Incident Response: How to Respond to an Email Breach

Business Email Compromise earned hackers $1.3 billion in a year. (Source: Internet Crime Complaint Center)

The most profitable cybercrime out there is called business email compromise (BEC). This is when hackers take over a corporate email account and use it to try to divert funds into an account they control, or to take your data. Corporate data can be worth a lot of money; once they steal it, hackers may choose to sell it on the dark web.

This type of scam accumulates earnings of $1.3 billion a year, and that figure is probably just a tiny fraction of the actual losses.

Business email compromise is very easy to execute. All a hacker needs to do is break into a corporate email account (or spoof one). Child’s play.

Should a CEO fraud or Business Email Compromise (BEC) incident take place, there are immediate steps to take.

1. Contact your financial institution immediately.

Immediately contact your bank or financial institution and inform them of the fraudulent wire transfer. Provide details such as the amount, the account destination, and any other relevant information. Request to have the transfer canceled.

Get in touch with the cybersecurity department of the bank, brief them on the incident, and request their intervention. They can contact their counterparts in the foreign bank to have them prevent the funds from being withdrawn or transferred elsewhere.

2. Notify your attorneys.

Inform them of the facts. In some cases, especially in the event of a significant loss, communications may have to be made to shareholders and stakeholders, and regulations may require reporting of the incident within a certain timeframe.

Your attorneys can provide guidance on the next steps, help prepare a notification statement if needed, and assist in navigating regulatory and insurance processes.

3. Contact law enforcement.

Start with your local FBI office. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network, may be able to return or freeze the funds.

When contacting law enforcement, identify your incident as Business Email Compromise and provide a brief description of the incident. Be prepared to provide complete financial information as well.

4. File a complaint with the FBI’s Internet Crime Complaint Center (IC3).

Visit the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/ to file your complaint. In addition to the financial information and the bullet points in the previous section, victims should also provide the following information:

  • Victim's name, address, telephone, and email.

    • This will be your information if you are the victim, or another person if you are filing on behalf of a third party.

  • Date and time of the incident(s).

  • Financial transaction information (account information, transaction date and amount, who received the money).

  • Subject's name, address, telephone, email, website, and IP address.

    • The subject is the person/entity allegedly committing the Internet crime.

  • Specific details on how you were victimized.

  • Email header(s).

  • Any other relevant information you believe is necessary to support your complaint.

5. Brief senior management.

Call an emergency meeting to brief senior management of the incident, steps taken thus far, and further actions to be taken.

6. Conduct IT forensics for a full investigation of the attack.

Have IT investigate the breach to find the attack vector, recover control of hacked email accounts, and find any malware remaining anywhere within the network.

Take immediate action to recover control of any compromised accounts, such as changing the password and checking any account recovery email addresses for changes made by the attackers.

7. Contact your insurance company.

Unfortunately, in most cases, funds cannot be recovered. This is especially true if the victim does not move quickly.

Contact your insurance company and find out if your cyber insurance policy will provide coverage for the attack and if they have the resources to help resolve it.

8. Consult with outside security specialists.

Bring in outside help to detect any area of intrusion that IT may have missed. The bad guys are inside. The organization isn’t safe until the attack vector is isolated and all traces of the attack have been eradicated. You must eliminate any and all malware that may be buried in existing systems.

9. Isolate security policy violations.

Investigate policy violations as well as the possibility of collusion with criminals. For such an incident to happen, there is likely to be evidence of violations of existing policy. If necessary, take the appropriate disciplinary action.

10. Draw up a plan to alleviate security weaknesses.

Once the immediate consequences of the attack have been addressed and full data has been gathered about the attack, draw up a plan that encompasses adding technology and staff training to prevent the same kind of incident from repeating.

Employee security awareness training is a must!

What is Business Email Compromise (BEC)?

The FBI defines Business Email Compromise as a sophisticated scam targeting both businesses and individuals performing wire transfer payments. The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

The scam may not always be associated with a request for a transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.

Business Email Compromise (BEC) Techniques

1. Account Takeover

  • Threat actors obtain credentials via multiple techniques.

    • Third-party breaches

    • Password stealing malware

    • Password targeting phishing

  • Stolen credentials provide access to a company’s publicly exposed email.

  • Once inside the email account, the threat actor can search for sensitive information, perform fraudulent wire transfers, and launch further phishing campaigns.

2. Cloned Domain: look-alike or mimicked domain

  • Threat actors often purchase available domains that look similar to the targeted organization’s (for example, example.com vs. examp1e.com, or the .net version of a .com domain).

  • Threat actors also commonly incorporate elements such as legitimate looking signature blocks.

  • Threat actors entice the victim to respond and reveal sensitive information, perform fraudulent wire transfers, etc.

3. Spoofed Email

  • Threat actors can forge an email header (specifically the sender name).

  • Posing as the source, they try to convince the victim to open attachments or click links.
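
As an added defender-side example (not code from the original post or from Teknologize), the Python check below parses a message's From: header and flags the two patterns described above: a look-alike domain (homoglyph swaps such as examp1e.com, a one-character typo, or the same name under another TLD) and a forged sender name that matches an executive while the address is external. The trusted domain, executive name and sample messages are constructed.

```python
"""Flag inbound mail whose From: header shows BEC look-alike-domain or display-name
spoofing. Added example, not Teknologize's code; the trusted domain, executive name
and sample headers are constructed. HOMOGLYPHS covers swaps such as examp1e.com."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}   # constructed: the organization's own domains
EXECUTIVES = {"jane doe"}           # constructed: names attackers impersonate
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]

def normalize(label: str) -> str:
    """Undo common character swaps so examp1e / exarnple compare equal to example."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance; 1 means a single typo away from the real name.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None if clean."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.rpartition(".")
        if name == t_name and tld != t_tld:       # example.net posing as example.com
            return trusted
        if normalize(name) == t_name or edit_distance(name, t_name) <= 1:
            return trusted                        # examp1e.com, exampl.com
    return None

def check_from_header(raw_message: str) -> list:
    """Findings for the From: header of one raw RFC 5322 message (empty = no concern)."""
    display, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = ".".join(addr.rpartition("@")[2].lower().split(".")[-2:])  # registered domain
    findings = []
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"look-alike domain {domain} imitates {imitated}")
    if display.strip().lower() in EXECUTIVES and domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' matches an executive but {domain} is external")
    return findings
```

A hit on either finding is a reason to verify a payment request out of band (by phone, using a number already on file) before acting on it.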

All it takes is one susceptible or distracted user to let the bad guys inside. Security awareness training plays an essential role in creating a human firewall around your organization.

Only when users are fully aware of the many aspects of phishing will they be capable of withstanding even the most sophisticated attempts at CEO fraud.

Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:

  • Tri-Cities, Washington 509.396.6640
  • Yakima, Washington 509.396.6640
  • Bend, Oregon 541.848.6072

Questions about your IT or Cybersecurity? Give us a call today!
