
Business Email Compromise Remediation


Business Email Compromise or BEC may seem to be a relatively new threat vector, but it has been active since the onset of the last decade. BEC is a specialized phishing scam in which an attacker impersonates or compromises a business email account and tries to manipulate an employee or vendor to transfer a large amount of money or share sensitive information.

The average cost of a BEC attack was about $80,000 in 2020, a 48% increase from 2019’s average. Added to that, BEC accounted for half the cyber scams reported in 2019 by the FBI, with a whopping $1.77 billion in damages of a total $3.5 billion.

The key to responding to a BEC attack is a two-phase approach. First, you must respond to the event and put the fire out. Second, you must recover and diagnose what sparked the fire in the first place so that you can correct the behaviors that caused the event. Unfortunately, most IT teams and providers respond, but they are unfamiliar with recovery best practices. That is why 80% of businesses that have a cyber event have repeat offenses. Our strategic team at Alliant Cybersecurity can help in both areas to formalize an immediate and effective response and recovery solution.

If your company has been the target of a BEC attack, here are the immediate remediation steps:

  • Change the Password!

The first and the most crucial step to be taken after finding out that your email has been compromised is to change the password.

  • Identify and Block the IP Address

After the attack, it is imperative that the attacker's IP address is identified and blocked immediately so that the attacker cannot launch further attacks from the same machine or IP address.

  • Perform Dark Web Scan

Data breaches are often aimed at stealing sensitive information and publishing or selling it on Dark Web marketplaces. If you think you have been attacked, perform a Dark Web scan immediately to identify exposed credentials. Further, perform a Deep Dark Web search on the organization's domain.

  • Deploy Multi-Factor Authentication

MFA is a security best practice and should already be deployed for critical applications and those containing sensitive data. If you have found that data or credentials have been compromised, deploy MFA for all your accounts, so that a malicious actor who tries to log in with your credentials again has to bypass an extra layer of security. MFA also helps mitigate future credential harvesting attempts.

  • Run Forensics

After establishing that your organization has been attacked, it is time to engage your security teams to run forensics on the attack and identify its source and method.

  • Review Logs

Once forensics are under way, review the logs from the email server and look for anything unfamiliar. Additionally, perform a detailed review of Active Directory to spot any inactive or unfamiliar accounts.

  • Analyze Compromised Emails

It is also essential to analyze the phishing email that caused the attack. Perform a header analysis of the compromised email sample.

  • Perimeter Security Check and Email Server Hardening

The last step is to close all the backdoors. Perform a perimeter security check and harden the email server to prevent future attacks.
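As an added example (not part of the original post or Alliant's own tooling), the following Python script shows the "Review Logs", "Analyze Compromised Emails" and "Identify and Block the IP Address" steps above on constructed data. It flags successful logins from IP addresses outside a known set and accounts missing from the directory listing, parses the phishing sample's headers for SPF/DKIM/DMARC results, a Reply-To domain that differs from the From domain, a lookalike sender domain and the originating IP, and then reports which IP appears both as the mail origin and as an unfamiliar login source. The log line format, domain names, IP addresses, account names and the known-IP and active-account sets are all assumptions made for the example.

```python
"""Constructed BEC triage example: review mail-server auth logs and analyze the
phishing sample's headers. Log format, addresses and IPs are all made up."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                                   # assumed victim domain
KNOWN_IPS = {"203.0.113.5", "203.0.113.7"}                        # assumed normal egress IPs
ACTIVE_ACCOUNTS = {"alice@example-corp.com", "bob@example-corp.com",
                   "jane.doe@example-corp.com"}                   # assumed directory listing

# Constructed authentication log lines in an invented "key=value" format
SAMPLE_LOG = """\
2021-07-12T08:02:11Z auth user=alice@example-corp.com ip=203.0.113.5 result=success
2021-07-12T09:12:30Z auth user=jane.doe@example-corp.com ip=198.51.100.23 result=failure
2021-07-12T09:12:41Z auth user=jane.doe@example-corp.com ip=198.51.100.23 result=success
2021-07-12T09:40:02Z auth user=svc-old@example-corp.com ip=198.51.100.23 result=success
2021-07-12T10:01:15Z auth user=bob@example-corp.com ip=203.0.113.7 result=success
"""

# Constructed phishing sample; only the headers matter for the analysis
SAMPLE_EML = """\
Received: from smtp.lookalike-host.example (unknown [198.51.100.23])
  by mx.example-corp.com with ESMTP id def456;
  Mon, 12 Jul 2021 09:13:58 +0000
Authentication-Results: mx.example-corp.com;
  spf=fail smtp.mailfrom=examp1e-corp.com;
  dkim=none;
  dmarc=fail header.from=examp1e-corp.com
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail.example
To: finance@example-corp.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$")


def review_auth_log(text, known_ips=KNOWN_IPS, active_accounts=ACTIVE_ACCOUNTS):
    """Flag successful logins from unfamiliar IPs and any account not in the directory."""
    findings = {"unfamiliar_ip_logins": [], "unfamiliar_accounts": set(), "suspect_ips": set()}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        e = m.groupdict()
        if e["result"] == "success" and e["ip"] not in known_ips:
            findings["unfamiliar_ip_logins"].append((e["ts"], e["user"], e["ip"]))
            findings["suspect_ips"].add(e["ip"])
        if e["user"] not in active_accounts:
            findings["unfamiliar_accounts"].add(e["user"])
    return findings


def _domain(header_value):
    """Domain part of the first address in a From/Reply-To header value."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw, org_domain=ORG_DOMAIN):
    """Extract auth results, From/Reply-To mismatch, lookalike domain and origin IP."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = {}
    for part in str(msg.get("Authentication-Results", "")).split(";"):
        part = part.strip()
        for mech in ("spf", "dkim", "dmarc"):
            if part.startswith(mech + "="):
                auth[mech] = part[len(mech) + 1:].split()[0]
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    received = [str(h) for h in msg.get_all("Received", [])]
    origin_ip = None
    if received:  # each hop prepends a Received header, so the last one is the first hop
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
        origin_ip = m.group(1) if m else None
    flags = [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain differs from From domain")
    if from_dom != org_domain and _edit_distance(from_dom, org_domain) <= 2:
        flags.append(f"lookalike of {org_domain}: {from_dom}")
    return {"auth": auth, "from_domain": from_dom, "reply_to_domain": reply_dom,
            "origin_ip": origin_ip, "flags": flags}


def correlate(log_text=SAMPLE_LOG, raw_eml=SAMPLE_EML):
    """IPs seen both as the mail origin and as an unfamiliar login source: block candidates."""
    logs, hdr = review_auth_log(log_text), analyze_headers(raw_eml)
    return sorted(ip for ip in logs["suspect_ips"] if ip == hdr["origin_ip"])


if __name__ == "__main__":
    print(review_auth_log(SAMPLE_LOG))
    print(analyze_headers(SAMPLE_EML))
    print("candidate IPs to block:", correlate())
```

The header checks are deliberately narrow: they read the receiving server's own Authentication-Results line rather than re-evaluating SPF or DKIM, and the last Received header is trusted only because it was written by the organization's own mail exchanger; earlier hops in a real chain can be forged by the sender. Adapt the log regular expression to the actual mail server's format before running this against real logs.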

How will Alliant Cybersecurity help you?

Alliant Cybersecurity will publish an initial report within 24-72 hours with our findings: Why, who, what, where, when, and how this attack happened. Our team will also assist you with:

  • Selecting tools to secure and strengthen your infrastructure;
  • Mediating with law enforcement agencies and insurance providers; and
  • Training for your workforce to avoid future attacks.

Get the Alliant advantage today! Contact us for a general consultation or reach out to us through our hotline number for a cyber-emergency.
