The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

FBI Warns of BEC Scammers Using Email Forwarding

by Chris Brook on Tuesday December 1, 2020

Contact Us
Free Demo
Chat

The FBI says scammers are increasingly abusing forwarding rules on web-based email clients to hide their activity, opening the door for a Business Email Compromise (BEC) attack.

The global shift to remote work has changed a lot of things.

One of those changes that attackers are hoping employees haven't realized is their increased reliance on web-based email applications like Microsoft Office 365 and Outlook on the web (OWA) for work email.

According to the Federal Bureau of Investigation, the agency has seen an uptick in cybercriminals deploying auto-forwarding rules on web-based email clients to gain a foothold and carry out business email compromise attacks.

Administrators may have missed a joint Private Industry Notification (PIN) on the technique, as it was issued by the FBI and DHS-CISA last Wednesday, shortly before Thanksgiving break in the U.S.

Because often times the forwarding rules of web-based clients don't sync with the desktop client, the FBI is warning the action tends to go undetected by cybersecurity administrators. Once they have access to the email and they can operate with limited visibility, the attackers can carry out reconnaissance and gather information to launch future attacks, especially the BEC variety.

Of course, much of this is predicated on the premise of an attacker getting access to an employee’s email account in the first place, something that’s become more and more plausible, especially with the lax work from home setups currently in place across the globe.

In the PIN, the FBI shared two incidents from this past summer involving BEC scammers who changed forwarding rules in the web-based emails of two companies, a manufacturing firm and a US-based medical equipment company. In the case of the medical equipment firm, attackers managed to access the network, impersonate an international vendor and trick the company into sending $175,000. Because the attackers used a UK-based IP address and the initial emails went undetected, it looked legitimate.

The manufacturing company had its email changed by attackers to auto-forward emails containing the words "bank," "payment," "invoice," "wire," or "check" to the attacker's email, something which no doubt could yield salacious, potentially damaging information.

Of course this isn't the first time the FBI has warned about attackers leveraging cloud based email services to carry out attacks.

Earlier this year it singled out Microsoft Office 365 and Google's G Suite has favorite targets of attackers. In one update it claimed its Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite between January 2014 and October 2019.

Administrators seeking more information on BEC scammers targeting should consult the FBI's PSA from April. A PIN from last November recaps how attackers are carrying out BEC attacks against construction companies by registering phony domains to impersonate vendors the companies are already in touch with.

Tags: Email Security

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.