Business Email Compromise through Exploitation of Cloud-Based Email Services

21-RISK-01 / October 2021
Subject: Cybersecurity
To: Federally Insured Credit Unions
Status: Active

Dear Boards of Directors and Chief Executive Officers:

According to the FBI’s Internet Crime Complaint Center, cybercriminals are targeting organizations that use popular cloud-based email services to conduct Business Email Compromise (BEC) scams. Credit unions can take steps to prevent this type of fraud and should report any incidents of fraud immediately to the FBI’s Internet Crime Complaint Center and local FBI field office. Reporting incidents to the Internet Crime Complaint Center within 24 hours increases the chances of recovery for funds wired under fraudulent pretenses.

Business Email Compromise

While several BEC scam variants exist, one of the most effective types is initiated through phishing emails designed to steal email account credentials. Cybercriminals use phishing kits that impersonate popular cloud-based email services. Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cybercriminal to target victims using cloud-based services. Upon compromising victim email accounts, cybercriminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.

Using the information gathered from compromised accounts, cybercriminals impersonate email communications between compromised businesses and third parties, such as vendors or customers, to request pending or future payments be redirected to fraudulent bank accounts. Cybercriminals frequently access the address books of compromised accounts to identify new targets to send phishing emails. As a result, a successful email account compromise at one business can affect multiple victims associated with the account.

Depending upon the provider, cloud-based email services may offer security features, such as advanced phishing protection and multi-factor authentication, that are either not enabled by default or are only available at additional cost.

Prevent Business Email Compromise Fraud

Credit unions can take the following steps to help prevent BEC fraud:

  • Enable multi-factor authentication for all email accounts.
  • Disable basic or legacy account authentication that does not support multi-factor authentication.
  • Use caution when posting information on social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
  • Verify all payment changes and transactions in person or via a known telephone number.
  • Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.
  • Prohibit automatic forwarding of business email to external addresses.
  • Add an email banner to messages coming from outside your organization.
  • Prohibit legacy or unsupported email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent multi-factor authentication.
  • Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
  • Enable alerts for suspicious activity, such as foreign logins.
  • Enable security features that block malicious email, such as anti-phishing and anti-spoofing policies.
  • Implement email authentication technologies such as Domain-based Message Authentication Reporting and Conformance (DMARC) policies to prevent spoofing and validate incoming email.1
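The mailbox-rule abuse described above (rules that delete key messages or forward mail to an outside address) is exactly what the logging and alerting items in this list are meant to surface. The following is an added example, not part of the NCUA letter, that scans constructed audit-log lines for rules matching that pattern; the JSON field names, the `example-cu.test` domain and the keyword list are assumptions, not any provider's real log format.

```python
import json

# Constructed sample audit events (not real log data). The field names are a
# simplified stand-in for mailbox-rule events in a cloud email audit log.
SAMPLE_EVENTS = """
{"user":"ap.clerk@example-cu.test","op":"New-InboxRule","params":{"Name":"Vendor","ForwardTo":["relay@mail-attacker.example"],"DeleteMessage":true,"SubjectContainsWords":["invoice","wire"]}}
{"user":"teller@example-cu.test","op":"New-InboxRule","params":{"Name":"Newsletters","MoveToFolder":"Reading","SubjectContainsWords":["digest"]}}
{"user":"cfo@example-cu.test","op":"Set-InboxRule","params":{"Name":"Archive","DeleteMessage":true,"FromAddressContainsWords":["payments@vendor.example"]}}
{"user":"hr@example-cu.test","op":"New-InboxRule","params":{"Name":"Copy","ForwardTo":["assistant@example-cu.test"]}}
""".strip().splitlines()

INTERNAL_DOMAINS = {"example-cu.test"}  # assumed: domains the credit union controls
FINANCIAL_TERMS = {"invoice", "wire", "payment", "ach", "remittance"}

def is_external(address: str) -> bool:
    """True when the recipient's domain is not one the organization controls."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def assess_rule(event: dict) -> list:
    """Return the reasons a rule matches the BEC pattern: external forwarding, deletion, financial keywords."""
    p = event.get("params", {})
    reasons = []
    external = [a for a in p.get("ForwardTo", []) + p.get("RedirectTo", []) if is_external(a)]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    if p.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    words = {w.lower() for w in p.get("SubjectContainsWords", [])}
    hits = words & FINANCIAL_TERMS
    if reasons and hits:  # keyword filtering only matters when paired with forwarding or deletion
        reasons.append("filters on financial keywords: " + ", ".join(sorted(hits)))
    return reasons

def find_suspicious_rules(lines) -> list:
    """Scan JSON audit lines; return (user, rule name, reasons) for each rule to review."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("op") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        reasons = assess_rule(event)
        if reasons:
            findings.append((event["user"], event["params"].get("Name", "?"), reasons))
    return findings

if __name__ == "__main__":
    for user, name, reasons in find_suspicious_rules(SAMPLE_EVENTS):
        print(f"{user}: rule '{name}' -> {'; '.join(reasons)}")
```

Run against the constructed events, the clerk's rule is flagged on all three counts and the executive's delete rule on one, while the internal copy rule and the newsletter rule are left alone.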

Prevent Wire Transfer Fraud

Cybersecurity threats resulting in wire transfer fraud are increasing as the financial industry relies on virtual environments to complete critical functions. It is essential to ensure that proper wire controls are in place.

Operational controls include, but are not limited to, the following:

  • Dual controls and separation of duties
  • Documented and board-approved policies and procedures
  • Timely balancing and reconciliation of related accounts
  • Incident response and business continuity planning and testing

Transactional controls include, but are not limited to, the following:

  • Call-back parameters
  • System enforced monetary thresholds
  • System enforced end user monetary limits
  • System enforced time-of-day restrictions
  • Automated velocity monitoring
  • Exception handling procedures
  • Enhanced due diligence and monitoring of high-risk members and activity

Physical and logical controls include, but are not limited to, the following:

  • Multi-factor authentication
  • Patch management, virus protection, and firewall protection
  • System access controls
  • Network security policies
  • Member and staff information security training

For additional information on authentication, please review the Federal Financial Institutions Examination Council’s guidance on Authentication and Access to Financial Institution Services and Systems.

Report and Recover Funds from Business Email Compromise Fraud

In addition to filing a complaint with the FBI, credit unions that identify BEC or a similar wire-transfer fraud scheme should also contact their wiring originating financial institution as soon as possible to request a recall or reversal and initiate a Hold Harmless Letter or Letter of Indemnity with the receiving financial institution. Credit unions should also follow FinCEN guidance for filing Suspicious Activity Reports on BEC incidents.

Additional information on BEC is available at the FBI’s Internet Crime Complaint Center Business Email Compromise webpage.

Sincerely,

/s/

Todd M. Harper
Chairman

1 DMARC reduces exposure to potentially fraudulent and harmful messages. A DMARC policy allows senders to indicate that their emails are protected by Sender Policy Framework (SPF) and/or Domain Keys Identified Message (DKIM), both of which are industry-recognized email authentication techniques. DMARC also provides instructions on how the receiver should handle emails that fail to pass SPF or DKIM authentication.

Last modified on 10/19/21