Hubris Caught the Instagram Star: Business Email Compromise Security Guide
Here are four email security hacks you can learn from the Hushpuppi saga, such as practicing sound social media judgment and ensuring your customers and supply chains are equally secure.
Ramon Olorunwa Abbas, a.k.a. “Ray Hushpuppi” is alleged by the Federal Bureau of Investigations (FBI) to have conspired to launder hundreds of millions of dollars through business email compromise frauds and other scams.
In a video published on Dubai Police’s Instagram, officers working in “Operation Fox Hunt 2” stormed into Hushpuppi’s home and arrested him as he slept, in a series of coordinated raids against him and other co-conspirators, namely Olalekan Jacob Ponle, known as Woodberry. Both Mr. Abbas and Mr. Ponle have now been both extradited to the US and charged in a Chicago court. The pair have not yet been asked to plead and are presumed innocent until proven guilty.
Hushpuppi flaunted his wealth on social media. What personal information are you employees giving away?
Tackling Business Email Compromise
The Hushpuppi saga has received a great deal of attention in recent days, likely due to the Instagram personality’s ostentatious lifestyle. As we know, this case was an outlier: most cybercriminals seek to fly under the radar not only to ensure success, but also to avoid authorities’ watchful eyes.
So why is that business email compromise attacks have become so popular and successful?
The answer is that email – where business email compromise originates – was never designed with security in mind yet has become the default mode of important internet communication between organizations and global business leaders. There have been some security updates to the email standards, e.g. DMARC & DANE but adoption of these are still in its infancy.
Employees are busy and it’s no surprise that human error is involved in 95% of all cyber breaches, which seriously undermines technology-based efforts to defend against spear phishing, supply chain impersonation, virus ransomware and a whole host of other threats. Lapses in judgement cost organizations significant time and money but too many security teams are looking solely for a technical solution to what is largely a human problem.
Here’s four security tips to remember for combatting business email compromise attacks:
1. Use sound judgment on social media platforms.
How much information are you and your employees giving away on personal social media accounts?
The Hushpuppi case is a prime lesson here for your employees. The FBI has highlighted how the alleged schemers unwittingly provided crucial information about their identities, addresses and activities for American detectives with their Instagram and Snapchat posts.
Cybercriminals can use similar techniques to monitor your employees’ movements and help personalize attacks. Invoices fraud can be timed when particular executives are a long-distant flight and knowing their interests can help design pitch-perfect lure.
Security awareness training is important here. Traditional programs consisting of do and don’ts slides can easily be boring and fail because employees become disengaged and do not understand or care enough to change their behavior. Effective training needs to be regular and fun to make a lasting and positive impact.
2. Take a layered approach to email security.
Don’t trust any one single vendor or service to block all inbound attacks, whether on-premises or in the cloud.
The most prevalent phishing attacks are untargeted emails that attempt to trick employees into handing over valuable information or download malware. Malicious payloads can be hidden within email attachments pretending to be invoices, CVs or other business documents.
Make sure your secure email gateway is re-writing links in email to combat time-delayed phishing attacks, where payload sites are only activated after an email has been delivered. Attachments also need to be checked for known and unknown malware using AV, file analysis and sandboxes.
We are now seeing many more targeted attacks that use advanced techniques to spoof named employees or supply chain partners. These attacks usually use freemail accounts or registered similar domain names that the victim will trust.
Many of these phishing emails do not include malicious links and attachments. Instead, Impersonation fraud (Business Email Compromise) attacks often trick people into making financial payments or send confidential data. It’s these social engineering attacks that often are hardest to detect and easily penetrate traditional primary layers of security defenses.
Ensure you have specific defenses against these types of attacks and include specific training using real examples targeted at your company.
3. Protect your customers and supply chains with DMARC.
Tools that extend beyond the company’s security perimeter, such as DMARC protection, can help companies identify when their brand is being abused by impersonators seeking to exploit customers, employees and partners.
DMARC, when used in conjunction with other DNS authentication capabilities such as DKIM and SPF, can help stop attackers from spoofing or hijacking the email domains of trusted senders, thus effectively taking away one method attackers use to fool their intended victims.
The threat of business email compromise attacks on your supply chain is heightened during extended periods of remote work. For example, it’s now much harder to walk over to the financial director’s desk and confirm a payment to a supplier.
DMARC can sound complicated at first but it’s easy to started with monitoring and then move towards quarantine and reject as you gain confidence and skills.
4. Risk score your employees.
Evaluate which employees have regular access to confidential data or personal identifiable information (PII) to help you target additional training. Explore training data, sentiment surveys to provide scoring and predictive analytics around the human side of cybersecurity.
With personalized cyber risk score assigned to every employee, you can understand which end users pose the greatest risk and even better, do something about it. Combined with your threat intelligence program, you can then focus time and resources on the weakest areas.
Training should be both frequent and consistent, and as social engineering tactics become more advanced among cybercriminals, business email compromise training should be a recurring item in security awareness training.
Want more great articles like this?Subscribe to our blog.
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly