The FBI recently issued an alert about a new tool that cybercriminals are using in business email compromise (BEC) scams. Find out what this new tool is and how cybercriminals are using it.
In February 2022, the US Federal Bureau of Investigation (FBI) issued an alert about a new tool that cybercriminals are increasingly using to carry out business email compromise (BEC) scams. These scams are highly personalized attacks in which cybercriminals pose as an executive, supplier, or another trusted business associate to con companies into giving them money (usually via wire transfers) or sensitive data (e.g., bank account numbers).
Cybercriminals use a variety of tools and techniques to carry out BEC attacks, including phishing emails, email account hijacking, and social engineering. Lately, they have been adding another tool to their BEC scam toolbelt: virtual meeting platforms. According to the FBI, the number of BEC scams using these platforms has been rising over the past two years.
The reason for this increase is evident. “Criminals began using virtual meeting platforms to conduct more BEC-related scams due to the rise in remote work because of the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually,” stated the alert.
How Virtual Meeting Platforms Are Being Used
Cybercriminals are using virtual meeting platforms in several different ways in their BEC scams. For example, some scammers join workplace meetings so that they can collect information about a company's daily operations. The cybercriminals often obtain the information needed to attend these meetings from compromised employee email accounts.
In more sophisticated BEC attacks, the scammers pretend to be a CFO or another high-ranking company official. They send a spoofed email or an email from the CFO’s hijacked account to the finance department’s staff members requesting that they attend a virtual meeting. In the meeting, the scammers insert a still image of the CFO with either no audio or a deepfake audio clip, claiming that their video and audio feeds are not working properly. The scammers then use the virtual meeting platform’s chat function to instruct employees to initiate a wire transfer. Alternatively, the scammers send these instructions in a follow-up email that is spoofed or sent from the CFO’s hijacked account.
Sometimes, the cybercriminals simply use virtual meetings as an excuse. Pretending to be a high-ranking company official such as a CEO, the scammers send a spoofed email or an email from the CEO’s hijacked account to an employee in the finance department. The scammers tell the employee to initiate a wire transfer because they are attending a virtual meeting and therefore are unable to do so on their computer.
What Your Company Can Do to Prevent BEC Attacks
To prevent your company from becoming the next BEC victim, you should consider performing some or all of the following security measures:
- Let your employees know about BEC scams. Be sure to cover how cybercriminals carry out these attacks, including the tools and techniques they use (e.g., phishing, virtual meeting platforms). Being aware of how BEC scams are carried out is one of the best ways to avoid falling victim to them.
- Show employees how to spot spoofed emails. Cybercriminals often use spoofed emails in BEC attacks, so show them how to check the “From” field for deceptive email addresses.
- Do not use free web-based email accounts (e.g., Gmail) for business email accounts. Digital con artists often target businesses that use these accounts.
- Set up two-factor authentication for business email accounts. That way, these accounts will be more difficult to hijack.
- Do not allow the use of legacy email protocols (e.g., POP, IMAP, SMTP). Cybercriminals can use them to sidestep two-factor authentication.
- Block the ability to automatically forward emails to external email addresses. This will prevent cybercriminals from forwarding company emails to their own accounts.
- Set up two-factor authentication for the virtual meeting platforms being used. In addition, take advantage of the platforms’ security options.
- Do not post virtual meeting links or IDs on publicly available websites such as your company’s website or social media sites. Plus, review your company’s website to make sure it does not include other types of information (e.g., email addresses) that scammers could use to carry out BEC attacks.
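As an added example (not from the FBI alert or this article), the following Python script shows what "checking the From field" can look like when automated at the mail gateway: it flags the deceptive sender patterns the list above describes, such as an executive's display name paired with a free webmail address, a look-alike company domain, or an email address hidden in the display name. The company domain, executive directory and sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed example data (assumptions, not from the alert): the company's own
# domain, an executive directory and the free webmail domains the list warns about.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def from_header_warnings(header: str) -> list:
    """Return the reasons a From: header looks deceptive (empty list if none)."""
    display, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = " ".join(display.lower().split())
    warnings = []
    # 1. Display name claims to be an executive, but the address is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        warnings.append(f"display name '{display}' impersonates {EXECUTIVES[name]}")
    # 2. Display name itself contains an address that differs from the real sender.
    if "@" in display and display.lower().strip() != addr:
        warnings.append("display name contains an email address that differs from the sender")
    # 3. Sender uses a free webmail domain while posing as company staff.
    if domain in FREE_WEBMAIL:
        warnings.append(f"free webmail sender {domain}")
    # 4. Look-alike of the company domain (one or two character edits away).
    if domain and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        warnings.append(f"look-alike domain {domain} resembles {COMPANY_DOMAIN}")
    return warnings


# Constructed sample headers in the shape a BEC email would carry.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",                  # genuine
    "Jane Doe <jane.doe.cfo@gmail.com>",                # exec name, free webmail
    "Jane Doe <jane.doe@examp1e.com>",                  # exec name, look-alike domain
    '"jane.doe@example.com" <ceo-office@outlook.com>',  # address hidden in display name
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", from_header_warnings(h) or "ok")
```

A real deployment would also consult the authentication results (SPF, DKIM, DMARC) rather than the From header alone, since a hijacked account passes all of these checks.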
There are other security measures that your company can take to protect against BEC scams based on your email software, virtual meeting platform, and IT infrastructure. We can assess your systems and go over your options.
Laptop Security flickr photo by Infosec Images shared under a Creative Commons (BY) license