We had a client a couple of years ago who experienced a Business Email Compromise. One of their Accounting AR Clerks had their credentials stolen, most likely from a website that had been hacked, and their credentials had been published and sold on the Dark Web. A cybercriminal used those credentials to access their Microsoft 365 account by simply going to https://portal.office.com and entering the credentials they had purchased from the Dark Web. Since this client had refused (over and over again) to implement Multi-Factor Authentication or even Conditional Access, the cybercriminal was able to gain full access to their email account.
Once the cybercriminal had gained access to their email, they set up a forwarding rule so that all incoming and outgoing email was sent to an external Gmail account that the cybercriminal controlled. They were then able to leisurely review all of the AR Clerk’s email correspondence, looking for opportunities to trick customers of our client into sending payments to a bank account controlled by the cybercriminal.
The cybercriminal found that the AR Clerk was responsible for sending out invoices and making collection attempts on past-due invoices. The cybercriminal then followed up with an additional email, sent from the AR Clerk’s account, stating that the bank account payments were to be sent to had changed, and included the details of a bank account controlled by the cybercriminal. Fortunately, the client’s customers had good processes in place: they contacted our client to confirm the change in bank account details, and our client confirmed that this was NOT accurate. No money was sent to the cybercriminals.
The client then contacted us, and we implemented our Incident Response Plan for Business Email Compromise incidents. After resolving the issue for the client and providing an Incident Response Report that explained what happened and what can be done to prevent a similar incident from happening in the future, the client finally agreed to implement Multi-Factor Authentication.
The bottom line is that any business or organization can be a Business Email Compromise target.
Here are the Top 6 things you can do to reduce the likelihood of a Business Email Compromise (or just about any type of email phishing attack).
- Implement End User Security Awareness Training & Phishing Simulations. Your employees continue to be the biggest cybersecurity risk to your organization. The best firewalls in the world can’t stop a user from clicking on a Phishing Email or falling for a social engineering scam. Getting them regular cybersecurity training, sending simulated phishing emails, and monitoring the Dark Web for credential compromise can help you proactively protect your users (and your organization).
- Implement Multi-Factor Authentication. The bottom line is that users are going to continue using the same passwords (or variations of) across all of the websites and systems they access, both personal and professional. When those credentials are stolen and published into the Dark Web, it is likely that cybercriminals will attempt to compromise your Microsoft 365 environment using those credentials. Having MFA will block those attempts, even if the cybercriminal has the correct credentials.
- Implement Conditional Access. Using Conditional Access with your MFA and Microsoft 365 environment can reduce the number of times a user has to confirm a login using MFA. This decreases MFA fatigue and makes users’ day-to-day lives better.
- Implement a Business Password Manager. Give your users a Password Manager to not only ensure they use unique, random passwords on every website they access, but also save them 10-15 min every day by automatically entering their credentials into websites and facilitating the changing of passwords.
- Set up Financial Transaction Verification Procedures. Before transferring funds or sensitive information, establish a verification process that confirms the authenticity of the request. This could include a phone call, video conference, or face-to-face meeting. Don’t rely on email alone to confirm these types of requests.
- Implement Microsoft 365 Cybersecurity Monitoring. If the client mentioned above had Microsoft 365 Cybersecurity Monitoring in place, they would have received an alert that an external forwarding rule had been created for one of their users. This would have allowed an IT administrator the opportunity to stop the threat in its tracks.
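As an added example for the MFA and Conditional Access items above (this is not code from the original post), here is a Conditional Access policy, created through the Microsoft Graph PowerShell SDK, that requires MFA for all users on all cloud apps but does not prompt from locations you have marked as trusted, which is where the reduction in day-to-day prompts comes from. It assumes the Microsoft.Graph module is installed, that at least one named location has been marked trusted in Entra ID, and that the break-glass group id is replaced with a real value (the one shown is a placeholder). The policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: Conditional Access policy requiring MFA everywhere except trusted locations.
# Assumes the Microsoft.Graph PowerShell SDK and a Global/Conditional Access Administrator role.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object id of a group holding your emergency-access (break-glass) accounts.
# Always exclude them so a misconfigured policy cannot lock every admin out.
$breakGlassGroupId = '<BREAK-GLASS-GROUP-OBJECT-ID>'

$policy = @{
    displayName = 'Require MFA - all users, all apps (report-only)'
    # Report-only: nothing is blocked yet, but each sign-in records what the policy WOULD do.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        # Apply to every location, but skip prompts from named locations flagged as trusted.
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the sign-in logs show no unexpected impact, change `state` to `enabled`. Note that a trusted-location exclusion only lowers prompt volume for users inside those locations; the credential-stuffing login from the story above, coming from an unknown network, would still be challenged for MFA.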
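The external forwarding rule in the story above is exactly the kind of change monitoring should surface. As an added example (not code from the original post or from any monitoring product), the following Exchange Online PowerShell script inventories every user mailbox for forwarding to domains the tenant does not own, whether set as a mailbox property or as an inbox rule, and lists recent rule-creation events from the unified audit log. It assumes the ExchangeOnlineManagement module is installed and the account running it holds at least a read-only Exchange admin role; tenant-owned domains are read from `Get-AcceptedDomain`, so no organization-specific values are hard-coded.

```powershell
# Added example: find mailbox-level and inbox-rule forwarding to external domains.
# Assumes the ExchangeOnlineManagement module; run with a read-only Exchange admin role.
Connect-ExchangeOnline

# Domains the tenant owns; forwarding to any other domain is treated as external.
$ownDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox-rule recipients render as '"Name" [SMTP:user@example.com]';
    # mailbox forwarding renders as 'smtp:user@example.com' or a bare address.
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }   # internal recipient object, not an SMTP address
    $domain = ($Address.Split('@')[-1]).ToLower()
    return ($ownDomains -notcontains $domain)
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # 1. Forwarding set on the mailbox itself (admin-set or via Outlook settings).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress ([string]$mbx.ForwardingSmtpAddress))) {
        $findings += [pscustomobject]@{
            Mailbox   = $mbx.UserPrincipalName
            Type      = 'MailboxForwarding'
            Rule      = '(mailbox property)'
            Target    = [string]$mbx.ForwardingSmtpAddress
            KeepsCopy = $mbx.DeliverToMailboxAndForward
        }
    }

    # 2. Inbox rules, which anyone holding the user's session can create.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                $findings += [pscustomobject]@{
                    Mailbox   = $mbx.UserPrincipalName
                    Type      = 'InboxRule'
                    Rule      = $rule.Name
                    Target    = [string]$t
                    # A rule that also deletes the message hides the forwarding from the user.
                    KeepsCopy = -not $rule.DeleteMessage
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize

# 3. Who created or changed inbox rules in the last 7 days (for alerting, not just inventory).
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

# Hardening, tenant-wide: stop automatic forwarding to the internet altogether.
# Uncomment after the findings above have been reviewed with the business.
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Scheduling this as a daily job and diffing the output against the previous run turns a one-off audit into the alert the post describes; the `DeleteMessage` flag is worth weighting highest in triage, since rules that forward and delete are built to stay unnoticed by the mailbox owner.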
If you’d like to receive a FREE Microsoft 365 Cybersecurity Assessment, schedule a complimentary meeting to discuss your Microsoft 365 needs.