How cybercriminals use unwitting employees to defraud businesses

By Prof. Danny Myburgh, Managing Director at Cyanre – The Digital Forensic Lab

There are so many sophisticated ways for cybercriminals to infiltrate organisations today that it can be challenging to keep track of them – particularly when these threats are spoken about in abbreviations, such as BEC (Business Email Compromise) and MITM (Man in the Middle) attacks.

Unfortunately, while the jargon can be overwhelming, the threats are all too real, and BEC and MITM attacks are some of the most frequent we encounter in South Africa. It’s therefore worth understanding:

  • Exactly how they work,
  • Where your organisation is at risk and
  • How you can protect yourself

Business Email Compromise and Cybercriminals

Imagine what you could do as a cybercriminal with access to the correct email account (or something that looks like the proper email account). For example, you could pose as the CEO of an organisation and email the finance department to transfer funds into an account that you control. You could hack an employee’s account and send a fraudulent invoice from a legitimate supplier but with incorrect banking details. You could even pretend to be a registered vendor and send an invoice yourself, highlighting a ‘change in banking details.’

Now imagine any of these things being done to your organisation, and how costly it could be if the wrong information fell into criminal hands. Even with online collaboration tools and channels gaining traction, email remains the primary way we conduct business, which means it presents endless opportunities for cybercriminals to defraud companies.

Unfortunately, BEC scams are almost elegant in their simplicity. An attacker poses as someone the recipient should trust, usually a colleague, manager or vendor. The sender then uses a seemingly legitimate reason to ask the recipient to make an electronic payment, divert payroll, or change banking details for future payments. And just like that, your organisation has been defrauded, and you don’t know how or by whom.

Unlike malware attacks, BEC attacks can be challenging to detect because they don’t use malicious URLs that traditional cyber defences can analyse. Tracing a BEC attack that has succeeded through impersonation, social engineering or domain spoofing requires digital forensics.

Here’s how a BEC attack is orchestrated:

  1. First, attackers build a targeted list of emails by sifting through LinkedIn profiles, business email databases and websites.
  2. They then set up look-alike domains and fake email names and send out mass emails.
  3. If they identify a weak link, such as an employee who has not recognised the fake domain, they take a more targeted approach and impersonate individuals within the company (such as the CEO or members of the finance department). These emails tend to convey high urgency, as attackers want their targets to respond quickly before scrutinising the request too carefully.

Cyanre recommends:

BEC attacks rely on willing (although unwitting) victims, which means that user awareness plays a crucial role in an effective defence. Education is, therefore, key. Here are the tell-tale signs that an email may not be what it seems:

  • High-level executives asking for unusual information: While most of us will quickly respond to an email from a C-Suite executive, how often do CEOs request the tax information of individual employees or request a sudden and urgent payment that wasn’t on the schedule?
  • Requests to not communicate with others: The success of impostor emails often relies on secrecy, which is why the recipient is requested to keep the email confidential and for all communications to be sent via email.
  • Requests that bypass normal channels: When a channel is bypassed (like approval processes or not insisting on the relevant paper trail), no matter how urgent the request, the recipient should be suspicious.
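The look-alike domains and fake sender names from the attack steps above, together with the tell-tale signs just listed, can be turned into a first-pass triage check that a mail gateway or SOC analyst runs over an inbound message. This is an added example, not Cyanre's tooling; the trusted domains, the executive's name and the sample message are all constructed for illustration.

```python
"""Heuristic BEC triage over one raw email (constructed example, not Cyanre's code)."""
from email import message_from_string
from email.utils import parseaddr
TRUSTED_DOMAINS = {"example-corp.com", "trusted-vendor.co.za"}  # assumed organisation/vendor domains
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}          # assumed executive and real address
HOMOGLYPHS = str.maketrans("0l1", "oii")  # fold 0->o and l/1->i before comparing domains
PHRASES = ("urgent", "keep this confidential", "new banking details", "change in banking details")
# Constructed sample: executive impersonation sent from a look-alike domain.
SAMPLE = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: payments@example-corp.com

Please process this urgent transfer today and keep this confidential.
The supplier has a change in banking details, see attached.
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row of the Wagner-Fischer table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain):
    """Trusted domain that `domain` imitates (homoglyph swap or distance <= 2), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if (domain.translate(HOMOGLYPHS) == trusted.translate(HOMOGLYPHS)
                or edit_distance(domain, trusted) <= 2):
            return trusted
    return None

def bec_indicators(raw):
    """Return the list of BEC indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    imitated = lookalike_domain(domain)
    if imitated:
        hits.append(f"look-alike domain {domain} imitates {imitated}")
    expected = EXECUTIVES.get(name.lower())
    if expected and expected != addr.lower():  # executive's display name on another address
        hits.append(f"display name '{name}' used from {addr}, not {expected}")
    body = msg.get_payload().lower()
    hits += [f"wording: '{p}'" for p in PHRASES if p in body]  # urgency, secrecy, bank changes
    return hits
```

A message with two or more hits is a candidate for the phone call or IT referral recommended below; the distance threshold will also flag genuinely similar domains, so treat hits as triage, not verdicts.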


So, what’s the fix?

  1. First, teach your employees to be suspicious. If they aren’t sure about an email, pick up the phone or forward it to IT. No one will begrudge an employee who has double-checked a few details before sending hundreds of thousands of Rands to China.
  2. Encourage employees to trust their instincts as well – if something doesn’t seem quite right, it probably isn’t.
  3. Follow procedure and the relevant approval processes.
  4. Ensure that your company has updated policies in place to not only confirm the procedures, but to also add a layer of protection.


Man In The Middle Attacks and Compromised Data

Man-in-the-middle attacks (MITM) are also known as hijack attacks. The difference between a BEC attack and an MITM attack is that the attacker intercepts and then changes the communications between two parties who still believe that they are communicating directly with each other. For example, a supplier sends their invoice for work done, but the attacker hijacks it, changes the banking details and then sends it to the correct person.

Attackers might also use MITM attacks to steal personal information or login credentials, to corrupt data or sabotage communications.

Public WiFi networks are particularly vulnerable to MITM attacks because they are usually less secure than private Internet connections. Cybercriminals get in the ‘middle’ by compromising the router and scanning for unpatched flaws and vulnerabilities. Next, they intercept and decrypt the victim’s data using tools that are readily available on the Dark Web. All sites that require a login, and any connections meant to be secured by a public or private key, are susceptible to attack.

MITM attacks are not new – they’ve practically been around for as long as we’ve used the Internet for business, but these attacks remain dangerous, largely because it could be days or even weeks before an end-user notices that something is wrong. Consequently, it’s almost impossible to know, during that time, what data has been exposed to malicious actors. Again, tracing what data has been exposed and where the breach initially occurred usually requires digital forensics.


Cyanre recommends:

Fortunately, there are security measures that can safeguard your organisation from MITM attacks:

  • Awareness and education: Employees are unfortunately the weak link – they click on bad links or enter their login details on a compromised website, giving hackers access to their information. Educating them on the basics of preventing MITM attacks is therefore essential.
  • Encryption, VPNs and the secure cloud: There are many levels of encryption, multi-factor authentication and security controls available today. Make sure protocols are in place that employees must follow.
  • Update regularly: Even a single point of failure can put your entire network in danger. Regular software updates are there for a reason – they identify weaknesses and patch them up.


What’s the fix?

  1. If you believe or suspect that you might have been the victim of one of these types of attacks, it is highly recommended to involve professionals to investigate.
  2. One of the most important aspects to establish is where the Point of Compromise (POC) is. This could point to a larger security risk because the perpetrators may have gained access to your organisational and private emails or even to your network.
  3. It is also very important to establish what other information the perpetrator could have gained access to or even forwarded from your corporate mail account to their mail account for nefarious purposes.