Business Email Compromise is an interesting waiting game. At first, it might involve a high degree of patience on the part of the cyber attacker, but then, an incredible amount of urgency. That pattern is central to some of the most effective Business Email Compromise attacks we've seen. We'll explain.
When a cyber criminal gains access to your email -- especially the ability to both read and send your email -- sometimes they play the "long game" in a way that you might not expect. The most sophisticated cyber criminals targetting the most sophisticated businesspeople, sometimes use the strategy of using a long time period of context-gathering to seize on precisely the right moment for their attack. For example, a hacker that succeeds at gaining access to your email in January, might watch for months and months, before concluding that your July switchover from a former IT provider to a new IT provider is the perfect time to strike. The context-gathering period can be days, weeks, or even months, and is a way that hackers gather crucial context that either increases the probability of doing additional damage (and most likely, profiting).
Some of the most devastating Business Email Compromise attacks involve an email sent from the email account of an executive, to a specifically targetted employee. For example, the person responsible for maintaining servers. Or, the person responsible for handling outbound wire transfers to vendors. Or, the person responsible for purchasing new equipment. Whatever the case, the prototypical attack involves an email (fraudulent, of course) being sent from the email account of the executive. The most savvy attackers send the email at a plausible time-of-day, using phrases and tone that match what the executive might normally use in routine email within the company. Lastly, and this is vital, a very large portion of these attacks use urgency to induce some particular action by the recipient.
Paired with the request for some particular action to be taken urgently, is usually some caveat indicating that the executive is unable to be available to further discuss the matter. Likely explanations in this type of email include things like a claim that the executive is about to walk into a meeting and needs the task done before she/he finishes the meeting. Or a claim that the executive is going to be offline for awhile but needs the task completely handled before returning. Or a claim that the executive is about to step onto a flight that does not have internet connectivity.
Whatever the case, this use of urgency paired with a claim of being unavailable for further discussion, is the technique that hackers most love to use on unsuspecting victims of this type of fraudulent email.
One of the absolute best things that an organization can do to set the stage for employees to recognize and avoid falling for these types of fraudulent requests, is to train them on the existence of the "Urgency + Unavailability" combination, so that they know to recognize it and be suspicious of it. The second thing that helps, is to set expectations that any such request requires in-person or telephone-based verification, before an employee takes any action. This combination of suspicion and verification, should lead most employees to avoid falling victim to these types of fraud attempts.
Want a quick and easy way to train your organization on how to recognize this type of cyber crime? At Havoc Shield, we have a broad catalog of online, on-demand training sessions -- most of which take less than 30 minutes to complete. We have an excellent one on Business Email Compromise that is the perfect introduction for a companywide security awareness training initiative. Let us know if we can be of help?