UPDATED 22:06 EST / MARCH 08 2020


FBI: Hackers are targeting Office 365, G Suite users with business email compromise attacks

The U.S. Federal Bureau of Investigation has issued a new warning that hackers are currently targeting users of Microsoft Office 365 and Google G Suite in so-called business email compromise attacks.

The warning, issued via a Private Industry Notification on March 3, noted that the scams were costing U.S. businesses billions of dollars, according to a March 6 article in Bleeping Computer.

“The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds,” the FBI said. “Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite.”

BEC attacks are not new, but they have continued to multiply thanks to the potential rewards for the hackers behind them. Unlike a simple hack, a BEC attack takes some effort because the attackers must impersonate an email account owner to defraud the targeted organization.

In February the government of Puerto Rico had $2.6 million stolen in a BEC attack after an employee account was compromised. Those behind the attack posed as the employee and sent emails to various government agencies stating that bank account details had changed. The BEC attack was detected only when an employee at Puerto Rico’s Employee Retirement System asked why money that was meant to be transferred hadn’t been received.

James McQuiggan, security awareness advocate at security training firm KnowBe4 Inc., told SiliconANGLE that, with billions of dollars being stolen from organizations through BEC scams, organizations should implement several technological and human-element security measures to protect themselves.

“From a technology perspective, implementing verification of domains by using DMARC configuration in the mailserver allows the organization to request the domain to be checked for validation before allowing the email in the inbox,” McQuiggan explained. “The Sender Policy Framework configuration in the mailserver to authenticate the sender’s email address and finally using encryption of the headers prevents man-in-the-middle attacks with the DKIM or Domain Key Identified Mail.”

For people, he added, “having a robust security awareness program that educates employees to be aware of the red flags and spot fake emails is important. You should also check the email address, and verify the user by specifically asking yourself if you were expecting the email. Trust but verify is a good way to make sure you don’t fall victim to any email scams.”

Finally, he said, “within organizations that are set up to send money to vendors or suppliers, have procedures in place and do not rely solely on email for account changes, payments or financial changes. Using a verification method, with multiple parties and based on a tiered payment system can help reduce the risk of money being scammed by criminals.”
