Opinion
How to protect your organization from BEC scams in wake of SVB collapse
You don’t have to be an SVB client to fall victim to a scam riding on the tech bank’s collapse. Attackers were quick to integrate the financial catastrophe into their BEC scams. This is how to protect your organization.
Failure is an opportunity, which isn’t always a good thing. The recent collapse of SVB, and the prospect of additional banks facing a similar fate as a result, are failures that are also BEC (Business Email Compromise) scamming opportunities, and scammers didn’t wait long to try to reap the easy profits. Such scams are prevalent because they are relatively simple to deploy and easily dupe victims, but it is possible to prevent them, or at least limit their damage.
BEC, or business email compromise, is a phishing attack in which an attacker spoofs or compromises an email account, uses it to send a seemingly legitimate request for funds to be deposited in an account the attacker controls, then disappears. For example, an attacker could send an email masquerading as a supplier, asking for money due on a recent shipment or a down payment on the next one. To achieve that, the attacker first gathers intelligence: the identity of the victim’s suppliers, the employees who have access and permissions to make payments, the nature of the correspondence between them, and the typical volume and frequency of the transactions. The attacker then uses social engineering or computer hacking to compromise or spoof an email message from the supplier asking the employee for the money, or fakes an email from the employee to the company’s accountant or bank. Some attackers go as far as creating business entities with names similar to those of the supplier, while others don’t even bother, relying on lax procedures and gullible employees.
So when Silicon Valley Bank was no longer operational, BEC scammers were quick to integrate it into their stories, and reports of actual attempted attacks have popped up on social media. Martin Fisher, a CISO, wrote that “The amount of BEC/phish attempts coming to our Accounts Payable trying to get us to re-route payments to vendors as a result of the SVB implosion is mind-boggling.” Peter Bronez of In-Q-Tel, the venture capital firm affiliated with the U.S. intelligence community, posted: “I got an email from a company saying basically ‘we banked with SVB, so we're using a new bank, here are the new routing numbers.’” Bleeping Computer reported that “[a]n attack already seen in the wild is from BEC threat actors who are impersonating SVB customers and telling customers that they need payments sent to a new bank account after the bank's collapse.”
Even before SVB, BEC attacks were very common. A Secureworks report found that BEC incidents doubled year over year in 2022, dethroning ransomware as the most common financially motivated cyberthreat to organizations. The 2022 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3) counts almost 22,000 BEC complaints (up 9.5% YoY) amounting to over $2.7 billion in adjusted losses (up 14.4% YoY). Since IC3 only counts attacks about which it received complaints, the actual number is higher.
How to prevent BEC attacks
Implement stricter payment procedures. Tell your finance team to double-check every change to bank account details. Add verification steps, such that any and all requests for payment or changes to bank account information require out-of-band communication with a designated person, and a dual signature, in order to be approved.
Inform your bank and relevant payment service providers, including the bank that clears your transactions, that you are changing your payment procedure and will now require authentication via out-of-band communication.
Get the legal department to issue a notification to substantial suppliers/customers about the new procedures for changes to the payment process.
Consider sending an email campaign to your suppliers/customers telling them about the dangers of BEC attacks and how they should avoid them.
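The procedural controls above (out-of-band confirmation with a designated person, dual signature, suspicion of similarly named senders) can be enforced in the system that holds vendor bank details rather than left to each clerk's judgment. The following is an added example, not code from the authors or from Cytactic, showing a minimal gate for vendor bank-detail change requests. The vendor record, addresses, contact of record and the `VENDORS` table are all constructed for the example.

```python
"""Added example (not from the article): a gate for vendor bank-detail change
requests that enforces the controls described above. It flags sender domains
that are not the vendor's domain of record (including lookalikes), requires an
out-of-band confirmation made with the contact of record, and requires two
distinct approvers before anything is changed. All data here is constructed."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Set, Tuple

# Constructed vendor master record; in practice this is the AP/ERP system of record.
VENDORS = {
    "V-1001": {
        "name": "Acme Components",
        "domain": "acme-components.example",
        # The designated person to call. Taken from the vendor record, never from the email.
        "contact_of_record": "+1-555-0100 (J. Doe, Acme AP)",
        "iban": "XX00-CONSTRUCTED-0001",
    },
}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(domain: str, known: str, threshold: float = 0.8) -> bool:
    """True when `domain` differs from the domain of record but is suspiciously
    similar to it (e.g. one substituted character), the 'similar name' trick."""
    if domain == known:
        return False
    return SequenceMatcher(None, domain, known).ratio() >= threshold


@dataclass
class ChangeRequest:
    vendor_id: str
    from_addr: str
    reply_to: str
    new_iban: str
    oob_contact_used: Optional[str] = None  # contact actually called for confirmation
    oob_confirmed_by: Optional[str] = None  # employee who made the out-of-band check
    approvals: Set[str] = field(default_factory=set)  # distinct approvers (dual signature)


def triage(req: ChangeRequest) -> List[str]:
    """Header checks surfaced to the approvers. They are advisory only: a request
    sent from a genuinely compromised vendor mailbox raises no flag at all, which
    is why the procedural controls in apply_change() apply to every request."""
    vendor = VENDORS[req.vendor_id]
    flags = []
    d_from, d_reply = domain_of(req.from_addr), domain_of(req.reply_to)
    if d_from != vendor["domain"]:
        flags.append("sender-domain-mismatch")
    if lookalike(d_from, vendor["domain"]):
        flags.append("lookalike-domain")
    if d_reply != d_from:
        flags.append("reply-to-mismatch")
    return flags


def apply_change(req: ChangeRequest) -> Tuple[bool, str]:
    """Update the vendor record only when every control has been satisfied."""
    vendor = VENDORS[req.vendor_id]
    if req.oob_confirmed_by is None:
        return False, "blocked: no out-of-band confirmation"
    if req.oob_contact_used != vendor["contact_of_record"]:
        # Calling back a number supplied in the request itself proves nothing.
        return False, "blocked: confirmation did not use the contact of record"
    if len(req.approvals) < 2:
        return False, "blocked: dual approval required"
    vendor["iban"] = req.new_iban
    return True, "applied"


if __name__ == "__main__":
    req = ChangeRequest("V-1001", "ap@acme-c0mponents.example",
                        "ap@acme-c0mponents.example", "XX00-CONSTRUCTED-9999")
    print(triage(req))        # ['sender-domain-mismatch', 'lookalike-domain']
    print(apply_change(req))  # (False, 'blocked: no out-of-band confirmation')
```

The important design point is that the header checks never auto-approve: a request with no flags still needs the phone call to the contact of record and two approvers, because the most damaging BEC variants come from a real, compromised supplier mailbox and look clean.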
What to do following a BEC attack
Initiate an IR investigation and make sure the attacker is locked out of your systems. Find out which email account was compromised. If you find none, there’s a good chance that your counterparty’s inbox was compromised. Change the passwords of all affected email accounts and enable multi-factor authentication.
Were you the one paying? If so, try to approach the receiving bank and ask them to freeze the transaction and refund you. Consider involving your insurance company to cover the damages if your policy covers it.
Find the attack surface and vector: when and how the attacker entered your email system, and whether they used a single email account they took over, compromised several accounts or the entire email system, or gained wider system administrator privileges. Check what else the attacker did inside your network: changing configurations, sending other emails, creating new accounts, installing a backdoor, and so on.
Interview the employees involved in authorizing payments to find out whether they noticed any abnormal behavior, suspicious indicators, fraudulent claims or unusual requests, or were themselves targeted by phishing.
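Scoping the compromise (which account, from where, and what else was done from that access) is largely a question of pivoting through mailbox audit events. The following is an added example, not code from the authors or from Cytactic, that does this over a constructed audit log. The event format, the trusted address ranges, the account names and the IP addresses are all constructed; a real mail platform's audit export will need its own parser.

```python
"""Added example (not from the article): scoping a BEC mailbox compromise from
mailbox audit events. Finds accounts that acted from outside the company's own
networks, lists everything done from that access (the attacker's footprint to
review), and lists the external counterparties that were emailed from it."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed: address space of the company's own offices and VPN.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Constructed audit log: (timestamp, user, action, source_ip, detail).
EVENTS = [
    ("2023-03-13T08:02Z", "ap.clerk@corp.example", "login", "10.1.4.22", "ok"),
    ("2023-03-13T09:15Z", "ap.clerk@corp.example", "login", "198.51.100.77", "ok"),
    ("2023-03-13T09:16Z", "ap.clerk@corp.example", "config_change", "198.51.100.77",
     "inbox rule created"),
    ("2023-03-13T09:20Z", "ap.clerk@corp.example", "send", "198.51.100.77",
     "to=billing@acme-components.example subj='Updated bank details after SVB'"),
    ("2023-03-13T09:31Z", "cfo@corp.example", "login", "10.1.7.9", "ok"),
    ("2023-03-13T09:40Z", "ap.clerk@corp.example", "send", "198.51.100.77",
     "to=cfo@corp.example subj='Urgent wire'"),
]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETS)


def scope_compromise(events) -> Dict[str, dict]:
    """Return, per account that acted from an untrusted address, the untrusted
    addresses seen and every action taken from them. These accounts are the ones
    whose passwords must be changed and whose activity must be reviewed."""
    found: Dict[str, dict] = {}
    for ts, user, action, ip, detail in events:
        if is_trusted(ip):
            continue
        entry = found.setdefault(user, {"untrusted_ips": [], "actions": []})
        if ip not in entry["untrusted_ips"]:
            entry["untrusted_ips"].append(ip)
        entry["actions"].append((ts, action, detail))
    return found


def counterparties_to_warn(events) -> List[str]:
    """External recipients emailed from untrusted addresses: each may now hold a
    fraudulent payment-change request that came from your own genuine address."""
    recipients = set()
    for _ts, user, action, ip, detail in events:
        if action != "send" or is_trusted(ip):
            continue
        rcpt = detail.split("to=", 1)[1].split()[0]
        if domain_of(rcpt) != domain_of(user):
            recipients.add(rcpt)
    return sorted(recipients)


if __name__ == "__main__":
    for user, entry in scope_compromise(EVENTS).items():
        print(user, entry["untrusted_ips"])
        for ts, action, detail in entry["actions"]:
            print("  ", ts, action, detail)
    print("notify:", counterparties_to_warn(EVENTS))
```

The "no compromised account found" case from the first step above is exactly when `scope_compromise()` comes back empty for every internal account: the fraudulent mail then most likely originated from the counterparty's side, and the investigation moves to them.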
Dr. Nimrod Kozlovski is Partner & Co-Founder, and Ido Kenan is VP Content, Cytactic