FBI Alerts to Rise in BEC Cyberattacks on US Orgs, Impacting Resources
A recent private sector alert from the FBI warns that hackers have been increasingly using business email compromise (BEC) attacks that can hinder operations and strain resources.
Date:March 22, 2021
The FBI recently warned private sector entities that cybercriminals are increasingly leveraging business email compromise attacks against federal government agencies, which has hindered operational capabilities and further strained resources.
The alert was coordinated with the Department of Homeland Security Cybersecurity and Infrastructure Security Agency. Private sector entities have been encouraged to review BEC insights to bolster privacy and security mechanisms to avoid falling victim to these evasive tactics.
BEC is a constantly evolving and increasingly troublesome threat, as hackers become more sophisticated and adapt to current events.
- FBI: $4.2B Lost to Cybercrime in 2020, Led By Phishing, BEC, Extortion
- Report: Rise in COVID-19 Vaccine Social Engineering, BEC, Phishing
- FBI: Business Email Compromise Attacks Abuse Email Auto-Forwarding
The attacks typically target entities using spoofed emails, phishing attacks, compromised vendor accounts, and credential harvesting in an effort to alter payment instructions for services rendered by vendors or to hijack payroll direct deposit information.
Successful exploits not only lead to lost funds, it can also impact operational capabilities, damage business reputations, and lead to the loss of sensitive information, like employment data, banking details, and personally identifiable information.
The latest FBI IC3 Internet Crime Report showed BEC attacks are the costliest cybercrime under the current threat landscape. In 2020 alone, 19,369 BEC complaints were received by the FBI and led to about $1.8 billion in damages.
The FBI has observed these attackers leveraging open source information on victims, then pairing the gathered insights with malicious tools to masquerade as trusted partners and vendors to further the impact.
Hackers have also targeted government agencies that operate with assumed inadequate cybersecurity protocols, including a lack of personnel training. The aim is to compromise victim entities with minimal effort.
For example, threat actors often utilize phishing kits that bundle tools and resources within a user-friendly software, which are increasingly available for sale on the dark web and empower “even inexperienced cybercriminals with minimal technical skills to conduct more sophisticated attacks.”
“Rapid adoption of ad-hoc teleworking environments driven by the COVID-19 pandemic coupled with the ease of BEC operability against… government entities and vendors have exacerbated cybersecurity challenges,” according to the alert. “This surge in teleworking has increased the use of potentially vulnerable services, such as Virtual Private Networks and other remote support tools.
Notably, DHS CISA conducted 25 phishing campaign assessments in 2020 against government entities and found that of the more than 40,000 test emails sent during the assessment period—users made roughly 5,000 unique clicks of malicious links, or a 13.6 percent click rate.
The data reflects the need for entities to employ improved defense in depth migitations, coupled with enhanced phishing awareness training and email security efforts.
The FBI provided a list of mitigation measures for all sectors to employ, centered around bolstering employee education, conducting internal phishing campaigns to raise awareness, and encouraging a “skeptical cyber posture” within the workforce.
IT administrators were also urged to prohibit the automatic forwarding of email to external addresses and to frequently monitor the enterprise email Exchange server for configuration or custom rule modifications.
Further, the FBI recommended the use of an email banner for messages that come from outside the organizations and to enable alerts for any suspicious activity. Email filtering services should be employed or enabled, while administrators must disable hyperlinks in received emails and legacy account authentication.
“Consider if legacy email protocols, such as POP, IMAP, and SMTP1, that can be used to circumvent multi-factor authentication, are required,” according to the alert. “Ensure changes to mailbox login settings are logged and retained for at least 90 days.”
“Configure Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting and Conformance to prevent spoofing and validate email,” it added. “Stay current on available patches for remote access features as well as VPN hardware and software.”
In healthcare, email phishing is now the prime entry point for ransomware attacks, which futher highlights the potential impact of the increased number of BEC attacks. Europol previously provided in-depth guidance on the best ways to defend against highly tailored spear-phishing attacks.
Earlier reports also support that employee security training and education against this critical threat can drastically reduce the risk to the healthcare enterprise.