Joint Advisory by Cyber Security Agency of Singapore (CSA) and Microsoft
There has been an increasing trend of Business Email Compromise (BEC) attacks reported to SingCERT. Some of these reports relate to Microsoft 365, as Microsoft’s platforms are often targeted by criminals in such BEC attacks given that it is commonly used by businesses. Enterprises need to protect themselves from such attacks by raising cybersecurity awareness and promoting the adoption of good cyber hygiene practices among their employees.
What is BEC? A BEC is an email-based fraud technique that is designed to gain access to critical business information or extract money through fraudulent requests for payment or wire transfer. The most common method used by BEC attackers is the impersonation of a company's CEO, business partner or a known contact of the victim, using a spoofed email account to send the request. There have also been instances of BEC that utilised compromised employees’ enterprise email accounts. Email accounts can be compromised through a variety of ways including phishing attacks, the utilisation of data from past data breaches and credential dumps to perform credential stuffing attacks, as well as the harvesting of possible account information of victims from social media platforms.
As more businesses go online, cybercriminals have more opportunities to launch BEC attacks and other cybercrimes. Cybercriminals are also adept at changing their social engineering schemes to reflect current events. As enterprises are the primary targets for such scams, they need to be vigilant and take precautionary measures to guard against BEC attacks.
How do you protect your enterprise against BEC? Protection against BEC requires a multi-tier approach to be effective. Enterprises can consider adopting the following recommendations to protect themselves from a BEC attack:
For Enterprise Owners
As BEC attacks rely heavily on social engineering tactics, enterprise owners are advised to do the following:
Promote a Culture of (Cyber) Vigilance Among Employees
- Regularly share cyber hygiene tips and news on current scam/phishing cases
- Conduct regular phishing drills and remind employees to verify the authenticity of emails, especially those that are suspicious or unsolicited
Implement Additional Verification Process for Finance-related Requests
Implement a secondary confirmation* process to verify the authenticity of finance-related requests, including funds transfer, change of supplier or vendor bank account, and invoice payment
*This secondary confirmation should be via a different medium (i.e. phone call or text message) to prevent direct communications with the criminal, in the event the email account has been compromised.
For Enterprise IT Teams
Enterprises can strengthen their IT infrastructure posture to prevent spoofed emails from reaching their employees by implementing the following:
Block Malicious or Spoofed Emails
- If your enterprise is not using Microsoft 365,
Implement filters at the email gateway to filter out emails with known malware spamming indicators and block suspicious IP addresses at the firewall.
Use free email authentication tools such as Domain-based Message Authentication, Reporting and Conformance (DMARC) which can help detect spoofed emails.
Implement Strong Password Policies
- Enforce regular password changes, and require the use of strong passwords
Enable multi-factor authentication (MFA) where possible for enhanced security, especially for employees with the authority to authorise payment – For users of Microsoft 365, visit this link for information on how to enable the MFA.
Maintain System Hygiene
- Ensure that automatic updates are enabled for the antivirus software, and perform a full scan of the machine(s) in your network regularly
- Conduct regular audits on user passwords against common password lists by using available resources and tools online
- Verify and remove any unauthorised/suspicious/dormant user accounts in the system as these could be leveraged to gain access into the system
- Check for and remove any suspicious email forwarding rules
- Monitor the authentication logs and investigate multiple unsuccessful login attempts
Employees have a key role to play in thwarting BEC attempts.
Inspect suspicious / urgent emails closely
Typically, phishing campaigns’ emails will sound urgent and list dire consequences if the recipient does not act promptly. BEC-type emails may also ask the recipient to change the designated account for receiving wire payments.
Seek confirmation using a different medium (i.e. phone call or text message) before proceeding with an important instruction that was sent via the email. Report any suspicious phishing email to your administrator and do not click on any links or open any attachments from the email.
Enterprises using services from Microsoft 365 are encouraged to refer to the additional weblinks and online product documentation for information on implementing measures to allow employees to report junk and phishing email in Outlook, and to enable MFA for an additional layer of security for sign-ins.
More information is available at: