Skip to content ↓ | Skip to navigation ↓

U.S. law enforcement learned that email attackers are using auto-forwarding rules to help them to perpetrate Business Email Compromise (BEC) scams.

In a Private Industry Notification published on November 25, the FBI revealed that some BEC scammers are now updating the auto-forwarding rules in the web-based client of an email account they’ve compromised.

The FBI explained this tactic is predicated on the hope that administrators did not actively sync the web and desktop email clients of the victim organization, thereby limiting visibility into malicious activity:

While IT personnel traditionally implement auto-alerts through security monitoring appliances to alert when rule updates appear on their networks, such alerts can miss updates on remote workstations using web-based email. If businesses do not configure their network to routinely sync their employees’ web-based emails to the internal network, an intrusion may be left unidentified until the computer sends an update to the security appliance set up to monitor changes within the email application. This leaves the employee and all connected networks vulnerable to cyber criminals.

Indeed, attackers can use auto-forwarding rules to send copies of all incoming messages to an account under their control.

They can then inject themselves into conversations involving vendor payments and other financial transactions in order to perpetrate a BEC scam. This type of attack caused $1.7 billion in losses in 2019, according to the FBI’s 2019 Internet Crime Report.

The FBI went on to add that a system audit might not pick up on the auto-forwarding rules if it doesn’t audit both the desktop and web-based clients.

Subsequently, email attackers could maintain access to a compromised account’s emails even after a financial institution or law enforcement has warned an organization that they might have been a victim of a potential BEC attack.

News of this technique highlights the need for organizations to defend themselves against business email compromise attacks. They can do this by following these best practices.