FBI Warning: What you don’t know about cloud-based email fraud can hurt you

A new variation of the “Business Email Compromise” (BEC) scam, cloud-based email account takeover, is becoming a threat to companies of all sizes. Since many companies have made the switch to cloud-based email, and with many more planning to do so in the near future, fraudsters have begun targeting these services via methods such as phishing emails, credential stuffing, stolen passwords, and brute-force attacks.

The cybersecurity landscape is continually evolving, and fraudsters are constantly devising new tricks to defraud businesses. Last year, I wrote an article detailing BEC fraud which exposes companies to great financial risk. If you haven’t already, you can familiarize yourself with the article here. Additionally, we recommend you read the updated FBI- Public Service Announcement on BEC released on September 10, 2019 by the Internet Crime Complaint Center (IC3), a division of the Federal Bureau of Investigation (FBI).

Fraudsters may steal your company’s confidential information or compromise the integrity of your customers’ information. Additionally, fraudsters may:

• Read your incoming and outgoing emails.
• Learn when you and your employees are out of the office.
• Learn how your company communicates via email for the purposes of imitation.
• Request fraudulent electronic payments (e.g. wires, ACH’s) to their own account.
• Instruct your customers to send payments to their own account instead of yours.
• Install malware on your computers.
• Alter your email mailbox rules so that you are unable to detect their activity.

Companies that implement the following safeguards have been found to dramatically lower their risk of falling victim to cloud-based account takeover.

1. Utilize Multi-Factor Authentication when logging in from outside the company’s network.Passwords alone are no longer enough security. Requiring users to utilize tokens or biometrics during the login process greatly strengthens security.
2. Use a unique username and password for company accounts that aren’t used anywhere else. If this information becomes compromised at other sites, fraudsters will often attempt to use the same usernames and passwords to log in to other locations.
3. Train staff to be wary of phishing emails and emails coming from people they know that suddenly display differences in writing styles. Some company IT departments even send out periodic “practice” emails to their employees to make sure employees are properly detecting red flags.
4. Look out for suspicious links or attachments. Fraudsters may embed malicious software, or malware, in links and attachments that will infect the victim’s system.
5. Utilize IBM® Security Trusteer Rapport^®. This software works alongside your antivirus software to help keep your system secure.
6. Limit administrative rights to those who need them. It is recommended to set up controls so that no single individual can affect all stages of a payment transaction and so that no employee has more access than the minimum they’ll need to properly perform their job function.
7. Keep an archive outside the email server of all incoming and outgoing emails. This will make it easier to detect fraudulent emails if they occur. Additionally, set up alerts for interruption in email archiving so that you will know if unauthorized changes are made.

SVB recommends the following steps be taken if your business suffers an attack:

• Contact your SVB Relationship Advisor immediately if you suspect unusual activity occurred on your SVB account.
• Shut down or disable access to the compromised account until it is secured with a new, secure password. In the meantime, ensure that a secure email account is listed on your SVB profile.
• As needed, consider hiring outside help with forensic investigations.
• Determine whether sensitive company data was exposed.
• Determine whether client information was exposed. If so, you may be required to notify them of the breach under federal or state law.
• Ensure your system is free from malware and viruses and that your protection software is up to date.
• Notify appropriate law enforcement agencies such as IC3 and/or your local FBI field office.

Silicon Valley Bank offers preventative tools, services, and guidance to help you mitigate your risk of fraud. Visit our Fraud Prevention Center to learn more. Be sure to view SVB’s Fraud Prevention Webcast, Understanding the Threat from Within: Internal Fraud, which also touches on this very important topic as well as addresses additional fraud prevention measures.