Business Email Compromise Case
Type of Attack: Business Email Compromise (BEC)
Company Size: 120 employees
The President of the company began to notice some irregularities with his emails. Specifically, clients and customers would mention they had emailed him, but he hadn’t received the emails. These messages often dealt with company finances, making it a serious matter. The CEO reached out to his Managed Service Provider (MSP) to investigate. The MSP found some suspicious email forwarding rules and removed them.
However, about a month later, the CFO received a phone call from a customer saying she had tried to wire money to the company, but the transfer didn’t go through. The CFO wasn’t expecting payment until the following week. The customer had received an email from the President asking for the money to be wired that day, but it supplied different wiring instructions. The customer tried to wire the funds, but the transfer failed, which prompted the CFO from the sending company to contact the construction company. It turned out there were other email forwarding rules still in play, well disguised to look like standard directories. Such rules are easy to miss, and the MSP had missed them a month prior. The attacker would have gotten hold of $100,000 had the wiring instructions not contained an error.
What We Did
We identified all of the forwarding rules the attackers had set up and tried to disguise, and removed them from the system. We also contacted the company that had attempted to send payment to let them know what had happened. We obtained the original email from that company and determined that it was spoofed, sent through the mail server of yet another breached company. We took extensive measures to harden the company’s email service, such as multi-factor authentication for all email users.
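The kind of sweep described above, as an added example rather than the firm's own tooling: it assumes Microsoft 365 / Exchange Online (the page does not name the email platform), an existing Connect-ExchangeOnline session, and a placeholder list of the company's own domains. It flags mailbox-level forwarding, rules that forward or redirect mail outside the company, and rules that bury or delete incoming mail, which is how replies to the President went missing.

```powershell
# Added example: hunt for forwarding, redirect and hide-the-evidence inbox rules
# across every mailbox. Assumes Exchange Online and a Connect-ExchangeOnline session.
$internalDomains = @('example.com')   # assumed placeholder: the company's own domains
$findings = @()

function Get-SmtpAddress([string]$recipient) {
    # Get-InboxRule renders recipients as "Display Name [SMTP:user@domain]"
    if ($recipient -match 'SMTP:([^\]]+)') { return $Matches[1].ToLower() }
    return $recipient.ToLower()
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set via admin center, PowerShell or Outlook options)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Rule = '(mailbox-level forwarding)'
            Targets = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            HidesMail = $false; Enabled = $true
        }
    }
    # Inbox rules; -IncludeHidden also lists rules not shown in the Outlook UI
    foreach ($r in Get-InboxRule -Mailbox $mbx.Identity -IncludeHidden -ErrorAction SilentlyContinue) {
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { Get-SmtpAddress "$_" }
        $external = $targets | Where-Object { ($_ -split '@')[-1] -notin $internalDomains }
        # Rules that delete mail or file it under standard-looking folders keep the
        # victim from ever seeing the customer's real messages
        $hides = [bool]$r.DeleteMessage -or
                 [bool]($r.MoveToFolder -and "$($r.MoveToFolder)" -match 'RSS|Archive|Conversation History|Junk')
        if ($external -or $hides) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Rule = $r.Name
                Targets = ($targets -join ', '); HidesMail = $hides; Enabled = $r.Enabled
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
# After review, remove a confirmed malicious rule and clear mailbox forwarding with:
#   Remove-InboxRule -Mailbox <mailbox> -Identity <rule name>
#   Set-Mailbox <mailbox> -ForwardingSmtpAddress $null -ForwardingAddress $null
```

Re-run the sweep after cleanup and again a few weeks later, since in this case rules survived the first pass and a second wave appeared a month on.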
A main concern the company had was determining whether or not the attackers had gained access to anything other than email. We conducted a thorough investigation of their onsite computers, networks, and servers. Fortunately, we were able to validate that this was an isolated incident, providing the peace of mind the company sought.
Remediation for an attack requires cybersecurity expert help in order to be certain that 1) all threats have been removed, and 2) the attacker has not infiltrated other areas of the organization.