COVID-19 has turbocharged the transition to remote work and digitized business processes like no other time in history. Unfortunately, the rush to adapt to new realities of social distancing in the workplace has led to rushed changes. Companies have adopted policies and procedures that don’t necessarily have security as a big priority.
We’ve even seen the federal government suspend HIPAA violations in an attempt to ease communication between patients and doctors. Usage of Zoom for meetings has exploded, without businesses fully understanding the security implications. Zoom calls all over the world are being ‘crashed’ by people who obtain or guess the meeting id. While mostly an annoyance, it can be very damaging if sensitive information or patient health information is being discussed.
Maybe the most dangerous emerging threat is from a technology we’ve ALL been using for decades….email. In the wake of shelter-in-place orders and non-essential offices closed, email is now taking on new roles. Forms we used to walk over to HR or CFOs for approval are now being sent via email from the employees couch. Receive an email from your supervisor or the CEO that has a ‘phishy’ smell? Instead of being able to confirm in person, you may just let it by since you don’t want to bother with a phone call or text.
These types of attacks where fraudulent emails persuade employees to release funds or change wire/bank instructions are known as Business Email Compromise (BEC). Over the past years we’ve seen a massive increase in the frequency and sophistication of BEC attacks. An AFP report has found that even with the increased training to detect BEC, 75% of companies have still reported experiencing a BEC attack.
3 Reasons emails are more vulnerable now than ever to Business Email Compromise (BEC):
- We’re now leveraging email to take the place for many things done face-to-face: Previous processes like loan funding, signing off on purchase orders, vendor payments, etc. are being done 100% electronically. The traditional safeguards of face-to-face verification has been supplanted by email threads and scanned forms. If an organization doesn’t have the proper protections in place to combat spoofing, phishing, and BEC, attackers may be able to easily forge an email conversation leading to fraudulent payment.
- COVID-19 has changed business processes and modes of communication: Everyone has been thrown off balance by the pandemic. Regular payment methods may have changed to try and limit physical contact. Attackers are now using this as an excuse. They are posing as a legitimate vendor of a business, stating that they need to update their payment method from paper check to wire transfer. Businesses may be employing signing services like DocuSign or Adobe Sign for the first time. A growing threat is attackers sending emails appearing to be generated from a signing service. The email might have a fillable PDF form requesting certain personal or financial information from the target. This type of attack is especially difficult for individuals to detect; the pandemic presents a believable reason that their contacts may now suddenly be using e-signing.
- Many small businesses are dealing with funding/loans for the first time: The US government has quickly implemented many new programs such as the Paycheck Protection Program (PPP) and Economic Injury Disaster Loan (EIDL), and personal ‘stimulus’ checks. The processes involved to apply for and receive assistance from these programs are new to everyone. Even the SBA and the myriad banks and credit unions providing these new loans don’t have all the answers. Attackers are seeing the confusion and mis-information a as a prime opportunity for phishing and BEC attacks. Many small business owners have little information on how these programs are administered, who should be sending information regarding the programs, etc. For example, an phishing email requesting that the business confirm their bank information for loan funding may easily pass muster. They may not be aware of the dangers of sending bank account information via email.
So what can businesses do to protect against BEC?
Defending against traditional phishing, virus, or ransomware attacks revolves around defensive tactics: spam/virus filters and properly educating your employees. However, protecting your businesses from BEC requires a different, but complementary set of proactive tools.
- SPF and DKIM: These two tools should both be used on all outbound email to help receiving email servers trash attempts at phishing or message modifications. An SPF record indicates what servers/IP addresses are allowed to send emails for your domain. Make sure to use a “-all” at the end of your SPF record to instruct email gateways to trash/reject any emails coming from non-listed sources. All your outgoing emails should also be DKIM signed. A DKIM signature will protect the contents of the message header and body from any modification, but also serve as an authentication check. A valid DKIM signature guarantees the email was generated/signed from a server under your control. Making sure your emails pass SPF and/or have a DKIM signature will give mail receivers confidence that the email is legitimate. This will also ensure your emails don’t go to the spam/junk folder, even if the content seems like spam.
- DMARC: If you are sending ANY type of financial data (invoices, purchase orders, etc.), this is an absolute must. A DMARC policy allows you to instruct receiving email servers how to treat incoming emails from your domain depending on SPF/DKIM validation results. With this tool, you can specify a policy of ‘reject’ if any email fails SPF or DKIM validation. This gives you (the sender) control over how receiving servers accept/reject email from your domain.
- ‘Look-alike’ domain awareness: With SPF, DKIM, and DMARC, you can stop attackers from sending spoofed emails from your domain dead in its tracks. However, an increasingly common tactic for sophisticated attackers is to register and use similar looking domains to spoof a legitimate business. This could be as easy as using ‘companyA.us’ instead of ‘companyA.com’. Or, it could be using subtle character changes like ‘c0mpanyA.com’ (using a zero instead of an ‘o’). Businesses must be vigilant in protecting their namespace and brand by keeping a lookout for these types of domains. They can either proactively register them, or monitor them through various services like KnowBe4. Certain legal actions can be taken if found, especially if the company brand is a registered trademark.
- S/MIME Digital Signatures: DMARC can go a long way to protect the reputation of your domain and prevent spoofed email from making it to your recipients. However, it can’t do anything to fight against emails sent from look-alike domains. These sophisticated attacks often have proper SPF and DKIM records set up, and the email content may look surprisingly convincing. However, digitally signing your outbound emails with an S/MIME certificate issued by a trusted CA is a bullet-proof way of showing the email is authentic. It also proves the integrity of the email content (both the body and the attachments). However, you must still educate your contacts to actively look for the digital signature marking, and to verify the signature is from a certificate issued to your organization. This is identical to what everyone should do when logging in to online banking: (1) check that the domain looks correct, (2) looks for the ‘padlock’ icon to show it’s secured, and (3) check to make sure the certificate is trusted and issued to the proper organization.
As we detailed in our previous blog post, scammers are coming out of the wood-works to take advantage of this pandemic. But the threat posed by BEC is especially damaging both to a businesses reputation and their bottom line. Fortunately there are many tools that can be used to stop the majority of these attacks before they ever make it to your contacts inboxes. Setting up SPF, DKIM and corresponding DMARC records for all your domains is free and once set up, pretty easy to maintain. This is your first and best line of defense against BEC. But if your organization has higher exposure to BEC and often deals in high-value money transfers, attackers can find ways around these tools. By sending emails from look-alike domains, they can launch complex, targeted impersonation attacks. In a time where almost everyone is working remotely, these attacks are even more likely to succeed.
Using S/MIME digital signatures on your organization’s outbound mail is the next step to preserve the reputation of your organization. Large organizations in financial, legal, and supply-chain/logistics are increasing adopting digital signatures, sometimes as a precondition to doing business with a partner. Using a secure email gateway like GlobalCerts’ SMG to manage certificates and automatically apply digital signatures is an increasingly popular strategy.
Digital signatures give your recipients ultimate confidence in the integrity of the content you’re sending. They leave no doubt of the origin or authenticity of the email. Once properly instructed to look for a valid digital signature on your emails, business partners and end customers can be assured they are not falling for the latest in a long line of BEC attacks during the corona virus pandemic.
Sources and More Information