The Threat of Email Compromise

While ransomware attacks grab most of the headlines – for instance, the Colonial Pipeline in Spring 2021 – business email compromise/email account compromise (BEC/EAC) was the top crime in terms of direct loss reported to the FBI.

Business email compromise attacks have evolved over the decade, and are now also referred to as email account compromise, acknowledging that personal email accounts are also targets. According to the FBI’s Internet Crime Complaint Center’s Internet Crime Report for 2020, more than $1.8 billion was lost in 2020 to BEC/EAC attacks. That is more than 50 times the money lost in direct payments to ransomware attacks. BEC/EAC attacks are also much more common, with nearly eight times as many complaints to the FBI compared to ransomware: 19,369 email complaints, compared to 2,474 ransomware complaints in 2020.

Ransomware is still a serious threat, including the threat of business interruption, but you are more likely to be targeted in a BEC/EAC attack than a ransomware attack. A BEC/EAC attack in 2021 usually starts with one of the following:

• A successful phishing attack against an individual. A fraudulent email is sent to an individual, usually as a part of a large campaign, and that email tricks the user into entering their credentials into a fake login form, which then passes those credentials to the attacker.
• A successful social engineering attack. Social engineering attacks are most often carried out over the phone, but can also be accomplished via email or instant messaging, or even in person. The attacker will contact the victim and convince them to provide information or inappropriate access to the attacker. In a BEC/EAC attack, the victim’s email login credentials are most valuable.
• A successful computer intrusion. Computer intrusion in this context is a catch-all for malware and active intrusion of computer systems, resulting in credential compromise.

After gaining access to the victim’s email account, the attacker may lie in wait until a valuable transaction is sent over email. If the account compromised isn’t a valuable enough target, the attacker may use the victim’s account to launch more attacks against the victim’s contacts.

BEC/EAC losses impact organizations in all industries; the common thread through business conducted via wire transfer. The attacker waits until an email with wire instructions is received or is expected, and replaces legitimate instructions with fraudulent ones. Once the wire is sent to the wrong bank, the funds are transferred quickly to other banks, often overseas. In many of these cases, the victim did not recognize the wire was missing for a month or longer – well past the window to recover those funds.

Protecting Yourself and Your Bank

The good news is that you can protect yourself and your organization from these attacks, but it requires vigilance and some inconvenience. Below is a summary of steps to protect personal and company email accounts:

• Train employees to recognize phishing emails. Common themes in phishing emails are poor grammar and spelling, a sense of urgency, or a link to log in and fix a problem or verify information.
• Do not click links in emails, instant messages or text messages.
• Enable multi-factor authentication on all accounts that support it. Enabling multi-factor authentication means that even if your credentials are compromised, an attacker will not be able to access your account.
• Insist that payments be sent by physical check, not a wire transfer, whenever possible.
• If a wire must be sent, call a known number on file to verify the wiring instructions when sending a wire to a company for the first time and any time the wire instructions change. If you don’t know the sender’s phone number, call the company’s main number. Do not rely on information in the email, including the phone number. If you do call that number, you may be calling the attacker.
• Regularly update your computer, cell phone and any other device you use to access email with all security patches.