Business email compromise: What can be learned from the Norfund attack

Sponsored Falling for an impostor’s email is easier than you might think. The recent attack which saw Norway’s state-owned investment fund, Norfund, lose an eye-watering USD 10 million (approx. 100 million NOK) was down to a simple but devastatingly effective tactic used by cybercriminals: a spoofed email address.

From that, scammers fabricated payment information and directed cash into their own account. In a statement, Norfund said the incident is still under investigation, though it acknowledged “that our existing systems and routines were not secure enough.”

These attacks, known as business email compromise (BEC) work because they prey on human nature, the innate psychological traits shared by everyone. Using social engineering attacks, cybercriminals trick employees so they can steal credentials, siphon sensitive data, reroute pay checks and fraudulently transfer funds.

Last year, 86% of organisations reported BEC attacks, and the latest FBI reports show that companies reported losses of $1.7 billion in the U.S. alone last year. Cyber risk is increasingly top of mind with executive boards and it’s not hard to see why: cybercriminals are now targeting people and making millions in the process.

A close cousin to BEC is Email Account Compromise (EAC) attacks, where the goal of the attacker isn’t just to impersonate you—it’s to become you. The attacker will take over a user’s email account using various tactics like password spray, phishing, and malware. Once they gain access to the account, the possibilities are endless. They have access to see how the victim interacts, what vocabulary they use, who they email regularly and can therefore craft very convincing and timely messages to trick the target.

You cannot just protect against BEC and be protected from EAC. BEC and EAC are so complex and difficult to prevent because attackers are smart and adapt to the environment, leveraging multiple tactics to get inside an organisation. They're coming through the web or your supply chain by using your business partners or even your customer's legitimate domain.

The trouble is, telling the difference between authentic emails and an impostor’s scam is not always easy and employees across all job levels and functions can put your business at risk. Whilst BEC and EAC attacks may amount to a simple case of professional identity deception, the underlying issue is the lack of cyber security awareness amongst the global workforce.

As detailed in Proofpoint’s State of the Phish Report 2020, a significant number of workers worldwide have little to no understanding of cybersecurity basics: only 61% understood the term phishing, nearly one in four people who receive a phishing email open it, and more than 10% click on the malicious link or open the weaponised attachment. What Can Be Learned from the Norfund Attack BEC and EAC attacks are equal-opportunity scams.

They target organisations of every size and people at every rung of the corporate ladder and are difficult to detect and prevent, especially with legacy tools, point products and native cloud platform defences. They don’t use malware or malicious URLs that can be analysed with standard cyber defences.

Fortunately, it’s never too late—or too early—to start developing a strong defence strategy. Because these attacks focus on human frailty rather than technical vulnerabilities, they require a people-centric defence that can prevent, detect and respond to a wide range of BEC and EAC techniques. Here are some recommendations for security teams to consider:

• Address BEC/EAC holistically: BEC and EAC are intertwined with each other. If you’re only protecting against BEC and are not addressing EAC, your organisation is exposed.
• Implement DMARC: The Domain-based Message Authentication Reporting and Conformance standard is the first and only email authentication technology that can make the From address that users see in their email clients trustworthy.

  Implementing DMARC is an effective way to protect against domain spoofing and to prevent fraudulent use of your trusted domain. DMARC also provides domain visibility that will prevent any fraudulent or brand-damaging emails from being sent using your domain.

• Block all access to suspicious websites: Attackers often use phishing techniques to compromise email account. Make sure you block all access to suspicious sites that may be stealing end-users’ credentials.
• Implement adaptive controls for those at risk: First, you need to know who is at risk to your organisation. Once you have the visibility into your human attack surface, you can then implement adaptive controls for those who are vulnerable to BEC/EAC attacks.
• Train your end-users: These attacks target people. You must educate your end-users to identity deception tactics and phishing attempts. It’s also crucial to train them on creating strong passwords to reduce risks of EAC.

Whether it is impostors posing as trusted colleagues, or increasingly convincing phishing emails and malicious links, it is end-users who are on the frontline in the battle against cybercriminals.

That’s why a people-centric strategy is a must for organisations. This starts with identifying your most vulnerable users and ensuring they are equipped with the knowledge and the tools to defend your organisation. Along with technical solutions and controls, a comprehensive security awareness training program must sit at the heart of your cyber defense.

Cybercriminals are focused – forever honing their skills and techniques. If you’re not doing the same, there can only be one winner, as Norfund unfortunately found out.

Sponsored by Proofpoint.