Email fraud campaigns can deliver significant financial returns to malicious actors. That's clear from the FBI's newly released "2020 Internet Crime Report," which says that Business Email Compromise (BEC) and Email Account Compromise (EAC) campaigns were the costliest scams last year. Financial losses from these schemes totaled about $1.8 billion in the U.S. alone, according to the FBI.
BEC and EAC attacks are hyper-targeted campaigns designed to steal money, data, or confidential information from businesses and individual users. These scams, which often rely heavily on social engineering, are vexing for defenders because they can be challenging to detect. If an attacker sends a well-crafted email that contains no malicious URLs or attachments, it can easily slip through defenses and into the inbox of a user who thinks it's a legitimate message from a sender they know and trust.
These scams are also challenging for security teams to identify because, increasingly, they take advantage of the complexity of an organization's supply chain. Attackers target vendors and other third parties that an organization does business with—from office supply retailers to caterers to cleaning services—with BEC and EAC campaigns. If they can compromise and impersonate these trusted vendors, there's a good chance they can compromise the businesses and users they interact with, too.
Learn about the differences between BEC and EAC attacks in this post.
Attackers becoming craftier and bolder with their tactics
In a recent Proofpoint webinar on the topic of email fraud in the supply chain, a panel of security experts reported that their businesses are seeing a wide variety of BEC and EAC attacks. Malicious actors are impersonating compromised suppliers to conduct invoice fraud, credential phishing, gift card fraud and more, they explained. And attackers are becoming only more creative and persistent in their efforts, using strategies old and new.
For example, typosquatting, or using a fraudulent email domain that's similar to an authentic one, is a common technique for tricking users into believing a malicious email is from a legitimate contact. And some attackers are also trying their hand at thread hijacking—boldly inserting themselves into a compromised user's existing email conversations so they can reach and work to exploit other victims.
So, how can you better protect your organization from BEC and EAC attacks that target your supply chain relationships? Here are six recommendations, straight from the experts:
1. Know who your suppliers are
Understanding who your suppliers are, which domains they use to send email to your users, and which of your users typically interact with them is a good starting point. It sounds simple, but if it were easy, more organizations would do it proactively. As one expert in our webinar noted, taking inventory of your suppliers and keeping it up to date "isn't super-exciting and it's a pain." Still, it's critical information: a security team can't judge whether a sender is legitimate without knowing what legitimate looks like for each supplier.
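As an added illustration of how a supplier inventory is used against the typosquatting described earlier (this is example code, not something from the post or any Proofpoint product), the script below takes a small list of known supplier sending domains and classifies an inbound sender as a known supplier, a lookalike of one, or simply unknown. The inventory, the homoglyph table and the sample addresses are constructed for the example; the edit-distance threshold of 2 is an assumption you would tune against your own inventory.

```python
"""Classify an inbound sender's domain against a supplier inventory.

Constructed example: the inventory, the homoglyph table and the sample
addresses below are illustrative, not taken from any real environment.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed inventory of domains each supplier actually sends from.
KNOWN_SUPPLIER_DOMAINS = frozenset({
    "acme-office.example",
    "citycaterers.example",
    "brightclean.example",
})

# Confusable sequences attackers substitute when registering lookalikes.
# Single characters are folded before multi-character pairs so the result
# does not depend on which variant a label started with.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
              ("rn", "m"), ("vv", "w"))


@dataclass(frozen=True)
class Verdict:
    sender_domain: str
    status: str             # "known", "lookalike" or "unknown"
    matched: Optional[str]  # inventory domain this sender matches or imitates
    reason: str


def fold_homoglyphs(label: str) -> str:
    """Map confusable sequences to a canonical form ('acrne' -> 'acme', '0' -> 'o')."""
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased and without a trailing dot."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_sender(address: str,
                    known: Iterable[str] = KNOWN_SUPPLIER_DOMAINS,
                    max_distance: int = 2) -> Verdict:
    """Decide whether a sender domain is a supplier, imitates one, or is simply unknown.

    Exact and subdomain matches are checked first so a supplier's own mail host
    is never reported as a lookalike of itself; the fuzzy checks compare only
    the registrable label (the part before the public suffix).
    """
    domain = sender_domain(address)
    inventory = sorted(known)
    if domain in inventory:
        return Verdict(domain, "known", domain, "exact match to supplier inventory")
    for k in inventory:
        if domain.endswith("." + k):
            return Verdict(domain, "known", k, "subdomain of an inventoried supplier domain")
    for k in inventory:
        name, kname = domain.split(".")[0], k.split(".")[0]
        if domain.startswith(k + "."):
            # e.g. acme-office.example.attacker.example: the real name as a leading label
            return Verdict(domain, "lookalike", k, "supplier domain embedded under another domain")
        if name == kname:
            return Verdict(domain, "lookalike", k, "supplier name under a different top-level domain")
        if fold_homoglyphs(name) == fold_homoglyphs(kname):
            return Verdict(domain, "lookalike", k, "homoglyph substitution")
        dist = levenshtein(name, kname)
        if dist <= max_distance:
            return Verdict(domain, "lookalike", k, f"edit distance {dist} from supplier domain")
    return Verdict(domain, "unknown", None, "not in supplier inventory")


if __name__ == "__main__":
    # Constructed sample senders, one per case the classifier handles.
    for addr in ("ap@acme-office.example", "billing@invoices.acme-office.example",
                 "ap@acrne-office.example", "ap@acme-offce.example",
                 "ap@acme-office.example.attacker.example", "ceo@unrelated.example"):
        v = classify_sender(addr)
        print(f"{addr:45} {v.status:9} {v.reason}")
```

A "lookalike" verdict is a strong signal on its own, but "known" is not a clean bill of health: a message from a genuinely compromised supplier account (the EAC case) passes this check, which is why the inventory is a starting point rather than the whole defense.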
2. Consider the "spider web"
Your suppliers have suppliers … and those suppliers have suppliers. And what happens when your business acquires another business? Suddenly, your organization is connected to, or at least associated with, a whole other group of vendors, suppliers, and other relationships you may not have had before.
A security expert on our panel referred to this reality as a "giant spider web" that is always moving and needs to be monitored constantly. So, be sure that your catalog of vendors is as detailed as necessary, and get visibility into supplier risk: find out which suppliers are posing risk to your organization.
3. Create more vendor accountability
A vendor risk management program can go a long way toward identifying risk areas and setting a foundation for vendors to be active partners in mitigating BEC and EAC threats. Setting expectations through formal onboarding and adding specific, legal-approved language in contracts about breach notifications can also help to prompt better practices and communication.
"If we all work together to harden the environment, everyone benefits," said one security expert in our recent webinar.
4. Be responsive to security-conscious users
End users need to be an active part of the line of defense against BEC and EAC attacks and should be trained appropriately. But if they're reporting suspicious emails and not getting prompt or clear feedback about whether those emails are indeed threats, they'll be less inclined to keep helping. Worse, they may start to become careless when opening or replying to email messages.
The security team should strive to create a healthy feedback loop. Help users understand how small actions, like flagging a suspicious email, can have a significant, positive impact on the whole organization. And be prompt in delivering a verdict on whether a suspicious email is, in fact, a threat. Also, let users know the security team can help them access information in an email marked as suspicious, if needed, while the message is being analyzed.
5. Rely more on automation
Most security teams are pressed for time and dealing with a lack of resources. They need to focus their attention on the most significant threats to the organization and take appropriate time for analysis when needed. By automating email analysis and response, security teams can prioritize their work while also making it easy for users to report and get notified when there's a threat.
6. Implement DMARC at your gateway
In addition to using web proxy and web filtering tools, organizations should implement Domain-based Message Authentication, Reporting, and Conformance (DMARC). DMARC builds on SPF and DKIM: the domain owner publishes a DNS policy telling receivers what to do with mail that claims to come from that domain but fails authentication. Industry analysts such as Gartner and Forrester recognize it as an effective way to protect against domain spoofing and prevent fraudulent use of your trusted domain. DMARC's aggregate reports also give you visibility into who is sending mail as your domain, which is how you find legitimate senders that still need to be authorized before you move to an enforcing policy. Be clear about its limits, though: DMARC protects only against exact spoofing of the domains you own. A lookalike domain, or mail sent from a genuinely compromised supplier account (the EAC case), passes DMARC, which is why the supplier inventory and user reporting described above remain necessary.
So, don't hesitate to implement DMARC and enforce it. That means two things: publish an enforcing policy (p=quarantine or, better, p=reject) for the domains you own, and configure your gateway to honor the DMARC policies published by the domains that send to you, including your suppliers. One of the security experts on our panel explained that while the process can be difficult at first, and it requires stakeholder buy-in to be successful, "the end state will be really good for brand protection and more."
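As an added example of what "enforcing" means in practice (this is illustrative code, not from the post or any Proofpoint product), the script below parses a DMARC record, lists the weaknesses of a monitor-only record next to an enforced one, and evaluates a message's disposition the way a receiving gateway does under RFC 7489 alignment rules. Everything is constructed inline: no DNS is queried, the records and authentication results are made up for the example, and the organizational-domain derivation is a simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Parse DMARC records and evaluate a message against one (RFC 7489 rules).

Constructed example: no DNS is queried; the records and authentication
results are embedded inline. Organizational-domain derivation is simplified
to the last two labels; a production evaluator uses the Public Suffix List.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed records for the same domain: monitor-only versus enforced.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@example.com")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; ...' into a dict, applying RFC 7489 defaults for optional tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment
    tags.setdefault("aspf", "r")      # relaxed SPF alignment
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p
    return tags


def record_findings(tags: Dict[str, str]) -> List[str]:
    """Weaknesses in a published record that leave the domain spoofable or unobserved."""
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: receivers deliver spoofed mail; only reporting is active")
    elif tags["p"] == "quarantine":
        findings.append("p=quarantine: spoofed mail reaches spam folders instead of being rejected")
    if tags["sp"] == "none" and tags["p"] != "none":
        findings.append("sp=none: subdomains stay spoofable although the main domain is enforced")
    if int(tags["pct"]) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so no visibility into who sends as this domain")
    return findings


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); an assumption, not PSL-accurate."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                       # RFC5322.From domain, what the user sees
    spf_pass_domain: Optional[str] = None  # MAIL FROM domain, if SPF passed
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of passing signatures


def dmarc_disposition(record: str, policy_domain: str, results: AuthResults) -> str:
    """Return 'pass', or the disposition ('none', 'quarantine', 'reject') the receiver applies."""
    tags = parse_dmarc(record)
    dkim_ok = any(aligned(d, results.from_domain, tags["adkim"]) for d in results.dkim_pass_domains)
    spf_ok = (results.spf_pass_domain is not None
              and aligned(results.spf_pass_domain, results.from_domain, tags["aspf"]))
    if dkim_ok or spf_ok:
        return "pass"
    # The subdomain policy applies when the From domain is below the domain that published the record.
    is_sub = results.from_domain.lower() != policy_domain.lower()
    return tags["sp"] if is_sub else tags["p"]


if __name__ == "__main__":
    # Constructed messages: an invoice spoofed via a bulk sender that passes SPF for
    # its own domain, and genuine mail carrying an aligned DKIM signature.
    spoofed = AuthResults("example.com", spf_pass_domain="bulk.attacker.example")
    genuine = AuthResults("example.com", dkim_pass_domains=["example.com"])
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, "findings:", record_findings(parse_dmarc(rec)) or "none")
        print(label, "spoofed ->", dmarc_disposition(rec, "example.com", spoofed))
        print(label, "genuine ->", dmarc_disposition(rec, "example.com", genuine))
```

The spoofed message passes SPF for the attacker's own bulk-sending domain, which is exactly the case DMARC exists for: authentication succeeded, but not for the domain the user sees, so alignment fails and only the enforcing record causes a rejection. The strict-alignment tags in the strong record are the stakeholder-buy-in part of the rollout: a signature from mail.example.com is aligned under the default relaxed mode but not under adkim=s, so third-party senders and internal relays have to be inventoried from the aggregate reports before you tighten them.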
Take a layered approach to defending against BEC and EAC
Proofpoint has an end-to-end solution that can help your business address both BEC and EAC more effectively. Attackers who develop these sophisticated campaigns use multiple tactics and channels, and you need a comprehensive solution that can address all of them. Visit our BEC and EAC Fraud Defense page to learn more.
To get more recommendations for defending against BEC and EAC campaigns targeting the supply chain and gain more insight into attack trends, attend our on-demand webinar.