Incident Response Playbook: Business Email Compromise (BEC)

Flying under the radar for years, BEC attacks have been slowly climbing the ranks as one of the most popular tactics amongst cybercriminals to exploit vulnerabilities and orchestrate scams.

In a recent report by the Federal Bureau of Investigation revealed staggering statistics: "In 2023, the IC3 received 21,489 BEC complaints with adjusted losses exceeding 2.9 billion dollars" - IC3

As BEC incidents continue to surge, the importance of a well-crafted and thoroughly rehearsed BEC incident response playbook cannot be overstated.

So…What exactly is Business Email Compromise (BEC)?

A Business Email Compromise (BEC) is a type of cyberattack where attackers use social engineering and email spoofing techniques to deceive individuals within a company, typically targeting employees who have access to finances or sensitive information.

"According to the IBM Cost of a Data Breach 2023 report, business email compromise and phishing attacks were among the costliest breaches, averaging around $4.7 million dollars per incident." - IBM

In a BEC attack, the goal is to fool employees into sending money or sensitive info to the attacker by pretending to be someone they trust at work. These attacks come in all shapes and sizes, from stealing data to faking invoices, impersonating CEOs, posing as lawyers, hacking accounts, and more.

How To Spot BEC Attacks:

When it comes to spotting these sneaky attacks, keep an eye out for a couple of things. Firstly, double-check the sender's email address for any typos or weird characters. And remember, never click on suspicious links or attachments, even if the emails look like they're from legit vendors or higher-ups – better safe than sorry.

Sometimes, hackers hijack the accounts of people you trust, so always double-check any unexpected messages or requests to make sure they're legitimate. Also, be wary of urgent requests or strange payment inquiries – if anything seems fishy, we suggest contacting the individual using an alternative trusted channel, such as a phone call, message, or the best option, face-to-face.

Real-world examples of BEC Attacks:

BEC attack on 1st Advantage Fed. Credit Union

A recent court decision in Virginia may have provided a roadmap for some BEC victims to seek compensation from the financial institutions that facilitate the fraudulent transfers of money - Discerning Data

A United States District Court Judge found that 1st Advantage, involved in processing a BEC payment, didn't handle things responsibly. Because of their slip-up, the victim of the BEC scam was awarded $558,868.71 in damages

Facebook and Google's $121m BEC Scam

Known for being one of the biggest and well know BEC scams of all time, the incident resulted in around $121 million in collective losses- NS Business

Rimasauskas, the con man, established a fake company, Quanta Computer, resembling a legitimate vendor used by Google and Facebook. He then presented convincing invoices to both companies, which they promptly paid out.

Facebook and Google's $121m BEC Scam

The hacker gang TA4903, known for BEC attacks, is impersonating U.S. government agencies to trick targets into opening malicious files with fake bidding links - bleepingcomputer

When recipients scan the QR codes, they are directed to phishing sites that are made to appear like the official portals of the impersonated U.S. government agencies. Proofpoint states that TA4903 frequently registers domain names resembling those of government entities and private organizations across different sectors.

BEC Incident Response Steps

In line with NIST's structured incident response approach as detailed in Special Publication 800-61, here are some general guidelines and steps we suggest integrating into your incident response plan to prepare for a potential BEC attack

1. Detect
   • Monitor email traffic for anomalies
   • Monitor user reports for suspicious emails
   • Utilize email security solutions like spam filters and DMARC
2. Analyze
   • Review email logs for anomalies
   • Collect email headers, sender info, and attachments
   • Assess compromised accounts and conduct root cause analysis
3. Contain
   • Isolate compromised accounts
   • Implement filters to block malicious senders
   • Reset passwords and revoke authentication tokens
   • Preserve and analyze malware samples if found
   • Send alerts to all internal staff about the email
4. Eradicate
   • Patch vulnerabilities and remove unauthorized rules
   • Ensure all systems are updated
   • Check for similar rules in other email accounts and remove them
5. Recover
   • Restore systems from backups
   • Replace or rebuild systems as needed
   • Reinforce security measures and provide training
   • Reset passwords and consult cybersecurity insurance if financial loss occurred
6. Post-Incident
   • Conduct a post-incident review
   • Update security policies and procedures
   • Publish appropriate communications internally and externally
     
     

At the end of the day, the best way to stop BEC attacks is through thorough training. By teaching employees about common BEC tactics like phishing and social engineering, they can spot and report suspicious emails faster. This builds a culture of awareness that helps organizations avoid falling victim to BEC scams.

Simplifying Incident Response with Rivial

Rivial allows you to easily build, view, store, and maintain scenario-specific playbooks when general incident response procedures fall short.

Our incident response module consists of four sections, including a module dashboard where you can find a concise overview of relevant incident response systems, prioritized response action items, exercises, teams, incidents, and detections to ensure your organization is always prepared and every stakeholder knows their role with accessible, tested, and ready-to-go procedures and playbooks. Schedule a time to learn more about our platform today!