Business Email Compromise (BEC) has been around for a long time. In a BEC attack, the cybercriminal sends a spoofed email that appears to come from someone within the recipient’s company, usually the CEO or another authority figure. The email typically contains urgent instructions to wire money to a particular account immediately, or to release sensitive information. If the recipient follows the instructions without verifying them through a separate channel, the money will be wired directly, and conveniently, to the cyberthief’s account.
According to the FBI, BEC attacks cost businesses worldwide an estimated $26 billion between 2016 and 2019.
And now, there’s a new twist on this old scam. The FBI recently issued an alert about cybercriminals who are now leveraging virtual meeting platforms to update BEC scams.
Virtual Meetings and BEC
The business world pivoted to virtual meeting technology to keep up during the pandemic, and now there is no going back. Cybercriminals have followed, and are continuing to devise new and innovative ways to leverage virtual meetings to abet their attacks. The FBI alert described three ways that cybercriminals are using virtual meetings for BEC scenarios: fake meetings, spying on real meetings, and using virtual meetings as an excuse.
Fake Virtual Meetings
Using a compromised email account, typically belonging to either the CEO or CFO, the attacker will instruct an employee to log in to a virtual meeting, in which the hacker uses a picture of the exec, either without audio or with “deep fake” audio. Posing as the CXO, the attacker will claim that his video and/or audio isn’t working correctly and will ask the employee to initiate a money transfer via chat or in a follow-up email. Since the employee first learned of the request in a virtual meeting, they are less likely to view it with suspicion than if they only received an email request.
Deep fake audio is a new fraud concern. The technology uses a voice sample (often obtained from a YouTube recording of a CEO’s presentation at a conference) and artificial intelligence to create entirely new messages using the exec’s voice and speech patterns. One of the first instances of deep fake audio being used for a criminal application was discovered last year, when an employee received a phone call from someone they believed was the company’s CEO (sure sounded like them) with instructions to close out an account and send $243,000 to a different account. The employee dutifully followed the “CEO’s” instructions and wired the $243,000 right to the fraudster’s account.
Spying on Real Meetings
Using compromised employee email accounts, cybercriminals have also inserted themselves into legitimate meetings on companies’ virtual meeting platforms in order to collect information that can be sold, used in insider stock trading, or put to other fraudulent use. The information collected may also be leveraged for BEC, ransomware, or other cyberattacks.
Virtual Meetings as an Excuse
Sometimes a virtual meeting is simply used as part of the ruse. In this variation, the attacker sends an email spoofed to seem as if it is coming from someone important, such as the CEO. The “author” of the email claims to be in a virtual meeting that they can’t interrupt and asks the recipient to help them out by executing a funds transfer that needs to be done right away.
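The indicators in this variation (an executive's name on an outside address, a meeting pretext, and an urgent payment request) can be checked mechanically before a message reaches the recipient. The following is an added example, not code from the FBI alert or any product; the domain, executive names, keyword patterns and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the organization's domain and its executives' names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes", "sam okafor"}

PRETEXT = re.compile(r"\b(in|on) a (virtual |video )?(meeting|call)\b|can'?t (talk|interrupt)", re.I)
PAYMENT = re.compile(r"\b(wire|funds? transfer|transfer (the )?funds|payment)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap)\b", re.I)

def bec_indicators(raw):
    """Return the BEC indicators found in one RFC 5322 message (plain-text body)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = []
    # Executive's display name on an address outside the organization.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        hits.append("exec_name_external_sender")
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        hits.append("reply_to_mismatch")
    for label, rx in (("meeting_pretext", PRETEXT), ("payment_request", PAYMENT), ("urgency", URGENCY)):
        if rx.search(text):
            hits.append(label)
    return hits

def should_hold(raw):
    """Hold for out-of-band verification: payment request plus identity or pretext signals."""
    hits = set(bec_indicators(raw))
    identity = hits & {"exec_name_external_sender", "reply_to_mismatch"}
    return "payment_request" in hits and (bool(identity) or {"meeting_pretext", "urgency"} <= hits)

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Dana Reyes" <dana.reyes@example.net>
Reply-To: dana.reyes@example.org
Subject: Quick favor

I'm in a virtual meeting I can't interrupt. Please wire $48,500 right away.
"""
COMPROMISED = SPOOFED.replace("example.net", "example.com").replace("Reply-To: dana.reyes@example.org\n", "")
BENIGN = 'From: "Dana Reyes" <dana.reyes@example.com>\nSubject: Town hall\n\nSlides are on the intranet.\n'
if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)):
        print(label, should_hold(raw), bec_indicators(raw))
```

The `COMPROMISED` sample carries no header anomaly because it comes from the executive's real account, so only the content rule (payment request with meeting pretext and urgency) catches it.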
Protecting Against Virtual Meeting Related Fraud
The FBI alert contains several recommendations for protecting yourself and your organization from this new threat, most of which involve employee training and alerting employees to the danger. Unfortunately, user training has been proven woefully inadequate at stopping cybercrime. Even trained users will often fall for a sufficiently sophisticated spearphishing attack.
Oddly enough, the FBI warning makes no mention of risks that are linked more directly to virtual meeting use. These may include intentional or inadvertent sharing of confidential data via chats or screenshares; exposure of internal IP addresses via meeting web portals; and malware delivery via weaponized chat attachments or infected web portals.
The best way to protect against virtual meeting enabled attacks is to adopt a Zero Trust security approach, as the US Federal Government recommended last year in an Executive Order on improving the nation’s cybersecurity.
There are numerous ways that a comprehensive Zero Trust-based solution, such as ZTEdge, along with appropriate policies, can help protect against these attacks:
- Virtual Meeting Isolation (VMI) protects against hackers using malware to surreptitiously join or record virtual meetings. It also disables active elements in any files transferred during a virtual meeting, so if a hacker managed to get into the meeting, they would not be able to deploy malware. Hazards on malicious websites whose URLs are shared in chat are similarly disabled.
- VMI includes policy-based controls that can selectively restrict screen sharing in virtual meetings, and display or attachment of specific files, data categories or even PII formats. These restrictions minimize the potential for exposure of sensitive data in the event that an unauthorized person accesses a meeting.
- Requiring that all virtual meetings be conducted using VMI can stop employees from clicking through to an external virtual meeting platform just because someone sent them an invitation.
- Web Isolation protects against credential theft by opening suspicious sites in read-only mode, making it less likely that a criminal will be able to log in and misuse an employee’s email or virtual meeting account.
- Setting a financial policy that funds cannot be transferred based on an email alone would stop many BEC attacks from succeeding.
The coronavirus pandemic that drove workers out of their offices and online from remote locations opened a world of opportunity for cybercriminals. Attacks that leveraged remote access vulnerabilities, including attacks via virtual meetings, skyrocketed – and remain sky high. As cybercriminals step up their game – including by deploying AI-driven tools such as deep fake audio – businesses need to step up their cybersecurity game right along with them. Large organizations are well on their way to implementing a Zero Trust security approach via large-scale Secure Access Service Edge (SASE) platforms. ZTEdge enables small and mid-sized organizations to do so as well, with a comprehensive platform that is right-sized, modular and easily managed.