Business email compromise (BEC) is a concept that first appeared around 2013, when the US Federal Government’s Internet Crime Complaint Center (IC3) started tracking it. Since then, the losses reported from BEC scams have increased steadily: in 2023, IC3 received 21,489 BEC complaints with adjusted losses of over $2.9 billion.
Introduction
In what follows, we guide you through the steps of keeping email accounts secure and guarding your organisation against phishing scams and similar forms of fraud.
The definition of BEC
Most definitions of BEC suggest that it is a scam related to compromised business email accounts. In this scenario, a compromised account is being used to send seemingly legitimate emails to colleagues, business partners, or customers, typically with a request for a financial transaction. This might be a money transfer, payment of an invoice, purchase of gift cards or simply enticing the recipient into downloading malware to further an attack.
Because the email originates from a valid account, it is almost impossible for traditional email security to detect it as a threat, and the defence relies heavily on the recipient recognising that the request is unusual.
How to prevent business email compromise
The most effective way to prevent BEC is to stop the initial email account compromise, which attackers normally achieve by phishing the intended victim. Below, we describe the state of phishing today, the implications of these attacks, and how you can protect your organisation against them.
The state of phishing today
The Eye Security research team has noticed an increase in both the quantity and complexity of phishing attacks. One particularly insidious form of credential phishing is the Adversary in the Middle attack (AitM)—a topic we discussed in our earlier blog article “How Eye Security Can Defend You Against Evil Proxies”. It goes beyond spoofing a Microsoft sign-in page with an amateurish user interface: the attacker proxies Microsoft’s genuine sign-in page to the victim, relaying their credentials and MFA response, and so bypasses multi-factor authentication (MFA). This man-in-the-middle approach can result in a full-blown takeover of the victim’s account.
This is such a significant threat that we’ve decided to write this blog article and highlight 15 measures that you can take to lower the chances of your company becoming a victim of business email compromise.
1. Adopt a zero-trust model vs. a castle-and-moat model
Organisations must adopt a zero-trust model, which stands in contrast to the old castle-and-moat model.
Image 1. The difference between a zero-trust model and a castle-and-moat model
In the past, the castle-and-moat model was effective. It functioned by fortifying the external perimeters, akin to a castle surrounded by a moat. However, it fell short in terms of internal identification and defence.
Let me explain. Imagine a castle where the gatekeeper verifies your identity at the entrance. Once inside, there are no further checks, and you are free to enter various buildings. This is the essence of the castle-and-moat model.
The zero-trust model, on the other hand, significantly enhances security by perpetually verifying the user—a principle encapsulated in the phrase, “Trust, but verify”. In this model, a user approaches the gate, and the gatekeeper verifies their identity. If the information is correct, the user is allowed entry.
Once inside the secure castle, the user finds themselves facing another guard. This guard, unlike the first one, is not satisfied with just the initial identification. Instead, they demand a “code” from the user. This additional layer of verification is a crucial aspect of the zero-trust model. It aims to enhance security by assuming that no user or device can be fully trusted, even if they’ve already passed some initial checks.
This continuous verification process ensures a robust defence against internal threats. Keeping zero trust in the back of our mind, the same principle can be applied to setting up conditional access policies and monitoring for abnormal events, but also to the processes around a payment. We will discuss these in detail in the sections below.
2. Provide phishing awareness
Periodic phishing awareness campaigns are vital for companies to enhance their employees' ability to identify and mitigate phishing threats. These campaigns aim to educate employees to recognise and report malicious links or suspicious emails to the security team, thereby reducing the risk of successful adversary-in-the-middle attacks.
While it is essential to acknowledge that awareness campaigns may not guarantee a 100% success rate, they still play a crucial role in strengthening a company's frontline defences. Phishing emails can closely mimic legitimate communications, making it challenging for even the most alert of employees to identify them.
However, by instilling a strong culture of cyber-attack awareness and providing comprehensive training, organisations help their employees to be proactive in detecting and responding to potential threats.
It is important to note that employees should not be punished for clicking on a phishing email. After all, their primary role is not to serve as a phishing detector. Instead, reporting should be encouraged. This is a critical aspect that is often overlooked as most clients tend to focus only on who clicked, not on who reported.
In the end, the goal is to foster an environment where employees learn to trust less and verify more, aligning with the principles of the zero-trust model. This approach not only enhances security but also promotes a culture of vigilance and responsibility.
3. Implement multi-factor authentication
Eye Security recommends enforcing the Microsoft Authenticator for multi-factor authentication (MFA) and disabling all other MFA methods so users can only log in through the Microsoft Authenticator app. It allows organisations to enforce specific policies that heighten user awareness.
Image 2. Multi-factor authentication via the Microsoft Authenticator
One such policy is number matching, which requires the user to enter in the app a number displayed on the computer screen, so that the two are checked against each other. This makes users pay closer attention to the page they are signing in to, reduces the likelihood of unauthorised access, and nudges them to think before approving a prompt.
Another beneficial feature is additional context during the sign-in process. With this policy, the authenticator app shows the location from which the sign-in attempt originates, so the user can compare it with where they actually are. This is particularly useful for identifying and preventing potential breaches: if the user is not at that location, they can recognise that the attempt is not theirs and deny it.
4. Enforce a strong password policy
Enforcing a strong password policy helps prevent unauthorised access by raising another barrier against password guessing and brute-forcing. A strong password typically includes at least 12 characters with a mix of upper- and lower-case letters, numbers, and special characters.
It is also important to avoid using easily guessable personal information such as birthdays or common words. Requiring a password change every 90 to 180 days is also advised. Eye Security recommends following Google’s password policy, which can be found in this Google guidebook.
5. Use a password manager
A password manager is a useful tool that can help employees in generating and storing strong passwords for all their online accounts. These tools are particularly beneficial as they make it less of a chore to change passwords every few months and eliminate the need for users to remember passwords, thereby preventing them from writing them down or creating weak ones for ease of recall.
Notably, password managers can help create awareness as they do not automatically fill in passwords on phishing sites, as a web browser might, thereby alerting the user. They can also warn users when a password is being reused, rate the strength of a password, and some even offer dark web lookups to determine whether the user’s credentials have been compromised.
Eye Security recommends reputable third-party password managers that both generate strong passwords and store them securely, and discourages the use of built-in browser password managers. While convenient, browser-based managers may not provide the same level of protection as a dedicated tool, and they are more susceptible to attacks by password stealers that extract the stored credentials.
6. Implement conditional access
To prevent account takeover or phished credentials from becoming a major problem, Eye Security recommends the implementation of Conditional Access Policies. Consider the following to reduce risks:
- Only allow access to company resources with Azure AD registered devices
- Only allow sign-ins from specific IP addresses (such as the office IP address)
- Require MFA for all users
- Block legacy authentication
- Require phishing-resistant MFA for administrators
- Block service accounts from all locations except trusted IP addresses
- Block access from unused platforms, e.g. Linux
With a Microsoft Entra P2 license, it is also possible to block high-risk sign-ins. This will impose another barrier for attackers. It is highly advised to test out conditional access policies in a staging environment before moving them into production.
7. Implement cloud monitoring
Monitoring cloud logs (such as Azure and Entra ID logs) allows suspicious sign-ins and other abnormal events to be detected and neutralised. This requires cybersecurity specialists; if that expertise is not present within the organisation, Eye Security recommends outsourcing it to a specialised cybersecurity provider.
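As a worked illustration of what such monitoring looks like in practice, here is a small detector (an added example, not Eye Security’s tooling) that reads Entra ID sign-in log records and flags three patterns relevant to account takeover: a successful sign-in right after a burst of failed attempts from the same address, a successful sign-in over a legacy protocol that cannot perform MFA, and a successful sign-in from a country the user has not been seen in before. The log records are constructed for the example; the field names follow the Entra sign-in log schema, and the thresholds are assumptions to tune per organisation.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# clientAppUsed values that indicate legacy authentication protocols (cannot do MFA)
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed sample records, not real telemetry. Field names follow the Entra ID
# sign-in log schema (userPrincipalName, createdDateTime, ipAddress, location,
# status.errorCode with 0 = success, clientAppUsed); 50126 is "invalid credentials".
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-03-01T08:00:00Z","ipAddress":"198.51.100.10","location":{"countryOrRegion":"NL"},"status":{"errorCode":0},"clientAppUsed":"Browser"}
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-03-01T08:01:00Z","ipAddress":"198.51.100.10","location":{"countryOrRegion":"NL"},"status":{"errorCode":0},"clientAppUsed":"Browser"}
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-03-01T08:02:00Z","ipAddress":"198.51.100.10","location":{"countryOrRegion":"NL"},"status":{"errorCode":0},"clientAppUsed":"Mobile Apps and Desktop clients"}
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-03-01T08:03:00Z","ipAddress":"198.51.100.10","location":{"countryOrRegion":"NL"},"status":{"errorCode":0},"clientAppUsed":"Browser"}
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-03-01T10:01:00Z","ipAddress":"203.0.113.5","location":{"countryOrRegion":"US"},"status":{"errorCode":50126},"clientAppUsed":"Browser"}
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-03-01T10:02:00Z","ipAddress":"203.0.113.5","location":{"countryOrRegion":"US"},"status":{"errorCode":50126},"clientAppUsed":"Browser"}
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-03-01T10:03:00Z","ipAddress":"203.0.113.5","location":{"countryOrRegion":"US"},"status":{"errorCode":50126},"clientAppUsed":"Browser"}
{"userPrincipalName":"alice@example.com","createdDateTime":"2024-03-01T10:05:00Z","ipAddress":"203.0.113.5","location":{"countryOrRegion":"US"},"status":{"errorCode":0},"clientAppUsed":"Browser"}
{"userPrincipalName":"bob@example.com","createdDateTime":"2024-03-01T11:00:00Z","ipAddress":"198.51.100.20","location":{"countryOrRegion":"NL"},"status":{"errorCode":0},"clientAppUsed":"IMAP4"}
"""

def parse_signins(text):
    """Parse JSON-lines sign-in records and sort them chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["_ts"] = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["_ts"])

def detect(events, baseline=3, burst_window=timedelta(minutes=10), burst_threshold=3):
    """Return (user, rule, detail) alerts for three account-takeover patterns."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries of earlier successful sign-ins
    success_count = defaultdict(int)    # user -> number of successful sign-ins so far
    failures = defaultdict(deque)       # (user, ip) -> timestamps of recent failures
    for e in events:
        user, ip = e["userPrincipalName"], e["ipAddress"]
        country = e.get("location", {}).get("countryOrRegion", "unknown")
        key = (user, ip)
        if e["status"]["errorCode"] != 0:
            failures[key].append(e["_ts"])
            continue
        recent = failures[key]
        while recent and e["_ts"] - recent[0] > burst_window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= burst_threshold:  # success right after a burst of failures
            alerts.append((user, "success_after_failure_burst", ip))
        if e.get("clientAppUsed") in LEGACY_CLIENTS:
            alerts.append((user, "legacy_auth_success", e["clientAppUsed"]))
        if success_count[user] >= baseline and country not in seen_countries[user]:
            alerts.append((user, "new_country", country))   # only once a baseline exists
        seen_countries[user].add(country)
        success_count[user] += 1
        recent.clear()
    return alerts

def run_signin_example():
    return detect(parse_signins(SAMPLE_SIGNINS))

if __name__ == "__main__":
    for user, rule, detail in run_signin_example():
        print(f"{rule:28} {user:20} {detail}")
```

On real data the same logic runs over an export of the sign-in logs; the country baseline should be built from weeks of history rather than three sign-ins, and hits from this rule set are a starting point for triage, not proof of compromise.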
8. Deploy anti-spoofing
The Eye Anti-Spoofing Tool (EAST) is a sophisticated cybersecurity measure designed to counteract the spoofing of Microsoft login pages. It functions during the sign-in phase, using a unique CSS file to modify the look of the sign-in box. As users engage with the login page, Eye Security’s servers dynamically adjust based on the HTTP Referer header, differentiating between authentic and fraudulent pages, and our system provides a visual indicator.
Image 3. Example of the EAST tool in action on the Microsoft login page
The unique CSS file loads a version of the login screen, hosted by Eye Security, that includes a warning when users try to log in to an unrecognised domain. When users visit the authentic Microsoft domain, a login page appears with a green check box and the message: “login screen verified”. This ensures users are alerted to potential phishing attempts, strengthening the security boundary. This subject has been discussed in our previous blog article “Empowering Security: The Battle against Login Spoofing.”
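To make the mechanism concrete, here is an added example (not the EAST code itself) of how a branding stylesheet can be served differently depending on the HTTP Referer header. The trusted host list, the CSS selector and the messages are assumptions; the handler returns a “verified” style when the request comes from a genuine Microsoft sign-in host and a warning otherwise, and refuses to be cached so that a verdict is never reused on another page.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hosts that serve the genuine Microsoft sign-in page (assumption for this example)
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Entra company branding lets a tenant load its own stylesheet; the selector below is
# illustrative and the messages mirror the article's "login screen verified" banner.
CSS_VERIFIED = '.ext-sign-in-box::before { content: "\\2713 login screen verified"; color: #107c10; }'
CSS_UNTRUSTED = ('.ext-sign-in-box::before { content: "Warning: this is not the genuine sign-in page. '
                 'Do not enter your password."; color: #d13438; }')
CSS_UNKNOWN = '.ext-sign-in-box::before { content: "Sign-in page could not be verified"; color: #797775; }'

def referer_host(referer):
    """Return the lowercase host named in a Referer header, or None if there is none."""
    if not referer:
        return None
    host = urlsplit(referer.strip()).hostname   # drops scheme, user-info, port and path
    return host.rstrip(".") if host else None

def classify_referer(referer):
    """'verified' for an exact trusted host, 'unknown' when no header was sent, else 'untrusted'."""
    if not referer:
        return "unknown"
    return "verified" if referer_host(referer) in TRUSTED_LOGIN_HOSTS else "untrusted"

def select_css(referer):
    return {"verified": CSS_VERIFIED, "untrusted": CSS_UNTRUSTED}.get(classify_referer(referer), CSS_UNKNOWN)

class BrandingCssHandler(BaseHTTPRequestHandler):
    """Serves the stylesheet the sign-in page references; the verdict depends on the Referer."""
    def do_GET(self):
        body = select_css(self.headers.get("Referer")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/css; charset=utf-8")
        self.send_header("Cache-Control", "no-store")   # never reuse a verdict across pages
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), BrandingCssHandler).serve_forever()
```

The host comparison is exact, so a look-alike host that merely ends in a trusted name is not trusted, and urlsplit discards user-info so an “@” in the URL does not help either. The check depends on the browser sending a Referer header at all (a strict Referrer-Policy suppresses it), which is why this is an awareness layer rather than an enforcement control, and why the article pairs it with conditional access and FIDO2.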
9. Use Microsoft custom styling
Using a custom sign-in page helps create awareness: while it will not defeat every type of adversary-in-the-middle attack, it gives end users another cue to check. It is advised to apply company branding to Microsoft sign-in pages. Instructions on how to configure this can be found on this Microsoft resource page.
Let’s say a user works for a company called “Insecure B.V.”. Insecure B.V. decides to implement a custom sign-in page for all its Microsoft services. This page is designed with Insecure B.V.'s branding, including its logo, colour scheme, and other identifiable elements.
When an employee navigates to this page, they immediately recognise it as Insecure B.V.’s sign-in page. This recognition creates a layer of awareness. If they are directed to a different page that doesn’t have Insecure B.V.’s branding, they will be more likely to realise something is amiss. This could potentially alert a targeted employee to an adversary-in-the-middle attack or a phishing attack.
10. Prevent external mail forwards
By blocking internal users from creating rules that forward emails to external domains, another barrier is raised to help defend against cybercriminals. However, this can also be a bottleneck for legitimate mailbox forwards. Blocking external forward rules can prevent the leakage of sensitive or confidential information. It is advised to monitor for attempts where a user forwards an email to an external mailbox. For more information about denying and monitoring external forward rules, refer to this Microsoft resource.
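The monitoring this section asks for can be done over the unified audit log, which records inbox-rule and mailbox changes together with the cmdlet parameters. The following added example (not Eye Security’s tooling) scans such events and reports any forwarding target outside the organisation’s own domains. The records and the domain list are constructed for the example; the parameter names (ForwardTo, RedirectTo, ForwardAsAttachmentTo, ForwardingSmtpAddress, DeleteMessage) are those of the Exchange Online cmdlets.

```python
import json
import re

INTERNAL_DOMAINS = {"example.com"}          # the organisation's own mail domains (assumed)
FORWARD_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample events, not a real export. The shape (Operation, UserId and a
# Parameters list of Name/Value pairs) follows the unified audit log's Exchange records.
SAMPLE_AUDIT = """
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"Finance archive"},{"Name":"ForwardTo","Value":"finance-archive@example.com"}]}
{"Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"Archive old mail"},{"Name":"ForwardTo","Value":"b.smith@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"Set-Mailbox","UserId":"carol@example.com","Parameters":[{"Name":"Identity","Value":"carol"},{"Name":"ForwardingSmtpAddress","Value":"smtp:carol@example.org"},{"Name":"DeliverToMailboxAndForward","Value":"False"}]}
{"Operation":"Set-InboxRule","UserId":"dave@example.com","Parameters":[{"Name":"Identity","Value":"Old projects"},{"Name":"MoveToFolder","Value":"Archive"}]}
"""

def parse_audit(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def param_map(record):
    """Flatten the Parameters list into {Name: Value} with values as strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def external_recipients(params):
    """Addresses in any forwarding parameter whose domain is not one of ours."""
    found = []
    for name, value in params.items():
        if name in FORWARD_PARAMS:
            for addr in EMAIL_RE.findall(value):   # tolerates "smtp:" prefixes and display names
                if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                    found.append(addr.lower())
    return found

def find_external_forwards(records):
    alerts = []
    for r in records:
        if r.get("Operation") not in FORWARD_OPERATIONS:
            continue
        params = param_map(r)
        recipients = external_recipients(params)
        if recipients:
            alerts.append({"user": r["UserId"], "operation": r["Operation"], "recipients": recipients,
                           # a rule that forwards and deletes hides the forwarded mail from the owner
                           "deletes_original": params.get("DeleteMessage", "").lower() == "true"})
    return alerts

def run_forwarding_example():
    return find_external_forwards(parse_audit(SAMPLE_AUDIT))

if __name__ == "__main__":
    for alert in run_forwarding_example():
        print(alert)
```

Mailbox-level forwarding (Set-Mailbox) and inbox rules are reported by different operations, so both are checked; a hit on an address outside the organisation is worth an immediate call to the mailbox owner, since a legitimate forward to a personal address and a compromised mailbox look identical in the log.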
11. Implement DKIM, SPF, and DMARC
DMARC, DKIM, and SPF are email authentication methods. Together, they act as a shield against threat actors who attempt to send emails from a domain they don’t own. DKIM and SPF can be compared to a business permit or a medical degree hanging on an office wall — they serve as proof of authenticity. DMARC instructs receiving mail servers what to do when both the DKIM and SPF checks fail: deliver the email regardless (none), treat it as spam (quarantine), or refuse it outright (reject).
Domains that haven’t properly configured SPF, DKIM, and DMARC may discover that their emails are being flagged as spam or not reaching their intended recipients. Moreover, they run the risk of spammers masquerading as them. The following guides can be used to set up: SPF, DKIM, and DMARC.
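To show what these records actually say, here is an added example (not from the article or Eye Security) that parses SPF and DMARC TXT records, lints common SPF mistakes, and works out the DMARC disposition a receiving server would apply from the SPF and DKIM results and their alignment with the From: domain. The records for example.com are constructed, and the organisational-domain lookup is a simplification noted in the code.

```python
import re

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples and modifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                                 # modifier, e.g. redirect=_spf.example.net
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                                 # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = re.match(r"([A-Za-z0-9]+)(.*)", term)      # e.g. ip4 + :203.0.113.0/24, a + /24
        if m:
            mechanisms.append((qualifier, m.group(1).lower(), m.group(2)))
    return mechanisms, modifiers

def spf_findings(record):
    """Return human-readable problems with an SPF record; an empty list means none found."""
    mechanisms, modifiers = parse_spf(record)
    findings = []
    all_qualifiers = [q for q, name, _ in mechanisms if name == "all"]
    if not all_qualifiers and "redirect" not in modifiers:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifiers and all_qualifiers[-1] == "+":
        findings.append("'+all' authorises every sender; use '-all' or '~all'")
    lookups = sum(1 for _, name, _ in mechanisms if name in LOOKUP_MECHANISMS)
    lookups += "redirect" in modifiers
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (RFC 7208)")
    return findings

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dictionary with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return {"adkim": "r", "aspf": "r", "pct": "100", **tags}

def org_domain(domain):
    # Simplification: real DMARC uses the Public Suffix List to find the organisational
    # domain; the last two labels stand in for it here (wrong for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Alignment between the From: header domain and an SPF- or DKIM-authenticated domain."""
    if not auth_domain:
        return False
    if mode == "s":                                     # strict: exact match
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """'pass' if an aligned SPF or DKIM result exists; otherwise the published policy
    (none/quarantine/reject). The pct tag, which samples the policy, is ignored here."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = org_domain(from_domain) != from_domain.lower().rstrip(".")
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]

# Constructed records for the fictional sender domain example.com
SPF_GOOD = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"
SPF_WEAK = "v=spf1 a mx +all"
DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(spf_findings(SPF_GOOD), spf_findings(SPF_WEAK))
    # From: example.com while SPF passes only for an unrelated domain and DKIM is absent
    print(dmarc_disposition(DMARC_ENFORCED, "example.com", True, "example.net", False, ""))
    print(dmarc_disposition(DMARC_MONITOR, "example.com", True, "example.net", False, ""))
```

The second printed case is the masquerading scenario the paragraph describes: the message passes SPF for a domain that is not aligned with the From: header, so under p=reject it is refused, while p=none only reports it. A domain at p=none is monitored but not protected; rollouts usually move from none to quarantine to reject once the aggregate reports (rua) show that all legitimate mail passes.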
12. Prevent users from registering apps
Allowing Entra users to consent to apps accessing company data can lead to the unwanted exposure of sensitive company information. It is recommended that consent is allowed by administrators only. You can disable this setting by following this article from the Microsoft resource hub.
13. Deny the use of the Outlook web app
Disabling the web app version of Outlook poses another barrier for threat actors as they need to use the mobile app or the desktop app to access a mailbox. However, this measure can also inconvenience end users, who may be unable to check their emails if they do not have the mobile app installed. Furthermore, some organisations mandate the use of a registered device to utilise the mobile or desktop application for email access.
14. Use FIDO2 authentication
Hardware-based authentication using FIDO2 protocols is currently the most effective approach to mitigating the risk of MFA bypass in all its forms. FIDO2 authentication relies on cryptographic keys that are registered for a specific domain in advance, enabling users to authenticate themselves securely.
Image 4. An overview of the FIDO2 authentication mechanism
The data the FIDO2 device signs in response to the service’s challenge includes specific details about the request’s origin, such as the site’s URL. As a result, any attempt to authenticate to a phishing site with this mechanism fails. Notable examples of FIDO2 authenticators are hardware tokens such as YubiKeys; Windows Hello for Business can also be used.
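The origin binding described above can be seen in a small model of the WebAuthn flow. The following is an added example, not Eye Security’s or Microsoft’s code: it uses an HMAC key in place of the credential’s asymmetric key pair so that it runs with the standard library alone, and the host names are assumptions. It shows the browser refusing to use a credential for an RP ID that does not match the page’s origin, the authenticator holding no credential for a look-alike domain, and the service rejecting an assertion whose signed client data names a foreign origin.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Simplified model of a WebAuthn/FIDO2 sign-in. An HMAC key stands in for the
# credential's asymmetric key pair so the block needs only the standard library;
# the RP-ID and origin checks are what the example is about.

def rp_id_allowed(origin, rp_id):
    """Browser rule: the RP ID must equal the origin's host or be a suffix of it
    (the real rule also forbids public suffixes such as 'com'; omitted here)."""
    host = (urlsplit(origin).hostname or "").lower()
    return host == rp_id.lower() or host.endswith("." + rp_id.lower())

class Authenticator:
    """A hardware token whose credentials are scoped to the RP ID they were created for."""
    def __init__(self):
        self._creds = {}                                   # (rp_id, credential_id) -> key

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key                                # real FIDO2 returns a public key

    def get_assertion(self, rp_id, client_data_hash):
        for (stored_rp, cred_id), key in self._creds.items():
            if stored_rp == rp_id:
                auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash | flags
                return cred_id, auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return None                                        # no credential for this RP ID

def client_data_json(challenge, origin):
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}).encode()

def navigator_credentials_get(token, origin, rp_id, challenge):
    """What the browser does: enforce the RP-ID rule, then bind the real origin into the signed data."""
    if not rp_id_allowed(origin, rp_id):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    cdj = client_data_json(challenge, origin)
    result = token.get_assertion(rp_id, hashlib.sha256(cdj).digest())
    if result is None:
        return None
    cred_id, auth_data, sig = result
    return {"credentialId": cred_id, "clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}

class RelyingParty:
    def __init__(self, rp_id, allowed_origins):
        self.rp_id, self.allowed_origins = rp_id, set(allowed_origins)
        self.credentials, self.challenges = {}, set()

    def new_challenge(self):
        c = secrets.token_bytes(32)
        self.challenges.add(c)
        return c

    def verify(self, assertion):
        cd = json.loads(assertion["clientDataJSON"])
        challenge = bytes.fromhex(cd.get("challenge", ""))
        if cd.get("type") != "webauthn.get" or challenge not in self.challenges:
            return False
        if cd.get("origin") not in self.allowed_origins:
            return False                                   # the signed origin is not ours
        if assertion["authenticatorData"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        key = self.credentials.get(assertion["credentialId"])
        if key is None:
            return False
        signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["signature"]):
            return False
        self.challenges.discard(challenge)                 # challenges are single use
        return True

def run_scenarios():
    token, results = Authenticator(), {}
    rp = RelyingParty("login.microsoftonline.com", {"https://login.microsoftonline.com"})
    cred_id, key = token.make_credential(rp.rp_id)
    rp.credentials[cred_id] = key
    genuine, lookalike = "https://login.microsoftonline.com", "https://login.microsoftonline.com.example.net"
    results["genuine"] = rp.verify(navigator_credentials_get(token, genuine, rp.rp_id, rp.new_challenge()))
    try:                                                   # look-alike page asks for the real RP ID
        navigator_credentials_get(token, lookalike, rp.rp_id, rp.new_challenge())
        results["lookalike_real_rpid"] = "assertion produced"
    except PermissionError:
        results["lookalike_real_rpid"] = "browser refused"
    # look-alike page asks for its own RP ID: the token holds no credential for it
    results["lookalike_own_rpid"] = navigator_credentials_get(token, lookalike, urlsplit(lookalike).hostname, rp.new_challenge())
    # even a valid signature over client data naming a foreign origin is rejected server-side
    cdj = client_data_json(rp.new_challenge(), lookalike)
    c, a, s = token.get_assertion(rp.rp_id, hashlib.sha256(cdj).digest())
    results["foreign_origin"] = rp.verify({"credentialId": c, "clientDataJSON": cdj, "authenticatorData": a, "signature": s})
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

Three independent checks fail for a look-alike site: the browser’s RP-ID rule, the per-RP scoping of the credential on the token, and the service-side origin check on the signed clientDataJSON. None of them depends on the user noticing anything, which is what makes FIDO2 resistant to the adversary-in-the-middle technique described earlier in this article.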
15. Implement financial controls
Eye Security recommends enforcing a “four-eyes principle”, meaning that two people verify and validate whether the information is correct and legitimate. This is strongly recommended for high-risk transactions or operations. Requests to change a bank account number should be verified by phone, and the involved parties should be promptly informed of the change.
This creates a strong barrier for attackers to impersonate users and propagate changes in sensitive information. An organisation should also consider switching from emailed invoices to a system specifically designed to authenticate payments.
Conclusion and next steps
We have provided a comprehensive set of actions to help guide you on your way to becoming more cyber-resilient. You might have already implemented many of them to prevent fraudulent activity. Or it might seem like such a daunting task that you push them aside to focus on your day-to-day activities. We hope this gives you enough information to get started. Regardless of where you are on your cyber journey, Eye Security can help remove some of the burden. To find out more, reach out to us directly to book a demo and learn about our service.