Skip to main content

FBI Warns of BEC Scammers Using Email Forwarding

by Chris Brook on Tuesday December 1, 2020

Contact Us
Free Demo

The FBI says scammers are increasingly abusing forwarding rules on web-based email clients to hide their activity, opening the door for a Business Email Compromise (BEC) attack.

The global shift to remote work has changed a lot of things.

One of those changes that attackers are hoping employees haven't realized is their increased reliance on web-based email applications like Microsoft Office 365 and Outlook on the web (OWA) for work email.

According to the Federal Bureau of Investigation, the agency has seen an uptick in cybercriminals deploying auto-forwarding rules on web-based email clients to gain a foothold and carry out business email compromise attacks.

Administrators may have missed a joint Private Industry Notification (PIN) on the technique, as it was issued by the FBI and DHS-CISA last Wednesday, shortly before Thanksgiving break in the U.S.

Because often times the forwarding rules of web-based clients don't sync with the desktop client, the FBI is warning the action tends to go undetected by cybersecurity administrators. Once they have access to the email and they can operate with limited visibility, the attackers can carry out reconnaissance and gather information to launch future attacks, especially the BEC variety.

Of course, much of this is predicated on the premise of an attacker getting access to an employee’s email account in the first place, something that’s become more and more plausible, especially with the lax work from home setups currently in place across the globe.

In the PIN, the FBI shared two incidents from this past summer involving BEC scammers who changed forwarding rules in the web-based emails of two companies, a manufacturing firm and a US-based medical equipment company. In the case of the medical equipment firm, attackers managed to access the network, impersonate an international vendor and trick the company into sending $175,000. Because the attackers used a UK-based IP address and the initial emails went undetected, it looked legitimate.

The manufacturing company had its email changed by attackers to auto-forward emails containing the words "bank," "payment," "invoice," "wire," or "check" to the attacker's email, something which no doubt could yield salacious, potentially damaging information.

Of course this isn't the first time the FBI has warned about attackers leveraging cloud based email services to carry out attacks.

Earlier this year it singled out Microsoft Office 365 and Google's G Suite has favorite targets of attackers. In one update it claimed its Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite between January 2014 and October 2019.

Administrators seeking more information on BEC scammers targeting should consult the FBI's PSA from April. A PIN from last November recaps how attackers are carrying out BEC attacks against construction companies by registering phony domains to impersonate vendors the companies are already in touch with.

Tags:  Email Security

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.