Iron Bastion: Preventing business email compromise fraud at your firm

A practical guide for minimising cyber threats
ISACA
24 October 2018

Nicholas Kavadias @nkav
•Information Security Expert at Iron Bastion
•15+ years of experience in IT
•Practising solicitor (Disclaimer: this presentation does not constitute legal
advice!)
Who am I?

1. What is BEC fraud?
2. How does it affect my business?
3. How do I know if I am a victim of BEC fraud?
4. How can I protect my organisation from BEC
fraud?
5. Where to go next?
What we are covering today …

What is BEC fraud?
Social Engineering / Spear Phishing:
“I am the CFO, pay this invoice urgently”
• Display name spoofing – real name, but not email
• Email address spoofing – real name, email. Different Reply-To address
• Email account compromise – real email account is broken into (data breach
credentials or spear phishing)
Impersonation:
“Our payment details have changed, use this bank account instead”
• One of your staff’s mailbox is compromised
• One of your vendor’s mailbox is compromised
Display name
Email address

Example 1
• Authority
• Sense of urgency
• Personal greeting
• Sent from a phone to
excuse lack of email
signature
Andy Penn <apen555@gmail.com>
Real name gleaned from public source

Example 2
• Pixel perfect copy, cloned from a
legitimate email
• Urgency: Due today!
• All the links go to actual AGL site
except the “Download bill” and
“Make a payment”

•Global Problem
•At risk industries
•Not “kids in basements”
•A criminal’s cost-benefit
analysis
What is BEC fraud (cont’d)

BEC Fraud is a Global Problem
https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718

How BEC affects Australia?
* https://exchange.telstra.com.au/business-email-compromise-scams/
** https://www.mailguard.com.au/blog/ceo-fraud-up-2370pc
•The Australian Federal Government says
businesses here have lost more than $20
million in 2017*
•Damages are often more than $100,000 per
incident
•Increase of 2,370% since 2015**

At risk industries
According to OAIC Report Apr-Jun 2018:
1.Health Service Providers
2.Finance
3.Legal, Accounting & Management services
4.Education
5.Business and Professional Associations
* https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-
statistics-report-1-april-30-june-2018

Preconceptions about BEC Fraud
and cybercrime…

Cost-Benefit Analysis: Classic Crime v Cyber Crime
Armed Robbery
• Aggravating circumstances i.e. weapon,
assault means gaol++
• Profit: $10,000-$50,000?
• Max 20 years in prison– s95 Crimes Act
1900 (NSW)
• Security cameras everywhere, and
everyone has a camera phone
• Hard to make a fast getaway in Sydney
traffic!
Cyber Crime
• Fraud – White collar crime
• Profit: $100,000+
• Max 10 years in prison – s192E Crimes
Act 1900 (NSW)
• Minimum security prison?
• Cross-jurisdictional law enforcement
issue
• Small fraud ($1-10k) so common, not
investigated!

Global Cybercrime:
•$1.5 trillion in 2017
•Annual GDP equivalent
to Russia
https://www.information-age.com/global-cybercrime-economy-
generates-over-1-5tn-according-to-new-study-123471631
This is a serious business…

* 100,000 euro hackers: https://www.youtube.com/watch?v=4JqfChAKSfE
…and the sad reality is: organised crime

•Large financial motivation
•Play the long game
•Multi-actors with specialised
skills
…and the sad reality is: organised crime

How are email accounts compromised?
•Lousy passwords
(Letmein1)
•Stolen passwords
(phishing)
•Leaked passwords &
password reuse)

Password Leaks Everywhere!
• Websites get hacked
• People reuse the
same email and
password across
multiple online
accounts. D’oh!

Secret: “hackers” log into your webmail

How does it
affect my
business?

How does BEC affect my business?
•Financial loss – direct & indirect loss. Could be
enough to put you out of business? Litigation,
insurance premiums, system remediation,
investigation
•Notifiable Data Breach – if email account
compromise - incident reportable to OAIC, fines?
•Reputational damage – Negative media
coverage & Twitter rage

• You won’t know until its too late:
supplier: “Why you haven’t you paid my bill?”
you:“But I have paid it, haven’t I?...
• Email forwarding rules you have never set:O365 has 5
different locations to set rules
• Colleagues receive emails/documents you never sent
• Your talk to your customer/supplier and you have no idea
what he/she is talking about
How do I know if I am a victim of BEC fraud?

Hacked email account signs:
• Password reset emails for accounts you have not requested a
reset
• 2FA SMS codes when you have not tried to log in
• A password you use no longer works, and you know you
didn’t change it
• Strange emails/phone calls from clients asking you about a
request you never made
• Unknown logged-in devices
How do I know if I am a victim of BEC Fraud?

How can I protect my
organisation from BEC
fraud?

“You don't have to run faster than the bear to
get away. You just have to run faster than the guy
next to you.”

How can I protect my organisation from
BEC fraud? –> Quick win –> 2FA
If you only do one thing to improve your
cybersecurity posture, it should be to turn
on 2FA for your email
Advice evolves with threats & as criminals
become more sophisticated.
e.g. 2FA via SMS can be attacked with SIM
swapping

Why we have just a few passwords?
Problems:
• Too many passwords to remember
• Has my password leaked in a data
breach?
Password managers solve both

Password Wallets
Remember a single password only:
o LastPass
o 1Password
o Dashlane
o RoboForm

Stop using email
•Email: the default ad-hoc workflow!
•Formalise business processes
•Move collaboration to:
•Secure business platforms (e.g. web portals)
•Third-party platforms: Slack, Microsoft Teams,
Skype, WhatsApp (Brazil), WeChat (China)
How can I protect my organisation from BEC
fraud? (cont’d)

BEC Fraud is a people,
process, and
technology problem

BEC Fraud – People
Phishing simulation:
• Phishing is a precursor of BEC fraud
• Identify vulnerable segments of your staff by phishing them
• Target the vulnerable people with training
• Train and test your employees to follow payment
procedures

Business:
• Change your contracts
• Set up processes for payments and payment detail
changes/verification
• Minimise use of email for payments/invoices
Security:
• Cyber Security team to scan for indicators of BEC fraud (e.g.
suspicious email redirection rules)
BEC Fraud – Process

BEC Fraud – Low tech/no tech
solutions
• Put payment instructions in your
supplier/customer agreements
• Specify payment instructions will
never change by email
• Phone it in payment confirmations
disclaimer on all your emails?

• Advanced Email Security ( AKA: ATP, anti-phishing)
• Two-factor authentication (2FA)
• Password Wallets
• DNS firewalls
• Endpoint security (phishing protection)
• Web proxies, Brower Extensions protect from phishing, fake
login pages
• General Advice: ASD Essential 8
BEC Fraud – Technology

Summary
BEC is a lucrative business:
•Organised crime
•Relies on social engineering
and phishing
•Technology and human
problem
Defence:
•Formalise business
processes
•Change people, process
and technology
•2FA (i.e. out run others!)

Where to go next?
If you are hit by BEC fraud:
•Activate your incident response plan
•Assemble a breach response working group to
coordinate response
•Report incident to ACORN, IDCARE and OAIC as
required
•Get professional help if needed

Questions?
Nicholas Kavadias @nkav
nick@ironbastion.com.au
1300 883 420
Slides:
https://ironbastion.com.au/ISACA

Iron Bastion: Preventing business email compromise fraud at your firm

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Iron Bastion: Preventing business email compromise fraud at your firm

Similar a Iron Bastion: Preventing business email compromise fraud at your firm (20)

Más de Gabor Szathmari

Más de Gabor Szathmari (12)

Último

Último (20)

Iron Bastion: Preventing business email compromise fraud at your firm