Almost caught out!

Jack Smallpage, Information Security Officer at Chess, tells the story of a recent Business Email Compromise (BEC) incident which almost cost us €60k. Follow the story:

• Jump to What is a Business Email Compromise (BEC)? >
• Jump to The Phish Attack >
• Jump to How can you protect your business? >

Business Email Compromise

Email is one of the primary ways we communicate. We use it every day for work and to stay in touch with our friends and family. In addition, email is now how most companies provide online services such as confirmation of your account, online purchases, or availability of your statements.

Unfortunately, since so many people worldwide depend on email, it has become one of the primary attack methods used by cybercriminals. As our defences and awareness have evolved, so too have the tactics and methods employed by attackers. Standard indiscriminate phishing techniques are increasingly caught through technology and security awareness, so attackers create additional strategies to catch us off-guard. One such method used is known as Business Email Compromise (BEC).

What is a Business Email Compromise (BEC)?

Business Email Compromise (BEC) is a type of phishing attack where the attacker attempts to trick a senior executive or budget holder into transferring funds, opening a malicious link/attachment or revealing sensitive information. It is usually done through the impersonation or compromise of an executive's account to manipulate the target with false authenticity and authority. In the security industry this type of targeted attack is also known as CEO Fraud. 

We experienced a recent Business Email Compromise (BEC) incident where a fake supplier created an 'outstanding remittance' phish followed by an impersonated email from our CFO, Mark Lightfoot, to add urgency and authority to the attack. Follow the steps and details of this attack below.

Threats, Tools for Protection, and The Ever-Changing Landscape

On Demand Video Series

Johan Dreyer, EMEA Field CTO at Mimecast, and Gavin Wood, CTO at Chess, discuss the biggest Cybersecurity threats right now, the critical set of tools required for protection, and how to keep ahead of ever-changing cyber threats.

Watch Now

The Phish Attack

Initial Contact

Masquerading as a disgruntled corporate supplier, the attacker enquires after an outstanding payment that had not been received. This initial email aims to sound like a real supplier opening up lines of communication to get a response.

From: *Fake Supplier* <john.doe@fakecompany.us> 

Sent: 19 October 2021 08:23

To: Chess Employee <*ChessEmployee*@ChessICT.co.uk>

Subject: Re: Outstanding Remittance

Hi *Chess Employee*,

 I was told to contact you today on behalf of *fake company* over an outstanding payment we have not received.

The invoice was issued a few weeks ago, and up till now, we have still not been reimbursed.

Could you kindly check your records and advise accordingly?

Best Regards

*Fake Supplier*

Communication

The employee in question now replies to the email requesting a copy of the invoice with a fake copy being subsequently sent.

Impersonation

To apply pressure, the attacker now impersonates Mark Lightfoot, Chess' CFO, to push the Chess employee for same-day payment and stresses the urgency while simultaneously making the invoice request sound legitimate. The attacker is able to do this by making a subtle change to the Chess email format:

REAL: @ChessICT.co.uk.

FAKE: @Chesslct.co.uk (Uses a lower case 'L' to imitate the 'I' in ICT).

From: Mark Lightfoot <marklightfoot@chesslct.co.uk> 

Sent: 19 October 2021 11:25

To: john.doe@fakecompany.us

Cc: *ChessEmployee* <*ChessEmployee*@ChessICT.co.uk>; *HeadofLegal*@chesslct.co.uk

Subject: Re: Outstanding Remittance

*ChessEmployee*,

Can we make payment to *fakecompany* for this due invoice today? We are already behind schedule hence treat this with utmost urgency.

 I will await your feedback on this ASAP.

Thank you!

Mark Lightfoot

Chief Financial Officer

Chess

 www.chessICT.co.uk

In this redacted copy of the email, the attacker has impersonated Chess' CFO, CC'ing the Chess employee target "ChessEmployee" whilst also CC'ing in the Chess Head of Legal using the correct name but similar false email to gain more traction and authority.  

With this email now accepted by the Chess Employee, the attacker sent one final follow up email to try and 'seal the deal' with the following fake approval:

From: Mark Lightfoot <marklightfoot@chesslct.co.uk> 

Sent: 19 October 2021 11:42

To: *ChessEmployee* <*ChessEmployee*@ChessICT.co.uk>

Cc: *HeadofLegal*@chesslct.co.uk

Subject: Re: Outstanding Remittance

*ChessEmployee*,

I approved this invoice for payment.

Please liaise with *fake company name* when the invoice has been paid for reference.

I will follow up on this later

Thank you

Mark Lightfoot

Chief Financial Officer

Chess

www.chessICT.co.uk

Protection Through Policy

Until this point in the incident, the attacker had gone undetected and was potentially on their way to receiving their "invoice" of €60,000. Thankfully, we have robust financial processes in place to protect against this type of threat and the REAL CFO (Mark) and Senior Finance Manager were contacted directly to check validity of the payment and the attack chain broken.

Once queried by our CFO, the attack was promptly reported through our standard incident management processes before any damage was done.

So how can you stay protected if you find yourself in a similar situation?

Make yourself a harder target

The more convincing a Business Email Compromise is, the more likely the attacker will succeed. To create this authenticity, attackers can use social media and internet sources to impersonate their victim better. Review your privacy settings across your accounts and think about what you post on these social and professional spaces. It's also important to know what your friends, family and colleagues tag you in or say about you online. Attackers are clever, and they will often use these avenues to find out information.

Update your processes

Processes and policies are often overlooked, but they can help protect your business when all other measures have failed. Looking at this scenario, for example, have you reviewed your financial process? Do you ensure a final review is carried out with any protective steps? Do your people know who to go to (and how) if they are unsure or have other security queries?

Technical Measures

While not infallible, there are additional technical measures you can implement to help your people:
External Email Warning: Having a warning banner on all external emails helps inform users of the risks involved and increases vigilance. Banners such as this can also help identify some impersonation attempts by revealing their external nature, despite what the name on the email may say!

Enable Security Features: Products such as Microsoft 365 have various features that you can enable to protect against phishing attacks, including impersonation. As with all products, these features are frequently updated with newer technologies. Review your product and ensure the relevant features are enabled and configured – some can help your users with detection, whilst others can prevent it from arriving in their mailbox altogether.

Phishing Training

The most apparent protection method in this scenario is the training and security culture of your people. All the processes and measures in the world can be useless if the user doesn't know how to use them properly. Review your phishing training and make sure it includes a variety of attacks and the standard identifiers. Ensure they know how to report any suspected attack and create a blameless culture that encourages people to come forward if they've fallen victim.

To learn more about how you can protect your organisation, book your free 30-minute security assessment with one of our penetration testers. Get agnostic advice from industry experts on how secure your business. Request here >