier, never to a number taken from the email that requested the change.
- Remind Users, Especially the Finance Team. This is two-fold. Users need to be reminded about phishing emails trying to steal their credentials and the Finance team need to be especially aware about changes to normal practices. There should be a culture where questioning such things is encouraged.
- Check the Logs. If the IT Security team detect logins to webmail from unusual countries, they should be raised as high-priority incidents. The same goes for newly created forwarding or auto-delete rules on a mailbox, which are usually the attacker’s first move once they are in. They might just catch it in time.
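As an added example (not code from the original post), the following script shows what “check the logs” can look like in practice for the two signals discussed above: successful webmail sign-ins from outside the countries your staff normally work from (including two countries too close together in time), and the forwarding and auto-delete rules described earlier. The log format, the domain `example.com`, the expected-country list and the sample events are all constructed for illustration; a real deployment would feed it the sign-in and mailbox-audit export from your mail platform.

```python
import json
from datetime import datetime, timedelta

CORP_DOMAIN = "example.com"          # hypothetical: the organisation's own mail domain
EXPECTED_COUNTRIES = {"GB", "IE"}    # hypothetical: where staff normally sign in from
TRAVEL_WINDOW = timedelta(hours=6)   # two different countries inside this window is suspicious
PAYMENT_WORDS = {"invoice", "payment", "bank", "remittance"}

# Constructed sample audit log (JSON lines), not real data. One successful sign-in
# by "alice" from an unexpected country is followed by two new inbox rules.
SAMPLE_LOG = """
{"time": "2024-03-04T08:55:00+00:00", "event": "login", "user": "alice", "result": "success", "country": "GB"}
{"time": "2024-03-04T09:10:00+00:00", "event": "login", "user": "bob", "result": "success", "country": "GB"}
{"time": "2024-03-04T11:32:00+00:00", "event": "login", "user": "alice", "result": "success", "country": "NG"}
{"time": "2024-03-04T11:35:00+00:00", "event": "inbox_rule_created", "user": "alice", "rule": {"name": "Sync", "forward_to": "alice.invoices@mail-example.net", "delete": false, "keywords": []}}
{"time": "2024-03-04T11:36:00+00:00", "event": "inbox_rule_created", "user": "alice", "rule": {"name": ".", "forward_to": null, "delete": true, "keywords": ["invoice", "bank details"]}}
{"time": "2024-03-04T12:00:00+00:00", "event": "login", "user": "carol", "result": "failure", "country": "NG"}
{"time": "2024-03-05T08:50:00+00:00", "event": "inbox_rule_created", "user": "bob", "rule": {"name": "Newsletters", "forward_to": null, "delete": true, "keywords": ["newsletter"]}}
"""


def parse_log(text):
    """Parse JSON-lines audit events and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def mentions_payment(keywords):
    """True if any rule keyword looks like it targets payment-related mail."""
    return any(word in kw.lower() for kw in keywords for word in PAYMENT_WORDS)


def detect(events):
    """Return (kind, user, detail) alerts for the BEC signals discussed in the post."""
    alerts = []
    last_login = {}  # user -> (time, country) of their last successful sign-in
    for e in events:
        user = e["user"]
        if e["event"] == "login":
            if e["result"] != "success":
                continue  # only sign-ins that actually got in feed these checks
            country = e["country"]
            if country not in EXPECTED_COUNTRIES:
                alerts.append(("unusual_country", user, f"sign-in from {country}"))
            prev = last_login.get(user)
            if prev and prev[1] != country and e["time"] - prev[0] <= TRAVEL_WINDOW:
                gap = e["time"] - prev[0]
                alerts.append(("impossible_travel", user, f"{prev[1]} then {country} within {gap}"))
            last_login[user] = (e["time"], country)
        elif e["event"] == "inbox_rule_created":
            rule = e["rule"]
            target = rule.get("forward_to")
            # Forwarding to anything outside our own domain is how the attacker keeps reading
            if target and not target.lower().endswith("@" + CORP_DOMAIN):
                alerts.append(("external_forward", user, f"rule {rule['name']!r} forwards to {target}"))
            # A delete rule keyed on payment words hides the replies that would expose the fraud
            if rule.get("delete") and mentions_payment(rule.get("keywords", [])):
                alerts.append(("auto_delete", user, f"rule {rule['name']!r} deletes mail matching {rule['keywords']}"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"HIGH  {kind:<18} {user:<6} {detail}")
```

Run against the sample log it raises four alerts, all for alice: the sign-in from NG, the GB-then-NG sequence a few hours apart, the rule forwarding to an external address, and the rule silently deleting anything mentioning invoices or bank details. Bob’s newsletter-deleting rule and carol’s failed attempt produce nothing, which is the point: the aim is a short list an on-call person can act on the same day, not a dump of every rule change.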
When dealing with those users who inevitably complain about having to use the MFA app, or about having to VPN in, just think about Tony.