
Business email cyber threat

Published: Sunday | December 6, 2020 | 12:13 AM
Neville Graham - Business Reporter

Jamaican businesses, large and small, need to get familiar with the acronym BEC.

Business email compromise is a growing cyber menace, with attacks growing 200 per cent up to two years ago and 2020 levels set to surpass that, according to Citi cybercrime experts Juan Carlos Molina and Anthony Midthune.

“BEC often targets businesses sending electronic payments or unsuspecting individuals in the midst of a real estate or legal transaction. The scheme is carried out by compromising email accounts, social engineering, domain spoofing, or computer intrusion to conduct unauthorised transfers,” the Citi experts told a Jamaica Bankers Association/Jamaica Institute of Financial Services anti-fraud virtual seminar on Thursday.

BEC attacks, which have grown under the pandemic, normally take three forms: compromised client – where a legitimate client is compromised, then monitored to identify their payment methods, and, at an opportune time, a payment request is issued from the compromised client email or domain; third-party compromise – where a vendor of the client is compromised and a false invoice is submitted to the client, commonly using edited PDF files; and spoofed client – where the client is NOT compromised, but rather, the domain is spoofed to look like the client’s and payment instructions are sent through spoofed email.

“Europol received more than 350,000 BEC complaints in 2018, with losses exceeding US$2.7 billion,” said Molina, who is the director of the Security & Investigative Services Unit for the Citi Latam Region. He notes that the same international police agency indicates that a common infection vector is Windows Office365.

The men also cited FBI data showing that BEC accounted for nearly half of the cybercrime losses in 2019 and that the average amount per case is nearly US$75,000.

While the full scope of cybercrime is unknown in Jamaica, in terms of its dollar value and frequency, central bank data published last year indicated that cyberattacks were on the rise and that the country’s banks were losing an average of J$4 million monthly to hackers.

Midthune, Citi’s senior vice-president for global intelligence and analysis, cited the industry-standard Baker Fraud Report in saying that advancements in attack vectors are driven mostly by phishing, where genuine-looking business emails are sent to unsuspecting persons.

And the attacks are said to be growing more sophisticated as new actors, such as Russian cybercrime operators, enter the picture.

“The growing sophistication is also reflected in the criminal infrastructure that is leveraged to conduct this type of crime, that is, the technical set-ups and money laundering networks which are being used,” Midthune told bankers on Thursday.

Jamaica has had its share of BEC losses, according to local experts tTech Limited, whose CEO, Chris Reckord, says the attacks are mostly ‘hush-hush’ as victimised companies do not want to talk, fearing reputational damage or embarrassment.

“Most cases follow the same path. A hacker or scammer will create an account that looks legitimate, such as your manager, the CFO or the CEO, or a business partner, and then sends it to a party to fool them into revealing confidential information on their business or on a transaction,” said Reckord.

“The hacker/scammer then sends email interception with an ‘updated account number’, which will cause diversion of funds into the scammer’s account,” he added.

Andrew Nooks, director of efficiency and growth at local information technology firm Symptai, says that the scams are so sophisticated now that they fool even the most discerning users. Symptai is a supplier of services to several government agencies and financial institutions in Jamaica and the Caribbean.

“The ‘compromise’ can be as a result of several factors such as email relay, which is being able to use the company’s email domain to send email without prior authentication,” said Nooks.

“We have also seen where computers and other devices have been infected with sophisticated keylogging and screen-grabbing malware and from fake email addresses that are designed to look like the real email, for example, ‘company.co’ or ‘conpamy.com’ as opposed to ‘company.com’,” he said.
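Lookalike addresses of the kind quoted above can be flagged mechanically before a payment request is acted on. The following is an added example, not part of the original article: it marks a sender domain as suspicious when it reuses a trusted domain's name under another TLD or sits within two character edits of it. The trusted list, the threshold and the sample addresses are assumptions made for illustration.

```python
# Added example: flag sender domains that imitate a trusted domain.
# TRUSTED and the sample addresses below are constructed for illustration.
TRUSTED = {"company.com"}
MAX_EDITS = 2  # assumed threshold; tune against your own mail flow


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased, stray brackets/dots removed."""
    return address.rsplit("@", 1)[-1].strip(" <>.").lower()


def classify(address: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        # Same name under another TLD, e.g. company.co vs company.com
        if domain.split(".")[0] == good.split(".")[0]:
            return f"lookalike:{good}"
        # Near-miss spelling, e.g. conpamy.com vs company.com
        if edit_distance(domain, good) <= MAX_EDITS:
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    for addr in ("ap@company.com", "ap@company.co",
                 "ap@conpamy.com", "news@example.org"):
        print(f"{addr:20} {classify(addr)}")
```

A "lookalike" result is a prompt to verify the request by phone using a number obtained independently, not proof of fraud; the check does not cover compromised genuine accounts or look-alike Unicode characters.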

Reckord says tTech is generally called in by companies after the damage is already done.

“Sadly, for the most, my cybersecurity response team gets called in after the crime has been committed. We have seen evidence of losses of anywhere between US$10,000 and US$150,000 per BEC,” he said.

In Jamaica, the BEC attacks mostly target real estate transactions and local vendor-foreign supplier transactions, he added.

While all the experts spoke to the need for robust digital defences, such as two-factor authentication, tTech and Symptai went further to place a big premium on human intervention and awareness.

“There is a tendency to focus on technical controls and this is only one layer of defence,” said Nooks. “In this online era, you may never know who is behind the screen. Trust but verify.”

He recommends additional layers such as administrative controls, under which companies set communication and verification workflow protocols with their teams and business partners; and training of staff to identify flaws in email communication while providing a structure for them to report suspicious communication.

Reckord adds that training should be done regularly with the entire team and include instruction in spotting phishing schemes and examining email addresses, URLs, and spellings for tell-tale signs.

“If you are suspicious, simply pick up the phone and call to verify an account-information change in person. Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own – don’t use the one a potential scammer is providing – and call the company to ask if the request is legitimate,” Reckord advised.

Last year, under a security initiative called Operation Rewired, 281 suspects were arrested globally in September 2019, according to the Citi cybersecurity experts. They were said to be responsible for at least 250,000 stolen identities and US$100 million in fraud.

Some of the recent BEC-related arrests and disruptions included Ramon ‘Hushpuppi’ Olorunwa Abbas in July and Olalekan Jacob ‘Mr Woodbery’ Ponle in June.

neville.graham@gleanerjm.com