CFO Phishing / Fraud Attacks – BEC (Business Email Compromise)


Post on 14-Jul-2020



Page 1: CFO Phishing / Fraud Attacks – BEC (Business Email Compromise)

Multi Award Winning

BEC (Business Email Compromise) incidents are on the rise, costing companies more than £9.5 billion over the last 5 years.

BEC attacks involve the use of multiple disciplines to be effective. The BEC campaigns are usually multi-staged, as a degree of familiarity with the company's policies and staff is required for the attack to be carried out successfully.

While domains that are virtually indistinguishable from the original are used in the initial phishing stage of the attack, the actual attacks are carried out using internal mail accounts that have been compromised, making detection of fraudulent mails that much harder. Some of the tactics used include sending mails from high-level staff accounts, the attackers inserting themselves into a legitimate mail exchange, and the manipulation of mail filtering and rules to ensure the mail users are only communicating with them.
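The manipulation of mail filtering and rules described above leaves a trace that mail administrators can audit: user-created inbox rules that forward mail to external addresses, delete finance-related messages, or divert them into folders nobody reads. The script below is an added example, not part of the Brookcourt brochure, and the rule records it inspects are constructed to resemble a simplified export of inbox rules; the field names (`conditions`, `actions`, `forward_to`, `move_to`, `delete`) are an assumption for this example, not any mail vendor's real schema.

```python
"""Audit exported inbox rules for the forwarding and hiding tricks BEC actors rely on."""

# Constructed sample: each dict stands in for one user-created inbox rule as a mail
# administrator might export it. The field names are an assumption for this example,
# not any vendor's real schema.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Invoices",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"move_to": "RSS Feeds"}},
    {"mailbox": "cfo@example.com", "name": "Backup",
     "conditions": {"from_contains": ["bank"]},
     "actions": {"forward_to": ["archive.mailbox@external-example.net"]}},
    {"mailbox": "ap-clerk@example.com", "name": "Newsletters",
     "conditions": {"from_contains": ["newsletter"]},
     "actions": {"move_to": "Newsletters"}},
    {"mailbox": "ap-clerk@example.com", "name": ".",
     "conditions": {"subject_contains": ["wire", "transfer"]},
     "actions": {"delete": True}},
]

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "transfer", "bank", "remittance", "iban"}
# Folders a user rarely opens; rules that divert mail there keep the victim from
# seeing the genuine side of a hijacked conversation.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}


def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons one rule looks like tampering; an empty list means it passed."""
    reasons = []
    cond = rule.get("conditions", {})
    act = rule.get("actions", {})
    keywords = set()
    for field in ("subject_contains", "from_contains", "body_contains"):
        keywords.update(k.lower() for k in cond.get(field, []))
    finance_hit = bool(keywords & FINANCE_KEYWORDS)

    # Any forward/redirect to a domain that is not ours is worth a ticket on its own.
    for addr in act.get("forward_to", []) + act.get("redirect_to", []):
        if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
            reasons.append(f"forwards mail outside the organisation to {addr}")
    if finance_hit and act.get("delete"):
        reasons.append("deletes messages matching finance keywords")
    if finance_hit and act.get("move_to", "").lower() in HIDING_FOLDERS:
        reasons.append(f"diverts finance-related mail to a rarely-read folder ({act['move_to']})")
    # Attackers tend to give rules empty or single-character names so they are overlooked.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def audit_rules(rules):
    """Map (mailbox, rule name) to reasons for every rule that trips at least one check."""
    flagged = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            flagged[(rule["mailbox"], rule["name"])] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in audit_rules(SAMPLE_RULES).items():
        print(key, "->", "; ".join(reasons))
```

Running it over the constructed sample flags three of the four rules; the harmless "Newsletters" rule passes. In practice the export would come from the mail platform's rule listing, and the keyword and folder lists should be tuned to the organisation's own finance vocabulary and mailbox layout.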

ISO 9001 • ISO 14001 • ISO 22301 • ISO 27001 • OHSAS 18001

Trusted Partner of the Cyber Defence Alliance (CDA). Working collaboratively

to fight cyber threats and crime

For more information contact Brookcourt Solutions t: +44 (0) 1737 886 111 www.brookcourtsolutions.com

CFO Phishing / Fraud Attacks – BEC (Business Email Compromise)

In companies with additional steps in place for payments (documentation or approval), the attackers found the relevant paperwork on the company network and filled it out after researching previous use of that paperwork to ensure there were no suspect mistakes.

BEC (Business Email Compromise) campaigns involve the following stages:

Stage 1
• Credential harvesting – typically found in large data dumps available online
• Social engineering
• Phishing / targeted phishing

Stage 2
• Endpoint / user reconnaissance – learning about the language, templates and tone of messages on the network
• Learning about how the targeted users interact

Stage 3
• Manipulation of emails / the email system to send mail that appears to be from the relevant user, in the correct format
• Registering a domain / domains that are similar to the company domain

Page 2: CFO Phishing / Fraud Attacks – BEC (Business Email Compromise)

Multi Award Winning

How can Brookcourt’s Cyber Surveillance Team help?

• Monitor for mentions of the company across criminal forums and the dark web
• Monitor for mentions of key staff members online, including criminal forums and the dark web
• Monitor domain registrations related to the company directly, or to partners, third parties and suppliers as well
• Provide additional information on any suspect indicators of compromise through our Request for Intelligence service
• Provide security awareness videos to educate staff on the dangers of, and indicators used in, campaigns of this nature
• Provide machine-readable intelligence to enrich SIEMs and firewalls with potentially malicious IP addresses logged on the network
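Stage 3 of the campaign (registering domains similar to the company domain) and the domain-registration monitoring bullet above both come down to the same check: does a sender's domain, once digit-for-letter and rn/m substitutions are folded away, sit within a character or two of the real one, or wrap the company name inside an unrelated registration? The script below is an added example rather than anything from the brochure or Brookcourt's service. The company domain `brookcourt-example.com`, the executive directory and every sender address are constructed placeholders, and the confusable table is a deliberately small one for illustration.

```python
"""Lookalike-domain and display-name checks for inbound mail senders."""
import unicodedata

COMPANY_DOMAIN = "brookcourt-example.com"   # assumption: placeholder, not the firm's real domain
# Constructed executive directory: display name -> genuine address.
EXECUTIVES = {"jane doe": "jane.doe@brookcourt-example.com"}
# Character swaps lookalike registrations commonly rely on; folding them first lets a
# plain edit-distance comparison catch digit-for-letter and rn/m tricks.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]
MAX_DISTANCE = 2


def fold(domain):
    """Lowercase, strip accents and non-ASCII, then apply the confusable table."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance, keeping one row of the table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Keep the last two labels so 'mail.example.com' compares as 'example.com'.
    Simplification: multi-label public suffixes such as '.co.uk' are not handled."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_sender(display_name, address, company_domain=COMPANY_DOMAIN, executives=EXECUTIVES):
    """Return reasons the sender looks like a BEC impersonation; empty means no match."""
    reasons = []
    domain = address.lower().rpartition("@")[2]
    if domain != company_domain:
        folded, target = fold(registrable(domain)), fold(company_domain)
        distance = edit_distance(folded, target)
        if folded == target:
            reasons.append(f"{domain} is a confusable of {company_domain}")
        elif distance <= MAX_DISTANCE:
            reasons.append(f"{domain} is within edit distance {distance} of {company_domain}")
        elif company_domain.split(".")[0] in domain:
            reasons.append(f"{domain} embeds the company name in an unrelated domain")
    # Executive display name on an address that is not the executive's own.
    genuine = executives.get(display_name.strip().lower())
    if genuine and address.lower() != genuine:
        reasons.append(f"display name '{display_name}' matches an executive but the address is {address}")
    return reasons


if __name__ == "__main__":
    for name, addr in [("Jane Doe", "jane.doe@br00kcourt-example.com"),
                       ("Accounts", "ap@brookcourt-exmaple.com"),
                       ("Supplier", "billing@acme-supplier-example.com")]:
        print(addr, "->", classify_sender(name, addr) or "ok")
```

The same `fold` and `edit_distance` pair can be run over a daily feed of newly registered domains instead of sender addresses, which is the monitoring use the bullet above describes. Note the deliberate gap: a genuinely compromised internal account passes every check here, which is why the brochure's advice to verify payment changes by phone still applies.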


What to watch for: C-Level and Finance Staff

• Suspicious or unexpected requests (over email or phone) from third parties or internal staff involving payments – if in doubt, be sure to use a number on file to contact the person in question to verify the payment request. Never use the number provided within the mail, as this can easily be directed to the attacker.
• Do not enable macros on mail attachments; this is an age-old and common form of infecting an endpoint with malware.

What to watch for: Cyber Security and IT staff

• Alerts on the network involving Trojan software
• Suspicious staff logins, typically out of hours, or from a suspect location
• Phishing mails targeting C-level staff, staff involved in the approval of, or payment of, wire transfers or invoices, either internally or for external parties
• Suspicious IP addresses showing up in monitoring software
• Suspicious connections coming from unexpected countries or regions
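Two of the indicators in the list above (out-of-hours logins and connections from unexpected countries) are simple enough to turn into detection logic over authentication logs. The script below is an added example, not part of the brochure: it parses a handful of constructed log lines in a made-up `key=value` format, flags logins outside a working-hours window, logins from a country not on the expected list, and, going one step beyond the list, successful logins for the same user from two countries within an hour. The hours window, the expected-country set and the log format are all assumptions for this example.

```python
"""Flag out-of-hours, unexpected-country and rapid multi-country logins."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); the format is an assumption.
SAMPLE_LOG = """\
2020-07-10T09:12:40Z user=cfo@example.com src=198.51.100.7 country=GB result=success
2020-07-10T09:40:02Z user=ap-clerk@example.com src=198.51.100.9 country=GB result=success
2020-07-10T10:05:11Z user=cfo@example.com src=203.0.113.5 country=NG result=success
2020-07-10T23:48:37Z user=ap-clerk@example.com src=192.0.2.44 country=GB result=success
2020-07-11T03:02:19Z user=cfo@example.com src=203.0.113.88 country=US result=failure
2020-07-11T08:30:00Z user=ap-clerk@example.com src=198.51.100.9 country=GB result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<cc>\S+) result=(?P<result>\S+)$"
)
EXPECTED_COUNTRIES = {"GB"}     # assumption: staff normally log in from the UK
WORK_HOURS = (7, 20)            # assumption: 07:00-20:00 UTC counts as in-hours
TRAVEL_WINDOW = timedelta(hours=1)


def parse(log_text):
    """Turn log lines into dicts with a real datetime; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events):
    """Return (timestamp, user, reason) findings in chronological order."""
    findings = []
    last_success = {}   # user -> (timestamp, country) of the most recent successful login
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not (WORK_HOURS[0] <= e["ts"].hour < WORK_HOURS[1]):
            findings.append((e["ts"], e["user"], "out-of-hours login attempt"))
        if e["cc"] not in EXPECTED_COUNTRIES:
            findings.append((e["ts"], e["user"], f"login attempt from unexpected country {e['cc']}"))
        if e["result"] == "success":
            prev = last_success.get(e["user"])
            if prev and prev[1] != e["cc"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
                findings.append((e["ts"], e["user"],
                                 f"successful logins from {prev[1]} and {e['cc']} within {TRAVEL_WINDOW}"))
            last_success[e["user"]] = (e["ts"], e["cc"])
    return findings


if __name__ == "__main__":
    for ts, user, reason in detect(parse(SAMPLE_LOG)):
        print(ts.isoformat(), user, reason)
```

On the constructed sample this yields five findings: the CFO's Nigerian login is both an unexpected country and a second country within an hour of a UK login, the clerk's 23:48 login is out of hours, and the failed 03:02 US attempt trips both the hours and country checks. A real deployment would feed the same logic from the identity provider's sign-in logs and tune the country list per user or office rather than globally.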

Due to the nature of these threats and the sophistication of the attack, the main defence is vigilance. The threats come from known users, looking perfectly normal and adhering to the company's standard format and requirements.

Often the only change in the mail is the account details and numbers. Double-check these against details on record to ensure they are correct. A small amount of time checking could save thousands.

Resources

https://www.scmagazineuk.com/new-email-scam-targeting-accounts-personnel-fortune-500-companies/article/1473214
https://www.telegraph.co.uk/finance/personalfinance/bank-accounts/11528119/Beware-invoice-email-scam-to-steal-bank-details.html
https://teiss.co.uk/threats/bec-attacks-business-cost/
https://krebsonsecurity.com/tag/bec/

brookcourt – Collaborative Solutions
