Happy Holidays! Here’s your Business Email Compromise (BEC) gift card scam
Deck the hall with sad employees, Fa, la, la, la, la, la, la, la, la!
‘Tis the season to be swindled, Fa, la, la, la, la, la, la, la, la!
I am not too proud to admit that I was a victim of Business Email Compromise by being duped into buying gift cards for my “CEO” for the holidays. As a professional in the security industry, it becomes even more difficult for me to come to terms that I actually fell for one of these social engineering attacks. You get inundated with phishing awareness training and think that you are smarter than the attackers but somehow… you recoil in horror when you realize that you, too, are ‘Dave’, the embodiment of human error:
You see: the dilemma is that I spent my whole career trying to encourage organizations to adopt products that protect them from users like ‘Dave’. Whether it is a multi-factor authentication (MFA) solution or a phishing simulation product, I have done countless customers calls trying to convince them that they cannot rely on their users to do the right thing.
We all think that we are above our natural human instincts: that we are somehow better, smarter, faster than the malicious actors who are trying to take advantage of our very visceral reactions.
Guess what? I am here to tell you: WE ARE NOT.
People will continue to make mistakes: to click on links, to respond to fake CEO emails, to give out sensitive information, to download executables unsuspectingly. In a very lovable way, we are conditioned to trust others and that is where the problem lies:
BEC compromise works because it exploits our basic human instincts to follow authority. This is especially true during the holidays when people are in merrier spirits and are more willing to help out customers, fellow employees, and especially authority figures. While the typical BEC compromise usually targets someone in HR/Finance as they have the sensitive financial information, attackers have gotten more sophisticated and found creative ways to target and groom other personnel in an organization: like me. BEC gift card scams work like a traditional BEC scam:
But instead of a wire transfer or a document containing sensitive financial information, scammers will request the unwitting victim to send over images of the back side (with the pin exposed) of a gift card to the person of authority. The scammers will then cash out the gift card before the unsuspecting victim has any idea what just happened.
Here are some tips from the FBI on how to protect your employees against BEC gift card scams during the holidays:
Look at the email header of the sender. Keep an eye out for email addresses that look similar to, but not the same as the ones used by your work supervisors or peers (abc_company.com vs. abc-company.com).
Be wary of requests to buy multiple gift cards, even if the request seems ordinary.
Watch out for grammatical errors or odd phrasing.
Notice language that tries to pressure you to purchase the cards quickly.
Finally, be wary if the sender asks you to send the gift card number and PIN back to him.
Don’t rely on email alone. Talk to your CEO directly.
Human error will never go away and will always be the weakest link in information security. While the FBI gives good advice to the end user on how to deal with a potential BEC gift card scam, we cannot simply rely on the end users to protect against BEC attacks. There needs to be a more automated solution, based on modern technology, that can circumvent human error.
In general, my philosophy towards information security is to take an approach that reduces the amount of human decision-making. We need to stop relying on the end user (or even the administrator) to do the right thing. With advances in machine learning and other tools that can help protect against risky activities, organizations should always leverage security products that remove burden and decision making. Tools that allow auto-remediation or active enforcement should always be prioritized over products that could introduce more human error.
For example, machine learning and analytics have made it completely easy to detect anomalous behavior. When an intelligent solution is deployed into an organization’s network, it can start tracking the behavior of the users and accounts and see what normal behavior looks like. Based on that risk profile that is created, they can tell what behavior is normal and what isn’t. It would have to take an email security solution with visibility and real-time remediation capabilities to stop this particular BEC compromise from happening as referenced in this blog.
The steps as outlined by Proofpoint are applicable to every security product. Most notably, customers need to take into account three critical steps in protecting against malicious actors:
Getting Visibility: In order to understand what is going on in your organization, you must first start out with visibility of all threats you may face. This requires you to gain insights into all users, accounts, and access activities within your network and continuously monitor which accounts may have the potential to be compromised. Reducing risk is the easiest way to reduce the attack surface and prevent compromised credentials. Find a solution that lets you see all identities across your organizations so that you can have a single source of truth.
Detecting Threats: Getting visibility is not enough if you do not have the context to be able to detect suspicious activities or risky behavior. Gaining deeper context with network traffic, and data sources (such as VPN gateways or SSO) allows for more robust behavioral analytics and risk scoring. With an intelligent view of user and account activity in your network and cloud applications, you can not only spot risky users but also protect against the use of reconnaissance and attacks tools such as MimiKatz, Powershell, PsExec, and Bloodhound. Real-time threat detection helps reduce false positives, identifies specific attack tools, and enhances the investigative and threat hunting process.
Auto-Remediating in Real-Time: Lastly, visibility and detection mean nothing if you can’t block or remediate risk when you see it. While no security solution on the market is able to prevent all attacks from occurring in your environment, having a solution that is able to preempt risky activity in real time with an adaptive response (such as block, alert an administrator, or step up authentication) to verify identity or prevent a threat will take the burden off your SOC team, help stop breaches, and mitigate further damages.
Let’s stop acting like we can change human behavior and just let technology work for us. That’s just some holiday advice from yours truly.
Posted by Monnia Deng on December 24, 2018 9:21 AM