Q. We are seeing an increase in notifications from our Suppliers that their systems, data, or email accounts have been compromised or breached. We have implemented a quarantine protocol that involves blocking payments, blocking incoming invoices, and reverting to verbal communication only until the Supplier can provide some sort of proof that the threat has been managed. This protocol continues to evolve as more of these types of threats are encountered. What are others doing to protect themselves from this type of exposure while managing the Supplier relationship?
(Answer provided by third-party specialist Chris Boesch [[email protected]] from TrustedSec.)
TrustedSec’s recommendation to our clients that have or have had a business email compromise (BEC) is similar to what you have mentioned: enable multifactor authentication (MFA) on all accounts, and establish an agreed-upon playbook for changing invoice payments. Implementing MFA on all users’ email accounts will drastically reduce the number of successful compromises. Users should be informed that they will never be asked to provide the MFA key over the phone. The playbook would include a list of known people responsible for making such changes from both companies, an outline of the procedure to follow to make these changes, and a verification step. To reduce the risk of the attacker social engineering this procedure, the agreed-upon playbook should be stored somewhere outside of email.
The purpose of having a list of known contacts is to use it as a form of out-of-band verification. Caller ID can verify the source of a phone call; although it can be easily spoofed, it is a convenient and readily available verification method. If for any reason the requester attempts to change the agreed-upon contact number, verify the change with one of the other contacts. The contact list should be reviewed or updated on a yearly basis, and parties should be notified when staffing changes have occurred.
An example of the list of known people:
- Company ACME (Supplier)
  - Sandy Doe – (404) 867-5309 ext 101 – Primary Contact
  - Steve Doe – (404) 867-5309 ext 102 – Secondary Contact
  - Scott Doe – (404) 867-5309 ext 103 – Backup Contact
- Company XYZ
  - John Smith – (678) 776-2323 ext 1103 – Primary Contact
  - Jose Smith – (678) 776-2323 ext 1119 – Secondary Contact
  - Jerry Smith – (678) 776-2323 ext 1203 – Backup Contact
The primary focus of the playbook is to establish an out-of-band form of communication through which both parties can independently verify the request. Email communication cannot be 100% trusted because the attackers have full access to the compromised email account and its history. The attackers have been known to include parts of previous conversations in the body of the email to trick the recipient into trusting it. The attackers will also craft the email to look like others that have been used in the past. Included below is an example of a procedure utilizing multiple verification steps.
Example Procedure (Company ACME initiates a change in bank routing):
- ACME Primary contact sends an email to all parties stating that a payment change is requested.
  - The email should not include the payment change information, just a notice that a change is requested.
  - If any contact from ACME or XYZ believes the email to be fraudulent, each person should be contacted by phone immediately and local security should be informed of a possible email compromise.
  - If an email is received without the other contacts included, report possible fraudulent activity to a contact other than the one who sent the original request.
- ACME Primary contact calls XYZ Primary to verify the validity of the request.
  - The verification process works best if the two parties have spoken before and can easily recognize each other by the sound of their voice.
  - ACME provides, verbally, the last 4 digits of the existing bank account and the last 4 digits of the new bank account.
    - This step is used as verification. The requester knows the previous account and provides the recipient with a way to confirm the new routing information.
- ACME Primary emails XYZ with the routing information.
  - Include at least the primary and secondary contacts from each company.
  - The email should only include the new routing information.
  - Emails could be generated using a template.
    - The template can then be used as another form of verification.
    - If the email varies from the template, report possible compromise.
- XYZ Primary contact calls ACME Primary to verbally verify the change.
- XYZ Primary emails ACME confirmation.
  - All contacts should be included.
  - It should also be a template response.
Even the most thorough and best-implemented protections can be bypassed by a skilled and determined attacker. Whoever is implementing these recommendations can reduce the risk of compromise by increasing the complexity of the fraud prevention procedures beyond the reach of the attackers. Most BEC attackers are after an “easy score”. They will compromise a system, set up forwarding rules, review previous emails, send malicious requests, monitor responses, and collect payment. Then they get out of the picture as soon as possible!
More resources for O365:
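The email-side checks in the procedure above (sender on the agreed contact list, primary and secondary contacts of both companies copied, body identical to the agreed template, no bank details in the initial notice), as an added example that is not part of the original answer or of TrustedSec's material. The contact addresses, the template wording, the `check_playbook_email` function and the five sample messages are constructed for this example; the ACME/XYZ names mirror the contact list above. It runs offline with the Python standard library.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Known contacts, agreed out of band and kept outside email. Constructed for this
# example; the names mirror the ACME/XYZ contact list in the answer above.
CONTACTS = {
    "sandy.doe@acme.example": ("ACME", "primary"),
    "steve.doe@acme.example": ("ACME", "secondary"),
    "scott.doe@acme.example": ("ACME", "backup"),
    "john.smith@xyz.example": ("XYZ", "primary"),
    "jose.smith@xyz.example": ("XYZ", "secondary"),
    "jerry.smith@xyz.example": ("XYZ", "backup"),
}
# Every playbook email must reach the primary and secondary contacts of both companies.
REQUIRED_RECIPIENTS = {a for a, (_, role) in CONTACTS.items() if role in ("primary", "secondary")}

# Agreed templates (constructed). The notice carries no payment details at all; the
# routing email carries only the new routing information and nothing else.
NOTICE_TEMPLATE = (
    "ACME is requesting a change to the payment information used for our invoices.\n"
    "No payment details are included in this message. Per the playbook, the primary\n"
    "contacts will confirm the request by phone before any details are sent.\n"
)
ROUTING_TEMPLATE = re.compile(
    r"\AACME new payment routing information:\nRouting number: \d{9}\nAccount number: \d{6,17}\n\Z"
)
# Anything resembling an account or routing number has no place in the initial notice.
BANK_DETAIL_PATTERN = re.compile(r"\b\d{9,17}\b|\b(routing|account|iban|swift)\b", re.IGNORECASE)


def check_playbook_email(raw_message: str, kind: str) -> list[str]:
    """Return the playbook deviations found in one email of kind 'notice' or 'routing'.

    An empty list means the message matches the playbook. Any finding is reported by
    phone to a contact other than the sender, as the procedure above requires.
    """
    msg = message_from_string(raw_message)
    findings = []

    # 1. The sender must be on the contact list. This is the weakest check: in a real
    #    BEC the attacker sends from the genuine, compromised mailbox, so it only
    #    catches lookalike domains and stray addresses.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in CONTACTS:
        findings.append(f"sender {sender!r} is not on the agreed contact list")

    # 2. All required contacts must be copied. Narrowing the audience to a single
    #    victim is the classic deviation, because extra eyes would notice the fraud.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    missing = sorted(REQUIRED_RECIPIENTS - recipients - {sender})
    if missing:
        findings.append("required contacts not copied: " + ", ".join(missing))

    # 3. The body must match the agreed template exactly; extra wording, urgency or
    #    quoted history is a deviation, however plausible it reads.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    if kind == "notice":
        if body != NOTICE_TEMPLATE:
            findings.append("notice body does not match the agreed template")
        if BANK_DETAIL_PATTERN.search(body):
            findings.append("notice contains bank details; the notice must carry none")
    elif kind == "routing":
        if not ROUTING_TEMPLATE.match(body):
            findings.append("routing email does not match the agreed template")
    else:
        raise ValueError(f"unknown message kind {kind!r}")
    return findings


def _raw(sender: str, to: str, cc: str, body: str) -> str:
    """Assemble a minimal RFC 822 message from constructed sample values."""
    cc_header = f"Cc: {cc}\n" if cc else ""
    return f"From: {sender}\nTo: {to}\n{cc_header}Subject: Payment change\n\n{body}"


ALL_CC = "Steve Doe <steve.doe@acme.example>, Jose Smith <jose.smith@xyz.example>"
# Step 1 done correctly: a bare notice with every required contact copied.
LEGIT_NOTICE = _raw("Sandy Doe <sandy.doe@acme.example>", "john.smith@xyz.example", ALL_CC, NOTICE_TEMPLATE)
# Sent from Sandy's real (compromised) mailbox, to John alone, with details and urgency.
FRAUD_NOTICE = _raw(
    "Sandy Doe <sandy.doe@acme.example>", "john.smith@xyz.example", "",
    "Sandy here - following up on our call, please update our records:\n"
    "Routing number: 123456789\nAccount number: 000123456\nPlease process before Friday.\n",
)
# Correct template and recipients, but sent from a lookalike domain.
LOOKALIKE_NOTICE = _raw("Sandy Doe <sandy.doe@acme-example.com>", "john.smith@xyz.example", ALL_CC, NOTICE_TEMPLATE)
# Step 3 done correctly: only the new routing information, in the agreed form.
LEGIT_ROUTING = _raw(
    "sandy.doe@acme.example", "john.smith@xyz.example", ALL_CC,
    "ACME new payment routing information:\nRouting number: 123456789\nAccount number: 000123456\n",
)
# Same details plus a line the template does not allow (discouraging the call-back).
FRAUD_ROUTING = _raw(
    "sandy.doe@acme.example", "john.smith@xyz.example", ALL_CC,
    "ACME new payment routing information:\nRouting number: 123456789\nAccount number: 000123456\n"
    "Please do not call to confirm, I am travelling and hard to reach.\n",
)

if __name__ == "__main__":
    samples = [("legit notice", LEGIT_NOTICE, "notice"), ("fraud notice", FRAUD_NOTICE, "notice"),
               ("lookalike notice", LOOKALIKE_NOTICE, "notice"),
               ("legit routing", LEGIT_ROUTING, "routing"), ("fraud routing", FRAUD_ROUTING, "routing")]
    for name, raw, kind in samples:
        print(f"{name}: {check_playbook_email(raw, kind) or 'matches playbook'}")
```

The fraudulent notice passes the sender check, because the attacker is using Sandy's own mailbox; it is caught by the recipient and template checks, which is why the playbook insists on copying all contacts and on template-only wording. None of this replaces the phone call: the checks only tell a recipient when to pick up the phone and whom not to call.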
(Additional answer provided by the IOFM Advisory Panel)
I have only seen the letters and emails trying to change the banking info. If I receive one of those, I immediately call the Supplier (using the phone number we have on file or from their website) and get verification that they indeed changed their banking relationship.