Business Email Compromise (BEC) has plagued companies for years, yet many small businesses continue to assume they are powerless against these attacks. This misconception could not be further from the truth. Today, robust tools and simple best practices exist that can significantly secure your inbox—and your bank account—at minimal cost and effort.
Recently, WatchPoint IT was called in to handle a particularly inventive email compromise case, highlighting the increasingly creative tactics scammers employ to monetize compromised accounts. Traditionally, attackers hijack emails to trick internal teams or clients into altering ACH or wire transfer information, redirecting payments into fraudulent accounts. Fortunately, most finance teams have become wary, routinely double-checking transactions.
However, attackers are constantly adapting.
In this recent incident, the attack began innocuously. The user received an expected email from their landlord about an updated lease agreement. The timing was perfect—the company was actively renegotiating their lease. Unfortunately, the landlord’s email account had already been compromised by the attacker, who patiently monitored conversations before inserting themselves seamlessly into the dialogue.
The unsuspecting user clicked a malicious link, believing they were securely logging into their Office 365 account to view the updated lease. Behind the scenes, the attacker employed Evilginx, an adversary-in-the-middle phishing framework that proxies the real login page to the user's browser, relays the username, password and MFA response to the legitimate service, and captures the authenticated session cookie that comes back. Because the victim completes MFA themselves, the attacker walks away with a working session, and the email account was compromised without raising immediate alarms.
Typically, compromised emails lead directly to financial theft. However, this scenario had an unusual twist, one we had never personally encountered before. With the user's credentials, scammers breached the user's LinkedIn and Indeed accounts (the user had reused the same username and password, unsurprisingly) and started posting fraudulent job openings on the company's behalf.
Before long, "new employees" were hired remotely, believing they had genuinely secured employment. Neither the landlord nor the compromised company had any idea that their systems and identities had been exploited. The attackers cleverly concealed their activities by creating inbox rules that automatically redirected and hid their communications from the account's real owner.
These newly hired "employees" were informed they needed special equipment to start working remotely. To make things seem legitimate, the scammers mailed each new hire a convincing check for $13,500, instructing them to deposit the funds and use their personal credit cards to purchase the equipment through a provided link.
The unsuspecting new hires eagerly deposited the checks, promptly bought the equipment, and waited. But of course, the purchased equipment never arrived, and the checks ultimately bounced, leaving these victims financially devastated and confused.
Remarkably, the compromised company initially remained oblivious. It wasn't until these confused and frustrated "new hires" began repeatedly contacting the company's front office that suspicions arose. The calls were initially dismissed as spam, but the receptionist eventually escalated them to management. Only then did the tangled web of deception begin to unravel.
WatchPoint was brought in for remediation, uncovering the full extent of the breach and helping the company clean up and secure their digital environment.
The sobering reality of this incident underscores how critical proactive email security measures are. MFA alone, while important, is no longer sufficient against adversary-in-the-middle phishing kits like Evilginx. Businesses must consider additional layers of protection, including automated monitoring that detects and locks compromised accounts (and flags the inbox rules attackers create to hide their tracks), third-party identity providers, or a strategic combination of both.
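One concrete piece of the monitoring layer described above is a check for the kind of inbox rules the attackers used to hide their communications. The following is an added example written for this article, not WatchPoint's tooling: it triages a list of mailbox rules and scores each one on the tells common in BEC cases (mail forwarded or redirected outside the organization, mail deleted, mail buried in rarely opened folders and marked as read, near-empty rule names, and conditions keyed on payment, lease or hiring language). The rule records are constructed for the example and only loosely modelled on the shape of Microsoft Graph `messageRule` objects; the folder list, keyword list, weights and threshold are assumptions to tune for your own tenant.

```python
"""Triage mailbox inbox rules for signs of attacker persistence.

Added example, not WatchPoint's tooling. Rule records are constructed here and
loosely modelled on the shape of Microsoft Graph "messageRule" objects
(displayName / conditions / actions); in practice they would come from an
admin export or API call.
"""
import re

# Constructed sample rules: one attacker-style hiding rule, one external
# forward-and-delete rule, and one benign newsletter rule.
SAMPLE_RULES = [
    {
        "displayName": "Meeting notes",
        "isEnabled": True,
        "conditions": {"subjectContains": ["lease", "offer letter", "equipment"]},
        "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True,
                    "stopProcessingRules": True},
    },
    {
        "displayName": ".",
        "isEnabled": True,
        "conditions": {"fromAddresses": ["hr-candidate@example.net"]},
        "actions": {"forwardTo": ["payroll.desk@external-mail.example"],
                    "delete": True},
    },
    {
        "displayName": "Newsletters",
        "isEnabled": True,
        "conditions": {"senderContains": ["newsletter"]},
        "actions": {"moveToFolder": "Newsletters"},
    },
]

# Folders attackers favour because users rarely open them (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Terms tied to the fraud themes in this case: payments, leases, hiring.
SENSITIVE_TERMS = re.compile(
    r"\b(invoice|payment|wire|ach|bank|lease|offer|hire|hiring|job|equipment|check)\b",
    re.IGNORECASE,
)


def _external(addresses, internal_domains):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in internal_domains]


def score_rule(rule, internal_domains):
    """Score one rule; higher means more suspicious. Returns (score, reasons)."""
    internal = {d.lower() for d in internal_domains}
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    score, reasons = 0, []

    # 1. Mail leaving the tenant via forward/redirect is the classic BEC tell.
    recipients = []
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        recipients += actions.get(key, [])
    leaked = _external(recipients, internal)
    if leaked:
        score += 5
        reasons.append(f"forwards/redirects to external address {leaked}")

    # 2. Deleting matching mail hides the victim's own conversations from them.
    if actions.get("delete") or actions.get("permanentDelete"):
        score += 4
        reasons.append("deletes matching mail")

    # 3. Burying mail in an obscure folder, worse when also marked as read.
    folder = str(actions.get("moveToFolder", "")).lower()
    if folder in HIDING_FOLDERS:
        score += 3
        reasons.append(f"moves mail to rarely-viewed folder '{folder}'")
        if actions.get("markAsRead"):
            score += 1
            reasons.append("also marks it as read")

    # 4. Names like '.' or ',' (or none at all) are a common attacker habit.
    name = rule.get("displayName", "").strip()
    if len(name) <= 2 and not name.isalnum():
        score += 2
        reasons.append(f"near-empty rule name {name!r}")

    # 5. Conditions keyed on money, contract or hiring language.
    terms = " ".join(v for vals in conditions.values()
                     for v in (vals if isinstance(vals, list) else [vals]))
    hits = SENSITIVE_TERMS.findall(terms)
    if hits:
        score += 2
        reasons.append(f"matches sensitive terms {sorted({h.lower() for h in hits})}")

    return score, reasons


def triage(rules, internal_domains, threshold=4):
    """Return enabled rules scoring at or above the threshold, worst first."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        score, reasons = score_rule(rule, internal_domains)
        if score >= threshold:
            findings.append({"name": rule.get("displayName"),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_RULES, {"example.com"}):
        print(f"[{finding['score']:>2}] {finding['name']!r}")
        for reason in finding["reasons"]:
            print(f"      - {reason}")
```

Run against the constructed sample, the forward-and-delete rule scores highest and the "Meeting notes" rule that buries lease and equipment mail in the RSS Feeds folder follows; the newsletter rule scores zero and is not reported. The same scoring can be run on a schedule across every mailbox in the tenant, with any finding above the threshold treated as a possible account compromise rather than a user preference.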
Ignoring these precautions because you believe it "won't happen to you" could be costly. Don’t wait for an incident like this to hit your company; act now to secure your business, protect your employees, and maintain your reputation.
Remember, cybersecurity isn’t just about technology—it's about vigilance, preparedness, and taking threats seriously before they become your reality.