The Business Email Compromise (BEC) scam is one of the simplest and most damaging attacks a business can face, with losses per incident ranging from hundreds of dollars to millions. According to the Federal Bureau of Investigation (FBI), losses due to BEC scams since 2013 total around $28 billion, making it the most profitable category of cybercrime. An effective response runs on a tight timeline: the sooner the bank is asked to recall the funds, the better the odds of recovering them and limiting the damage. That is where a BEC Incident Response Plan (BEC-IRP) earns its keep.
The Basics of a BEC Incident Response Plan
A BEC-IRP is best written as an appendix to your Cyber Incident Response Plan (CIRP). Ideally, the CIRP already defines what constitutes an incident, when to escalate, and which systems and information are your crown jewels. The strategy for the BEC-IRP is not to redo that work but to cover the areas where the CIRP's generic response does not fit. In a BEC incident, you are almost certainly going to be handling a combination of:
- wire transfers or other financial losses;
- compromised sensitive information, such as employee or customer data;
- potential email server and data breaches of unknown size; and
- branding and reputation issues.
Like any other incident response plan, you should state the purpose of the BEC-IRP clearly. Unless you’re in a special situation, it can be as simple as stating:
“The Business Email Compromise Incident Response Plan (BEC-IRP) documents the strategies, personnel, procedures, and resources required to respond to a BEC incident. Response priorities are to simultaneously: 1) halt and recover any transferred funds or information; and 2) determine whether any internal compromise occurred, remediate it, and follow the CIRP to resolve it.”
BEC-IRP Section 1: Preparation
Preparation is the key to responding to BEC incidents quickly, which in turn increases the chances of recovering lost funds and information.
Within the BEC-IRP Preparation section, consider addressing the following questions:
- Who has what roles and responsibilities during the incident? If the incident involves the transfer of large sums of money, will the Chief Financial Officer (CFO) assume control? Does a member of the finance department have to contact the bank and request the transfer be stopped? Who else can? Is there a way to directly contact the employee after hours if it’s an emergency? After determining roles and responsibilities, make sure everyone is aware of and trained on their components.
- What is the company policy regarding individuals and customers as victims? We learned this was critical when a variant of the BEC emails was changing the direct deposit information of employees. Originally, these attacks began as phishing emails that compromised employee credentials; later variants branched into tricking members of the human resources (HR) and finance departments into making the changes for an executive. Will you accept the business loss and provide a new paycheck, or decide it is the employee's fault? The False Invoice variant also requires a clear understanding of how the company will address losses.
- Will you contact law enforcement to request assistance? Law enforcement has had successes in the BEC arena, including multiple arrests in the United States and overseas. Law enforcement also has experience dealing with BEC matters and working with banks, which may increase the likelihood of recovery.
- If you have cyber insurance, will it cover some or all BEC incidents?
BEC-IRP Section 2: Identification
Unfortunately, identification of a BEC incident is difficult to automate. It relies on training personnel to recognize unusual requests and to always verify financial requests through a second channel (a phone call to a number already on file, never one supplied in the email). Training and education for employees, especially those in HR and finance, will help with the identification of potential BEC messages. Adding a banner or warning to external emails makes it easier to spot spoofed senders. Enabling Domain-based Message Authentication, Reporting & Conformance (DMARC) can block some attempts, with a caveat: it only stops exact spoofing of your own domain, and only when you publish an enforcing policy (p=quarantine or p=reject) and the receiving mail system checks it. It does nothing against a lookalike domain, a free webmail account carrying an executive's display name, or a genuinely compromised internal mailbox, which is why the second-channel check remains the control that matters.
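The tells described above can at least be surfaced to a reviewer even if the final call is a human one. The following is an added example written for this article, not code from the original page: a small triage pass over inbound message headers that flags an executive's display name on an external address, a Reply-To domain that differs from the From domain, a lookalike of our own domain, and a DMARC failure on mail claiming our own domain. The organisation details (OUR_DOMAIN, EXEC_NAMES) and the four sample messages are constructed for illustration.

```python
"""Heuristic BEC triage over inbound mail headers.

Added example for this article, not code from the original page. The sample
messages and the organisation details (OUR_DOMAIN, EXEC_NAMES) are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                 # assumption: the defended organisation
EXEC_NAMES = {"jane doe", "john roe"}      # assumption: people attackers impersonate

# Character swaps that look alike in common fonts; applied before comparing domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain):
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for homoglyph variants and one-character edits of our own domain."""
    if domain == OUR_DOMAIN:
        return False
    n = normalize_domain(domain)
    return n == OUR_DOMAIN or edit_distance(n, OUR_DOMAIN) == 1


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    auth = msg.get("Authentication-Results", "").lower()

    findings = []
    if display.strip().lower() in EXEC_NAMES and from_dom != OUR_DOMAIN:
        findings.append("executive display name on external sender")
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")
    if is_lookalike(from_dom):
        findings.append("lookalike sender domain")
    # DMARC only protects our exact domain; a dmarc=pass for gmail.com says nothing.
    if from_dom == OUR_DOMAIN and "dmarc=fail" in auth:
        findings.append("DMARC failed for our own domain")
    return findings


# Constructed sample messages (headers only; bodies omitted).
SAMPLES = {
    "legit": 'From: "Jane Doe" <jane.doe@example.com>\n'
             'Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n'
             'Subject: Q3 numbers\n\n',
    "display_name": 'From: "Jane Doe" <jane.doe.ceo@gmail.com>\n'
                    'Reply-To: jane.doe.ceo@gmail.com\n'
                    'Authentication-Results: mx.example.com; dmarc=pass header.from=gmail.com\n'
                    'Subject: Urgent wire\n\n',
    "lookalike": 'From: "Accounts Payable" <ap@exarnple.com>\n'
                 'Reply-To: billing@external.example\n'
                 'Subject: Updated bank details\n\n',
    "spoofed": 'From: "John Roe" <john.roe@example.com>\n'
               'Authentication-Results: mx.example.com; dmarc=fail header.from=example.com\n'
               'Subject: Invoice attached\n\n',
}


def triage_all(samples=SAMPLES):
    return {name: triage(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name:13s} {findings or 'clean'}")
```

Note what the "display_name" sample shows: the message passes DMARC, because gmail.com legitimately sent it. Authentication results are only useful for mail that claims your own domain; everything else still needs the human check and the call-back.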
Your escalation procedures for BEC may differ slightly from those for malware or other incidents. In this section, consider who (the cybersecurity team or the finance team) will have the incident lead. The answer might change depending on the type of BEC incident. For example, the finance team will probably have better information about a fraudulent payment, while the cybersecurity team will be better placed to respond to a mailbox breach or data exfiltration.
If your escalation procedures include notifying law enforcement to request assistance, you will want to know which agency to contact first. Often, the FBI, United States Secret Service (USSS), state police, and larger municipal departments have detectives with valuable intelligence on how to respond. The FBI immediately triages BEC reporting by keywords. If the incident meets the thresholds, a Special Agent is notified.
BEC-IRP Section 3: Containment
Due to the nature of BEC incidents, containment may not be the responsibility of the cybersecurity staff. Regardless of who owns it, your BEC-IRP should spell out how to retrieve funds sent by wire transfer or paid to the wrong account: contact the originating bank as soon as the fraud is recognized and ask it to initiate a recall with the receiving bank. The FBI recommends also requesting a “reversal as well as a Hold Harmless Letter or Letter of Indemnity.”
Gift cards are notoriously difficult to cancel once malicious actors have the card number and PIN. Still, contact the issuer right away; they may be able to help you cancel the cards.
In the Account Compromise and Data Theft variants, containment should follow existing CIRP procedures.
BEC-IRP Section 4: Eradication
As BEC incidents frequently do not involve malware, eradication is often limited to the procedures appropriate for the Account Compromise and Data Theft variants, following the existing CIRP procedures for email server/account compromise and data exfiltration. Keep in mind that if an account was compromised and auto-forwarding rules were created on the mailbox or mail server, other sensitive or protected information may also have been exposed. Beyond inbox rules, check the mailbox-level forwarding setting, newly granted delegate or mailbox permissions, OAuth application consents, and changes to registered MFA devices, since these are the other ways an attacker keeps reading mail after the password has been reset.
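Inbox rules are the most common of those persistence mechanisms and the easiest to review in bulk. The following is an added example written for this article, not the author's code: it audits a JSON export of mailbox rules shaped like the output of `Get-InboxRule | ConvertTo-Json` from Exchange Online (the field names follow that cmdlet; the rule contents, the external.example addresses and OUR_DOMAIN are constructed). It flags rules that forward or redirect outside the organisation, rules that delete or bury mail matching finance or security keywords, and rule names chosen to be invisible in the client.

```python
"""Audit exported inbox rules for the persistence a BEC actor leaves behind.

Added example for this article, not the author's code. The export below is
constructed to resemble `Get-InboxRule | ConvertTo-Json`; its values are made up.
"""
import json
import re

OUR_DOMAIN = "example.com"   # assumption: the defended organisation
SUSPICIOUS_WORDS = {"invoice", "payment", "wire", "bank", "password", "phish", "hacked", "fraud"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed export; four rules from one mailbox.
SAMPLE_EXPORT = r"""[
  {"Name": "Move newsletters", "Enabled": true, "ForwardTo": null,
   "ForwardAsAttachmentTo": null, "RedirectTo": null, "DeleteMessage": false,
   "MoveToFolder": "jane.doe:\\Newsletters", "SubjectContainsWords": ["newsletter"]},
  {"Name": ".", "Enabled": true,
   "ForwardTo": ["\"Jane Doe\" [SMTP:jane.doe.recovery@external.example]"],
   "ForwardAsAttachmentTo": null, "RedirectTo": null, "DeleteMessage": false,
   "MoveToFolder": null, "SubjectContainsWords": null, "MarkAsRead": true},
  {"Name": "Invoices", "Enabled": true, "ForwardTo": null,
   "ForwardAsAttachmentTo": null, "RedirectTo": null, "DeleteMessage": false,
   "MoveToFolder": "jane.doe:\\RSS Feeds",
   "SubjectContainsWords": ["invoice", "wire transfer"]},
  {"Name": "Old forward", "Enabled": false,
   "ForwardTo": ["\"Old Contact\" [SMTP:someone@external.example]"],
   "ForwardAsAttachmentTo": null, "RedirectTo": null, "DeleteMessage": false,
   "MoveToFolder": null, "SubjectContainsWords": null}
]"""


def external_addresses(recipients):
    """Pull SMTP addresses out of recipient strings and keep the external ones."""
    found = set()
    for entry in recipients or []:
        for addr in ADDR_RE.findall(entry):
            if addr.rpartition("@")[2].lower() != OUR_DOMAIN:
                found.add(addr.lower())
    return sorted(found)


def keywords(rule):
    """Individual words from the subject/body conditions, lower-cased."""
    phrases = (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])
    return {w for p in phrases for w in re.findall(r"\w+", p.lower())}


def audit_rule(rule):
    """Return the findings for one rule (empty list means nothing suspicious)."""
    findings = []
    if not rule.get("Enabled", True):
        return findings                   # not acting now; still worth a manual look
    targets = []
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets += external_addresses(rule.get(field))
    if targets:
        findings.append("forwards to external: " + ", ".join(sorted(set(targets))))
    # MoveToFolder looks like "mailbox:\Folder"; keep the folder name only.
    folder = str(rule.get("MoveToFolder") or "").rpartition("\\")[2].lower()
    hits = keywords(rule) & SUSPICIOUS_WORDS
    if hits and (rule.get("DeleteMessage") or folder in HIDING_FOLDERS):
        where = "deleted" if rule.get("DeleteMessage") else f"buried in {folder}"
        findings.append(f"messages matching {', '.join(sorted(hits))} are {where}")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 1:
        findings.append("obfuscated rule name")
    return findings


def audit(export_json):
    """Map rule name -> findings for every rule that has at least one."""
    result = {}
    for rule in json.loads(export_json):
        findings = audit_rule(rule)
        if findings:
            result[rule.get("Name") or "<unnamed>"] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_EXPORT).items():
        print(f"{name!r}: {'; '.join(findings)}")
```

Run it against a real export with the target organisation's domain in OUR_DOMAIN. Inbox rules are only one channel: the same review should cover the mailbox-level forwarding properties reported by `Get-Mailbox` (ForwardingSmtpAddress and ForwardingAddress) and any organisation-wide transport rules, because an attacker who has lost the password will often have left one of those behind.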
BEC-IRP Section 5: Recovery
BEC incident recovery, outside of the Account Compromise and Data Theft variants (which are covered under the CIRP), is often limited to financial tasks: recovering the funds and re-budgeting to accommodate whatever is not recovered. One of the most critical components for recovery is identifying financial contacts in advance. Note also that the recovery steps may belong before the eradication section in your plan: a bank recall is very time-sensitive and should not wait for account clean-up to finish.
The FBI-developed Financial Fraud Kill Chain (FFKC) has had multiple successes in helping victims recover funds. It is available through all local field offices, should you choose to report the incident to law enforcement. Through the FFKC, the FBI is able to activate the resources of the Financial Crimes Enforcement Network (FinCEN), including its contacts with banks and international law enforcement, to stop the withdrawal of cybercrime funds. The FFKC can be initiated when all four conditions hold: the wire transfer is for $50,000 or more, it is international, a Society for Worldwide Interbank Financial Telecommunications (SWIFT) recall notice has been initiated, and the transfer occurred within the last 72 hours. Access is through your local field office or through BEC reporting at IC3.
BEC-IRP Section 6: Lessons Learned
Following up after the incident with a lessons learned review and the identification of compensating controls (for example, mandatory call-back verification for any change to payment or direct-deposit details) is an important final step, because once a company is identified as susceptible to BEC, malicious actors may try similar techniques again. While drafting this part of the BEC-IRP, make sure to include the finance and HR departments in the discussions.