[Webcast Transcript] Anatomy of a Business Email Compromise

Editor’s Note: This webcast brings together some of HaystackID’s top experts to dissect the intricacies of Business Email Compromise (BEC) attacks—a rapidly growing threat impacting organizations globally. During the presentation, HaystackID’s cybersecurity and information government experts guided attendees through the phases of BEC attacks, from early reconnaissance and attack execution to exploitation, highlighting the vital steps for prevention and recovery. Attendees walked away from the webcast with actionable insights to bolster their organization’s security posture, from implementing robust employee training to having the proper controls to using multifactor authentication. Read the full transcript to learn how to strengthen your organization’s security posture.


Expert Panelist

+ Shawn Belovich
Senior Vice President of Digital Forensics and Cyber Incident Response, HaystackID

+ John Brewer
Chief Artificial Intelligence Officer and Chief Data Scientist, HaystackID

+ Kevin Golas
Managing Director, HaystackID

+ Nate Latessa
Executive Vice President of Advisory Services, HaystackID

+ Michael D. Sarlo
Chief Innovation Officer and President of Global Investigations and Cyber Incident Response, HaystackID


[Webcast Transcript] Anatomy of a Business Email Compromise

By HaystackID Staff

During the recent webcast, “Anatomy of a Business Email Compromise,” HaystackID’s cybersecurity and information governance experts gave a comprehensive overview of the business email compromise (BEC) threat landscape, beginning with a breakdown of the phases involved in these attacks. HaystackID’s Shawn Belovich, John Brewer, Kevin Golas, Nate Latessa, and Michael D. Sarlo guide attendees through how BEC attacks unfold, from initial reconnaissance to actual exploitation. Each phase is dissected, showcasing common techniques like phishing, spoofing, and social engineering, alongside actionable steps organizations can implement to bolster defenses.

A major takeaway from the webcast is the importance of employee training, multifactor authentication, and maintaining strict security controls. The experts emphasize that while simple measures like password updates and email monitoring are foundational, ongoing vigilance and incident response plans are essential. They discuss the increasing sophistication of BEC attacks, particularly with the rise of generative AI (GenAI), which enables attackers to create highly convincing, tailored phishing schemes. This evolution underscores the need for continuous security education, robust monitoring, and up-to-date cybersecurity protocols. The expert panelists shared real-life case studies to illustrate how even seemingly minor breaches can escalate into significant financial losses, legal challenges, and reputational damage. In particular, the panel addresses the critical role of third-party vendors in these incidents, pointing out that an attack through a compromised vendor’s email can ripple through an entire organization, causing extensive operational disruptions and financial losses.

Read the full transcript for security best practices, including deploying managed detection and response services, implementing email security solutions, establishing clear response protocols, and engaging legal support early on during incidents.

Transcript

Moderator

Hello everyone, and welcome to today’s webinar. We have a great session lined up for you today. Before we get started, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please use the same question tool, and a member of our admin team will be on hand to support you. And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.

Michael D. Sarlo

Thanks so much, Mouna. Hi, everyone, and welcome to another HaystackID webcast. I’m Michael Sarlo, your expert moderator and lead for today’s presentation and discussion, “Anatomy of a Business Email Compromise.” This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve in achieving your cybersecurity, information governments, eDiscovery, data, privacy, and everything data goals. We are recording today’s webcast for future on-demand viewing. We’ll make the recording and a complete presentation transcript available on the HaystackID website. Check out our learning library on the HaystackID website. We do these presentations several times a month, and there’s a wealth of information up there on so many different topics, so really encourage anybody to go and check that out. I’m looking forward to presenting today alongside my colleagues as we guide you through the anatomy of a business email compromise attack and strategies your organization can deploy to detect and prevent BEC attacks. But before we jump in, I’m going to ask each speaker to introduce himself. Shawn Belovich?

Shawn Belovich

Hi, everyone. I’m Shawn Belovich. Thank you for joining us today. I’m a Senior Vice President of Digital Forensics and Cyber Incident Response here at HaystackID. I’ve been in the digital forensic space for about two decades and have worked in boutique firms to support high-profile matters such as Deepwater Horizon litigations. Eventually, I worked my way to the White House in 2013 and served until 2018 as a deputy chief information security officer. I managed the records management, information governance, forensics, eDiscovery, cybersecurity, insider threat, and data loss prevention teams. Ultimately, I was responsible for all electronic data, so anything you would see on the news was my team behind the scenes doing the investigations. I can honestly say it’s like operating under the world’s biggest spotlight. Since the White House, I’ve been a partner in large global consultancies as a subject matter expert in forensic investigations, eDiscovery, and cybersecurity. Now, focusing on business email compromise, what’s my role? Generally, I’ll be the first or one of the first calls from my clients or councils. I’ll get some sort of narrative like, “One of our employees clicked on a link,” and then we can fill in the blank, or “We had a fraudulent payment go out.” From there, I will assure the client or council that everything will be okay, and then we’ll proceed to engage the appropriate teams. I’ll oversee the matter lifecycle which, as you will see later in the presentation, could be small in scope or extremely complex. So again, thanks for being here today, and I’ll turn this over to my colleague, John Brewer.

John Brewer

Thanks, Shawn. I’m John Brewer. I’m the Chief Artificial Intelligence Officer and the Chief Data Scientist at HaystackID. I’ve been in the data and AI space since the late ’90s, and I worked in a variety of different roles before landing in legal. I worked in data migration for SAP and ARP systems for eight or nine years. I went and worked in IT for years after that, both for other people and at my own firm. I landed with HaystackID about almost 10 years ago now, where we were one of the first organizations to bring Slack into the eDiscovery fold. Something that’s now a key component of any collection that you see happening today is those collaboration apps. And I’ve been honored to continue keeping HaystackID at the forefront of collection capabilities and being a le to deal with basically any data type that comes down the road. Then, of course, in the past two years, also having front row seats to the GenAI revolution and being able to shepherd both our organization and really the industry into kind of a new age of tooling and capabilities. And as Mike mentioned, we have a number of other talks about that in our knowledge base that you can go and look at online once we’re done with this presentation if you’re interested in that. So I’m going to pass this on to my colleague, Kevin.

Kevin Golas

How are you doing? I’m Kevin Golas. I’m currently the Managing Director of Cyber Advisory Services here at HaystackID. Before that, like my colleagues, I’d been in the industry for about 20 to 25 years doing cybersecurity forensics, risk management, and data compliance. I’ve worked at companies like T-Mobile, helped them start their investigations and fraud practice, went to Grant Thornton, and helped them start their cybersecurity and risk management practice as well. And then, I’ve gone most recently to OpenText to help them start their cybersecurity division, including managed detection and response, business email compromise like we’re going to talk about today, and managed security operations centers as well. On to you, Nate.

Nate Latessa

Thanks, Kevin. Nate Latessa, I’m the Executive Vice President of Advisory Services here at HaystackID. I started my career about 22 years ago in the eDiscovery space and started one of the early eDiscovery companies. After running that for about six or seven years, I decided to pivot my career and focus more on information governance. I started to see how poor data hygiene and lack of classification lead to increased costs, litigation, and risk. I really wanted to get closer to information at the point of creation, not at the end of litigation. I started working for various software companies. I created my own software company and ran that for several years and again, with the goal of helping companies understand where their critical sensitive data was and how to reduce their attack surface. So, in the event of a breach, you can limit the blast radius.

Today, I find myself kind of straddling both worlds on the IG side and the cybersecurity side. I’m often brought in when there is a breach to help the incident responders understand where pockets of sensitive information are and how best to respond based on that. I’ll turn it over to you, Mike.

Michael D. Sarlo

Thanks, guys. So I’m Mike Sarlo. I’m HaystackID’s Chief Innovation Officer and President of Global Investigations and Cyber Response Services. In my role, I work closely with HaystackID’s operational leaders, software teams, our data science teams, and really just anybody doing anything that touches data in the organizations to craft solutions that allow legal teams to act on data types, typically not conducive to collection, review, or production in the context of eDiscovery. I work with clients on the most challenging and complex regulatory, investigative, and civil litigation matters. By way of background, I’m a digital forensics examiner with EnCE, a CBE, and I am an RCA. I’ve done it all. I’ve managed large-scale eDiscovery teams. I started our digital forensics practice here at HaystackID. I also oversee HaystackID’s Cyber Discovery and Incident Response Services, a cross-functional team of experts that regularly assist insurers, breach coaches, and our victims who are often like corporate clients responding to a breach along various components to that on the DFIR side. Today’s topic is on a business email compromise, so BEC is basically the simple thing that happens: somebody gains access to some type of threat actor or gains access to an email account at varying levels of depth. This is done via a combination of social engineering-like techniques. It can be as simple as a password found on the internet, and two-factor authentication is not enabled on an account. And so there’s a myriad of ways that these attacks begin. Sometimes I think when folks think of a BEC, they think of it as a smaller attack, but they have a tendency to sometimes be the gateway to much larger and very costly attacks. And so, that’s something we’ll be talking about today, and here’s the agenda as well. We’re going to talk a little bit about the pre-attack phase. This is the reconnaissance phase. How are attackers identifying and selecting targets? When you think about cybersecurity and the threat actor landscape, there’s a whole means of production and a business. These are many different groups that do many different things that are highly specialized, and they work together oftentimes in various marketplaces to accelerate access to an organization’s data. And so, you’d sometimes find that the folks who gained access to your account initially may not be the ones who are exploiting you. We’re going to talk about the attack phase.

How are these actually executed? This is going to be things like spoofing attacks, phishing emails, malware insertion, and text messages. Everybody’s getting a ton of fraudulent text messages lately that try to get you to click on links. The next thing you know, you’re entering some credentials. Well, I hope nobody on this call is doing that. Maybe they will mirror your email, or it’s another account. So, this account exploitation is a key element when considering a BEC. However, they’re rather specific for email, so we should really be thinking about how our accounts are generally exploited, which brings us to the post-attack phase, which is exploitation. How do folks make money? There’s a fund transfer. You might get tapped into… I’m sure everybody gets a weird email that says, “Hey, I’m from a spoof-like CEO email. Please, I need some Starbucks gift cards.” That’s a very small version of it. Usually, we see much larger sums happening. Data exfiltration and data shaming are the most common modalities for extortion on the most large scale, like ransom events. In the event that a ransom event or a BEC turns into a ransom event, you oftentimes see large quantities of sensitive data. It’s extracted from the network. They sometimes will ransom you and lock your files. But the big threat is that data is being exposed on the dark web. And we’re going to talk about that, and then we’ll wrap up with some key takeaways. That figure definitely increases with the global impact of over $55 billion in exposed losses from 2013 to 2023. As we’re seeing here, there was a 9% increase in identified global exposed losses from December ’22 to December 2023. You’re going to see this increase significantly. This is largely due to generative AI being used in social engineering to make foreign actors appear much more like the person they’re trying to impersonate.

We could have a whole presentation on deepfakes and whatnot, but generative AI has given these dangerous threat actors a lot of capability to target many different organizations in mass. So it makes them look more lifelike and act and sound that way via email. It also gives them much more firepower to hit multiple organizations, accounts, and individuals simultaneously. So you’ll see this go up. Our data shows that 95% of losses related to a BEC were between a few hundred bucks and a million dollars, so a million dollars sometimes a single email account. And I always like to point out there’s a difference, I think. We talk about the cost of an exfiltrated record in any organization during any cyber incident. Non-healthcare organizations, somewhere between about 150 and $175 per exfiltrated record. Staggering. This includes all the incident response, closing the lab, the technology-like solutions, the public relations, dealing with the lawyers, that’s when the costs really start to balloon, dealing with the data mining, dealing with the notifications, and the mining of sensitive data, all those regulatory issues. When you’re in a healthcare setting, that balloons to somewhere between $450 to about $475 per exfiltrated document. And for some reason, organizations in the US tend to have much higher losses than those folks in Europe. Nate, would you like to discuss some of the organizational disruptions we see here?

Nate Latessa

Sure. I think, I mean, any breach is obviously going to be disruptive, but for business email compromise, I mean, number one, it’s going to severely disrupt your organization’s operations by infiltrating your email system, deceiving employees into executing fraudulent transactions, like Mike said, leaking sensitive data potentially, or compromising financial assets. So, I mean, this will obviously interrupt normal workflows within the organization and the business. It will drain financial resources because of the resources required to respond and recover from this. One of the things that’s probably the hardest to quantify is what harms your customer’s trust that you’re protecting their data and information. It’s really tough to quantify what the dollar amount of that is. And so, from a recovery standpoint, this email compromise always often requires extensive recovery efforts to repair compromised systems and obviously all the costs and everything else and the disruption to your business continuity that goes along with that.

Kevin Golas

For the types of business email attacks, I think the one pretty much everyone knows is phishing emails. I’m just going to walk through each one of these attacks, give you a basic definition of it, and then give you an example of it just so we can highlight the different attacks because it’s kind of amazing. Everyone thinks about phishing email attacks, but as you can see, there are a lot more attacks that are associated with emails, kind of the attack vector, but then what is their purpose for actually getting into that email or that person’s email to be able to accomplish X, right? So phishing emails involve saying a fraudulent email that appears to be from a legitimate source to trick the recipients into revealing sensitive information. For example, you receive an email that looks like it’s from your bank asking you to verify account information by clicking on a particular link. As Mike talked about, there’s a lot that is actually kind of going down into the text messaging. I can’t tell you how often friends or family have told me, “Kevin, do you think this is a malicious attack?” And I’m like, “Did you order anything from UPS?” “No.” “Then, I wouldn’t click the link because it probably is,” right? So it’s just amazing to me how a lot of people just don’t even really think about what is being asked of them, and most of them would actually click on it without even thinking twice. So phishing emails are probably the most prevalent out there, kind of casting a wide net. There’s a spear phishing email that is a little bit more targeted, kind of looking for that particular focus into that company or that individual in the organization, and they’ll personalize that email to make it a little bit more convincing.

An example would be an attacker sending an email to the company pretending to be the CEO. So, the CEO might email the CFO asking to transfer funds to a new account or open up a new one. It seems legitimate. You’ll be surprised how you would think the CFO would call the CEO to validate. I’ve seen up to, like Mike was talking about, up to a million dollars and more. We’ll walk through one of the case studies a little bit later in the presentation, transferring funds without actually picking up the phone call, just doing it from an email that they received, which would’ve been out of the ordinary, but still transferring those funds and making that transaction happen. Account compromise: it’s a more specific type of business email compromise where attackers will gain unauthorized access to an employee’s email. So, like Mike was talking about and Nate were talking about compromising that email account of the CFO, of the CEO, or even a manager of the accounting system to be able to then kind of utilize that account that they’ve taken over or they’ve compromised to send fraudulent emails to try to also make sure that their attack is going to come from an insider email if you will. Then, vendor email…

Michael D. Sarlo

Let me just jump in real quick right there, too. And so, sometimes, it’s not just internally in that organization. In fact, many times, we start seeing finance accounts go down. It is emails that go out from that email account to all of the victims, like customers that they impersonate. These account compromises can be very dangerous because all of a sudden, they turn into 3,000 emails that go out from an accounting inbox asking all of your customers to pay bills or send money X, Y, and Z there. So they’re very effective. Go ahead, Kevin.

Kevin Golas

Yeah, like the next one, the vendor email, you just talked about it, Mike. And to give you an example of that, I have a… For a two-year period, there was over $120 million that was victimized. It was $120 million. I think the person got caught, served, was five years in jail, and had to pay back a total of $75 million. So, that leaves $45 million of actual benefit from that person using that vendor email compromise. As I said, he did it over a two-year period. To Mike’s point, it’s not only internal. It’s also known that vendor management, or that a third party asking for vendor A to send it to vendor B, and then vendor B is the actual attacker itself. And then, there are other ones, like payroll diversion, right? The attacker gains access to an employee’s payroll portal and changes the direct deposit information and/or their bank account for where their pay stubs or payments will go. You have CEO fraud. It’s another business email compromise where the attacker impersonates a high-ranking executive, as we discussed earlier in spear phishing. But this is actually a CEO, so it sends, and we’ll go through that and have an example of that as well. Still, an attacker sends an email to the finance department pretending to be the CEO to give wire instructions to send to a fraudulent account. Then the other one I wanted to talk about is attorney impersonation. Believe it or not, there are actually attorney law firms out there. They will pose as the law firm. There might be a high-profile case or a case in the news. What they’ll do is they’ll actually pose as that legal representative of that law firm, have them transfer the funds to a different law firm or to a fake law firm, and that’s what they’ll do. They’ll do an attorney impersonation. The last two are data theft and trying to get into a person’s emails to compromise and steal customer information. Then, I think malware attacks, different malware attacks, and ransomware attacks are probably pretty much widely known, but a lot of those start from actual business email compromise.

Michael D. Sarlo

And sometimes these folks are really lying and waiting, right? They may gain access, and they gain access in an undetected manner, and they sit for a very long time. They might be really watching communications in M&A deals. That’s where we sometimes see things go a little nuts, such as an account may have been compromised, or sometimes they see there’s an M&A deal going on. All of a sudden, money starts getting sent all around to different shareholders and things like that. They insert themselves into the mix. And I would say, in general, law firms and consulting firms are huge targets for threat actors, right? They’re looking to gain access to these organizations in particular.

Shawn Belovich

Mike, I’ll piggyback off of that quickly. You mentioned that threat actors are basically hiding and sitting. I could not agree more. I’d also say that they’re often hiding in plain sight once a threat actor makes their way into an email chain with a spooked email. I’ve seen occasions where they’ve been on emails for months back and forth to your point, so when we say hiding, sometimes they’re hiding in plain sight. They’re right there in front of our clients. So, I just thought that was an interesting point.

Michael D. Sarlo

Totally. And they’re collecting access to other systems. Go ahead, John.

John Brewer

Yep, no worries. So yeah, now, we just want to talk a little bit here about exactly what you’re talking about, the pre-attack phase, the reconnaissance of the targets, and it’s important to understand that there are two broad categories here when an attacker is identifying the target. There are occasionally attacker groups who will target specific organizations. For instance, a political campaign or a very large major corporation that they know that they want to infiltrate, that they want to affect, they want a target, they want to perform some sort of malfeasance against, but much more often and the risk that presents to the much larger population of people is opportunistic attacks. The malware actors and the attackers, in this case, don’t particularly want to put in a huge amount of effort if they’re in it for the money. And so, what they’re going to be doing is they’re going to be looking at other breaches, other data leaks, leaked credentials, and things like that anytime somebody opens up their organization to an attack. That’s why you see all of these badly crafted text messages and emails go out, as Kevin mentioned earlier. To a certain extent, you will capture a couple of people, but also, they sort of self-select for people who aren’t necessarily paying attention either because they don’t have a lot of experience in the particular domain the message is talking about. They get a message saying that a shipment was made. They’re not in shipping. They don’t handle shipping for the organization, but they think, “Okay, maybe my phone number ended up on some shipment, and I need to go look at this so I can route it correctly internally.” That’s enough to get that person into the chain.

Once those weak points in the organization have been identified, that is now an identified target. The attackers follow up. They research. They use public information from corporate websites, social media, LinkedIn, Bloomberg, and all kinds of the various places around which we leave information about ourselves and our organizations. Once they’ve identified employees that they’re interested in, they can go into that individual’s Facebook accounts, Instagram, TikToks, and whatever else is out there. This is why you get cybersecurity training about how to act on social media. It’s because once a threat actor has zeroed in on you, anything you have, whether it’s business or not, can be part of their collateral. They’re going to be gathering information. They’re going to be learning about you. They’re going to be looking to see whether your usernames on those organizations match them in other locations. They will look at leaked password lists to see whether or not they can get credentials from them. It is also critically important to understand that nobody is immune to this. Even if you’ve received the best training, even if you live and breathe, even if you’re a cybersecurity professional who does this day in and day out, everybody has moments where they aren’t paying attention, where they are distracted, or they’re not fully engaged with what they’re doing. That is just the opportunity for a threat actor to identify you as a weak point in the organization and for you to become a focused target. And once you’ve become a focused target, it’s much harder to get out of that train. So, Shawn, do you want to talk a little bit about the anatomy of an execution here?

Shawn Belovich

Yeah, absolutely. So when we look at actually how the execution happens, you have very, I would say, simple, more generic like spoofing for example. It’s where attackers can create email addresses that look nearly identical to the actual email address, and you just take a look at a capital I next to a lowercase l, for example. They look nearly identical, so it really feels like in the situation, you can really make an email address look nearly… Even to experts, they look nearly identical, so that’s spoofing. They do the same with domains across the board. Phishing emails, I think phishing emails at this point; everybody has seen tons of them. We know what they are. I would say with GenAI and the like, they’re getting much, much more authentic looking. They do make you think. So phishing emails will remain honestly one of the biggest ways to execute a BEC and then obviously, malware. As Kevin alluded to earlier, malware is there. It will always be prevalent when you click or download that attachment, it will go to town and do what it’s meant to do.

John Brewer

If I could just jump in there real quick, the phishing emails, I think, have a connotation of being like for a 419 style, broken English, just kind of crazy emails. Once somebody has been identified in the organization as being impersonated in one of these business email compromises, it is very easy for somebody to find a copy of their signature, of their email signature, put it on an account that looks almost identical to theirs and start sending out emails as that person. And it can be very difficult for somebody who is receiving that email unless they’re paying very, very, very close attention to distinguish between the true user and the attacker, especially if the true user’s email is already outside the organization like executives that are using their G Cloud or their Google emails for business purposes that are already getting flagged as being outside the organization anyway. We have repeatedly seen incidences of just very small changes in a domain name being used to impersonate somebody that otherwise has the same signature with the same font, with the same name, and all of those other attributes the same. So phishing emails are not just like, as we said, trawl phishing. You can have spear phishing attacks where you have very, very good doppelgangers of actual people, and that’s how these BECs continue to operate.

Michael D. Sarlo

Yeah, and those phishing attacks might also be combined with a phone call. I mean, the impersonation is getting that good, right? Somebody says, “Hey, this is so-and-so from Bank of America. There’s been an account compromise. Please give us your password.” They already have access to your computer or your account. This is how sophisticated these are becoming, so you need to be careful. I’ve had some calls where, “Hey, we see you’re a registered blah, blah, blah voter,” and it just doesn’t sound right. And so be very careful about these cold calls that you’re getting. Sometimes they should raise hairs on your neck if you’re doing certain computer activity at the same time or mobile phone.

John Brewer

We can see a fund transfer or other kinds of exploitations that are ending up in these as a result of these attacks. Fund transfer is kind of the most direct way of materializing these or monetizing these attacks. And usually, it just comes as an email from a trusted source changing a piece of bank information. Sometimes it doesn’t even come with an invoice. They know who a vendor is. They frame it as just a normal, “Hey, we’ve changed our bank from here to there. Here’s our new information. Please send all invoices going forward to this information.” Usually, that will be a bank in some overseas location where it would be very, very difficult to reverse transactions or otherwise cancel out anything after the fact. If it’s a domestic transfer, there are usually some actions you can take legal, financial, or otherwise to get that money back, but once it’s in Hong Kong, you’re probably never going to see those dollars again. Then, data exfiltration and shaming. Mike was just talking about this earlier where we have sensitive data that goes out on the internet. These are usually the data breaches that you hear about in the news where somebody’s customer records, health records, insurance records, school records, or some other huge pot of information about the public gets out onto the internet. It’s kind of a dual attack vector in that one, it’s a huge reputational impact for whoever gets hit, and it can be an enormous legal impact. Usually, after something like this goes out, you have a whole bunch of legal organizations who are going to be downloading the data, they’re going to be contacting the people in that, and there’ll be a class action suit or a bunch of class action suits following up after something like that. That works to the attacker’s advantage because the attacker knows that the victim knows that that’s how this is going to go down. And they kind of come to the victim and say, “Okay, you don’t have to go through this enormous legal activity, and you don’t have to go through all these class actions, and nobody has to know about this if you pay the ransom.” An organization that is looking down the barrel of spending $100 million on legal costs versus paying $3 million to this attacker, you can understand why or what the incentive there is for an organization that has already been hit.

Michael D. Sarlo

And I think it goes beyond that, beyond the legal bills, right? Because it’s their customers usually. It’s their data. It’s somebody else’s data that you’re the custodian of many times, not always, depending on the nature of the victim’s business, but there’s that reputational harm when your data is going to be dropped on the net. And somebody might say, “Well, hey, we’re a huge customer of yours. Why didn’t you pay this ransom? Why didn’t you pay them?” And so, it’s very tricky to navigate for organizations, for sure.

John Brewer

Yeah, no, absolutely. And in the US, the FBI does try to provide guidance on how you should handle that, but obviously, every organization makes its own choices on how they’re going to handle that. Now, the follow-up problem with a data dump like that, especially if it’s things like passwords or user information or password hints or anything like that, is that follow-on attacks can happen. This is why one of your little training or know before classes or whatever will tell you never to use the same password on two different sites because if it gets broken on one site, it can get broken on another. And, in fact, there are tools out there that attackers can use to not only try your password on other sites but to go out and try variations on your password. If all you’re doing is on each site, you change a number in your password, they’re going to be able to target that. The reason that they can do that, and cutting back to our earlier slide, is because once you have been identified by these phishing emails, by these mass text messages, once you have been found as a link in that chain, they’re suddenly not having to run 50,000 passwords for everybody on this list of a million passwords broken. They just have to find your password and then try 10 million different variations of it in order to get into your account. So that’s the second danger that really comes from these data exfiltrations and data shaming attacks when we’re talking about user data being exfiltrated. And then, threats of dropping data-

Michael D. Sarlo

I’m going to give a shameless plug, but we have technology that’s proprietary to us: Protect Analytics, which is designed not only to detect sensitive data and pre and post-breach sets from a PII standpoint, a PHI standpoint, but also will detect things like credentials and encryption keys and things like that. And that’s a blind spot, I think, in the industry for post-breach response, and we find passwords all the time in large data sets, and it’s something that once you tell the CISO, they’re very happy, but in general, it’s not standard care with the way that certain vendors are engaged to do that type of sweep on the exfiltrated set.

John Brewer

No, absolutely. Good point, Mike. And then, of course, the threat of dropping data on the dark web, which you’ve already touched a little bit on Mike in terms of the reputational damage it does to an organization and damage to relationships between customers and vendors and organizations and the public and organizations and regulators. It’s just bad times all around. Do you have anything you want to add there?

Shawn Belovich

The one thing I wanted to talk about, John, as you went through the exploits and the like is not every BEC, not every company is equal, right? So a small company can be hit with a BEC and get a $10, $15, or $20,000 fraudulent payment. That happens every day, probably every minute of the day, every single day, right? Then, you have big companies that are going through much larger. So sometimes I think it’s important to realize that even the small companies get hit with what industry it looks like as a small payment or a small issue could be very impactful for these companies as well. So with that, I’m going to pivot here to our first case study. I’m just going to give a quick summary. So Maire Tecnimont is headquartered in Italy, and this is interesting. It’s a combination of BEC attacks. So in this situation, a Chinese-based threat actor group spoofed the company’s CEO and convinced the India-based entity to wire funds to support an acquisition. In this situation, threat actors actually went as far as to hold fake conference calls on the same topic. They labeled the acquisition as highly secret, and highly confidential so that folks wouldn’t be talking about it and checking up on it, and they use these calls and confidentiality to help bolster their claims here. So through a series of, I think, it was three payments, the company has lost more than $18 million, and I thought it was interesting. The company self-identified this particular incident as fraud and not necessarily a cyber attack per se. So I just wanted to kind of run through that. We can move to the next one. All right, we can jump on. I just did a quick summary here. We’re running tight on time.

Nate Latessa

Yeah, I think this one’s mine here, the vendor email compromise. So when you think about the impact of business email compromise, it’s amplified really when it involves third-party vendors because it expands basically the attacks’ reach and complexity. So in a vendor-related BEC, attackers often gain access through a compromised vendor account, using it to impersonate trusted contacts in that organization and request sensitive information, payments, or other unauthorized access to the organization’s systems. And because the third-party vendor frequently handled aspects of a business such as payment and logistics, this attack can really ripple through your organization quickly leading to unauthorized transactions, data breaches, operational downtime, and all the bad things. Additionally, I mean, vendor-related BEC incidents are… They’re complex, right? Because of incident response now, you have to take into account these cross-organizational dependencies, making it really difficult to determine the scope of the breach, difficult to track fraudulent transactions and communicate efficiently through all the affected parties. So as a result, organizations, again, go back to the financial losses, regulatory penalties, and reputational damage from these types of breaches like this. Again, it’s just third-party risk is one of those things that most companies are nervous about because it’s difficult to control what the organization’s doing from a security standpoint to protect your information.

Michael Sarlo

This is for me. This is just simple. Large healthcare organizations experienced a significant payroll diversion attack. Healthcare providers in particular are especially prone to these because there are so many different payments flowing between insurance companies, suppliers of medical equipment, license fees, software vendors, and third parties that are doing different things in the medical industrial complex. And so, just here’s an example where a specific system that included managers and employees that were managing that payroll system, they gained access to these accounts, and they then used spoofing emails to impersonate HR and executives. They sent phishing emails to managers to capture more credentials. Once the payroll managers entered their credentials in the fake pages, the attackers gained access to the payroll system, and then they went buck wild. And this was a pretty significant win for them. Some of these diversions can net millions of dollars and can be very painful for an organization, and your ability to recover from an insurance standpoint is limited in many policies. This is something just to be aware of that these grow, right? They start with an email account. Then, they gain access. They’re sitting there. They’re watching you. They’re watching your behavior. Who do you communicate with? They start to impersonate those folks. Then, you get these very realistic login pages that look just like a company login page. They might have your logo. They might be embedded into actually a reputable site, and they’re sitting somewhere within that site hidden with somewhat of a fake redirect or a different page. And so, they’re very good, and I’ve had some come to me, the different types of phishing emails that we just knew, but we investigated. And I’m amazed at the quality of some of these that are coming out in attacks even in the past few months, so definitely something to be aware of.

Kevin Golas

We talked about some of the compromises that have been in the news. We talked about some of the compromises that we’ve worked on and that we’ve seen. I just want to kind of quickly go over some lessons learned. I mean, I can’t tell you how many times when we’re working on BEC compromises to understand that a lot of companies still today do not have multi-factor turned on. I mean, I said in one of the previous lectures that passwords to me are almost a thing of the past. If you had the MFA, the password itself becomes less important, right? Now, you need to have that multi-factor authentication turned on, which is going to protect you against the compromise of attackers if they gain your passwords like John, Mike, and Shawn were talking about it and Nate was talking about on the dark web. You can go buy passwords. You can go do these things on the dark web. Well, if you just buy the password but you don’t have that cell phone or that actual biometrics, then you’re not going to gain access to the account and it becomes a lot less risky having that kind of defense in depth. And then, I would actually go into continuous monitoring. We kind of talked about it a little bit, having an MDR, managed detection and response, service that’s going to look at your emails. It’s going to look at your endpoints. It’s going to look at your servers, your cloud instances, having that total view and monitoring of what’s happening on an hour-by-hour, minute-by-minute basis, and to understand when behaviors kind of go outside of the norm to be able to detect those as well. Then, I would say training, right? I mean, you got to have training. You have to train your employees to understand when there is something wrong, to be able to report it, and do not click on that link. Think twice before you click on that link. Think a third time before you click on it because having that insider threat or having that actual employee not click on that link is what we really want to strive for. And then, just the verification process, just understanding before you make a change to the payroll or to a third-party vendor, make sure you have a process and a procedure in place ahead of time and that you never change it without following that procedure. There have been numerous times that people just figured like Shawn was talking about with that one case, that they called it sensitive. If there was a change, you can’t tell anyone. Always follow the procedure. Always, always, always.

John Brewer

I was going to say one thing I’d like to jump here just that we’ve been seeing in the last year or two is there have been a lot of people who have been getting their one-time password, their MFA-like QR code there to scan into your phone for Authy or Google Authenticator or whatever it is. Those are kind of a known algorithm. And what we’re seeing is people taking a screenshot of that QR code when they get it and keeping it in their My Documents folder so that if they have to replace their phone later, they can rescan it and they don’t have to worry about losing access to their account. If you do that, do not save it in the account that that QR code controls. Don’t do it in general because it’s a bad idea, but you completely undermine the MFA access if you save the QR code that controls your one-time password. Okay, rant over. Sorry, Mike. Go ahead.

Michael D. Sarlo

Yeah, I was just going to say that… I mean, can we just jump back to the last slide for a second? These are the basics, right? And when you take a look at some of the trailblazing regulations and laws here, NYDFS comes to mind, 23 NYCR Part 500. And this has kind of been the framework whereas the FEC is… Sorry. The SEC has adapted their posture towards organizations, their cybersecurity, and reporting requirements as well. Not having MFA implemented and not having it implemented properly will result in much higher fines. They’re looking at these regulators to see, “Did you do what you said you were doing? Did you protect the data as you should have?” And this is really going to be expanding further into the private sector, especially as cyber warfare becomes just as ubiquitous as modern warfare. I mean, we are constantly fighting a global war from a cyber standpoint. We’re seeing this type of regulation and this collaboration between the private sector, law enforcement, and the government. It’s going to extend beyond publicly listed companies. It’s going to extend beyond certain financial institutions, insurance companies, and healthcare organizations, which are typically what the NYDFS sits at. And there’s a lot of talk about it being revenue-based. So certain companies that might be little startups that are doing a few million dollars in revenue, might have some pretty serious obligations here. And so, again, the MFA is important. The training is just so critical. It’s really be training, be training, be training. That’s always the weakest link in these BECs. If something’s off, if it walks like a duck and it quacks like a duck, it’s probably a duck. If there’s smoke, there’s fire. Trust your best judgment and always be cautious. Even just links from anybody internally, right? It’s just mouse over for a second. Don’t click on it, see what’s behind it, right? So go ahead, guys.

Nate Latessa

Mike, can I add just one here?

Michael D. Sarlo

Yes, please.

Nate Latessa

This is something that I talk to people about all the time. We talked about sensitive data exposure and potentially leaking out, the stat that I used in one of my other talks is that 61% of cybersecurity people don’t know where their company’s critical sensitive data is. So the people who are tasked with protecting it don’t know what it looks like, and they can’t find it. And if you ask cybersecurity people a lot of times inside companies and ask them where critical sensitive data is or what it looks like, they tend to tell you it’s something registrable. It’s credit card and social security numbers, bank routing numbers, patient IDs, and things like that. But when it comes to intellectual property, trade secrets, financial data, customer lists, and security people really don’t know how to identify those types of documents in the environment. Those are the ones that are usually the most critical and the toughest to track and find. So I always talk to organizations about being proactive and start to understand where that data is. Help your cybersecurity team locate those documents using the tools they have, show them what intellectual property looks like, train them on that, and then start to track that information through data classification, through encryption. Make sure that that stuff is all encrypted so that if it does get compromised, they can’t access it. But there’s a lot that you can do on the front end really just around that identification piece. That’s all I had, Mike.

Kevin Golas

So I know we have nine minutes left. Mike, did we want to go down to more of maybe the best practices in email security, or did we want to open it up for questions?

Michael D. Sarlo

We’re happy to take questions. Please if anybody has them, there’s a Q&A box. Anything on this topic, anything security related, we’re happy to answer it all. M365 Copilot risk, Nate does a lot in that. That’s really interesting. There are a lot of cybersecurity lists and implementing GAI right now. That’s going to get a lot worse. But yeah, let’s talk about some of the best practices here for mitigation as we go to close out.

Kevin Golas

Well, I think we were talking about employee training. We were talking about implementing MFA, having strong security policies, and establishing that. Nate was talking about having everything that fits and is encrypted, and it gets viewed or looked at, it reduces your risk a lot. We talked about digital signatures, just having DKIM, DMARC, and SPF records is a big thing. Just validating, having that integrity of that person sending that email or you receiving that email, having filters set up, regular software updates, having an actual incident response plan when something actually does happen, “Do you know what to do and how to do it,” just having those things already in the works. Having, like we were talking about, simulated phishing email campaigns, having that kind of training and awareness, having advanced email security solutions like we were talking about earlier, digital signatures, like I talked about, having a good policy and procedure development as it relates to we were talking about payrolls and not changing methods of payments in the 11th hour before something happens. Make sure that you’re following those procedures, like I said, having multi-factor authentication turned on. Is there anything you guys want to add to this?

Nate Latessa

I think there’s a question actually in the chat if somebody wants to jump in. It says, “What are the best tips to companies if we spot BEC, and how do we do incident remediation?” Does somebody want to take that?

Michael D. Sarlo

Sure. I think that’s a John and me question and Kevin and anybody. I mean, the first step is to obviously shut that account down but to also preserve it. In particular as well, depending on your email environment, you’re going to want to immediately make sure that you’re capturing the appropriate logging that’s required and that things just aren’t rolling off. Microsoft, in particular, M365, has done a much better job of giving easier tools and capabilities baked into M365 to conduct these investigations. And so, certainly, if you’re a professional in your organization, there’s usually going to be some type of playbook here for these. But the key is to contain very quickly, shut down those accounts, and then to really rapidly look at from the time the account was compromised, you want to know exactly what they looked at and if they sent any other emails. Oftentimes one email account that you do detect, there are sometimes many others that are also compromised in an organization. Usually more so as an organization gets larger. When you get to general phishing campaigns that are effective, they’ll get three or four accounts, five, or 10 accounts at once. Not all organizations are that lucky to have that quick detection capability. So really shut that down, those accounts. Make sure you have the right logging. Contact an incident response professional to assist you with that investigation. You’re going to be looking at a lot of things related to IP addresses, and where things are coming from. Sometimes knowing where these actually come from is challenging, especially the longer they sit. We’d like to say in digital forensics information tends to wither on the vine like fruit, so evidence just tends to die off over time. So fast response is critical. Does anybody else want to add anything there? John, Kevin, Nate?

Kevin Golas

Yeah, I would just say to what Mike just said, when you’re looking at it like a business email compromise, you also want to make sure that there were no forwarding rules turned on to that particular account. You want to make sure that there are no new accounts created. That’s a lot of times what they’ll do is they’ll get into an account, escalate privileges, and then add a new account. So even if that first account, let’s say Kevin’s account was compromised, but they just created a new account that you did not know about, so until you go and find out, like Mike was talking about, you want to understand the root cause. You want to find out when that happened and then kind of what happened right before and what’s happened since then. You kind of want to get that really good timeline to understand, “Did you capture everything that was there?” Well, like Shan and Nate and everyone else was talking about earlier, just because you noticed the compromise, let’s just say yesterday on the 28th, doesn’t mean they weren’t in three months beforehand. So you really got to understand, “Did you just find this or did you capture the actual date of the infection and the root cause of it as well?”

John Brewer

Also, if you have SSO turned on for anything, look at all of your third-party apps because even if you’ve locked somebody out and you’ve turned off email forwarding and you’ve turned off RSS publication, if they’re still CC’d on every transcript that your third-party AI application is taking of either your team’s calls and whatnot, that’s still a serious breach of corporate information that is going on even after you think that you have closed out the BEC.

Michael D. Sarlo

Right. And let me add again, that it’s a total environment investigation. If you see rules, you’re investigating. As soon as you know you have a compromised account, even if you don’t see forwarding rules, you’re going to be looking to see if that happened whatsoever in any email account since the time of the breach or more from a specific standpoint. And so, having a plan to at least close what you know, but be ready to rapidly expand the scope of your investigation in mass so you can build some comfort is critical. Incident response playbooks, right? Our philosophy around them is always to keep it simple, and stupid, and also make sure that you get Legal involved in these because there’s a whole legal work stream that I think can sometimes crush unprepared organizations when an incident does arise. Any other questions? Maybe we have a new one. Nope. So yeah, we’re here, the HaystackID team. We’ve got an army of digital forensics, incident response specialists, data privacy experts, and attorneys. We have information governance folks. We have compliance and risk folks. Cybersecurity is critical regardless of your business function. And for those on the call, everybody needs to partake in it and be a partner in it, so we encourage a lot of our colleagues and our business partners to look at cybersecurity a little bit differently in the age of really just these breaches and the monetary pain that they bring. Organizations are much more willing to spend money on things like data classifications, privacy-based information, and governance where the ROI is measurable and real.

We would really like to thank you all for joining us on today’s webcast. On behalf of HaystackID, I also want to thank everyone who took time out of their busy schedules to attend today. We truly value your time and appreciate your interest in our educational series. Do not miss out on our next workshop on November 12th with the EDRM entitled “Balancing Ethics and Efficiency with Generative AI and Legal,” where legal experts will explore the latest GAI and ethical and legal challenges courts face regarding AI protocols and how legal teams can navigate emerging discovery issues in this domain. Check out our website at haystackid.com to learn more about this webinar and register for the upcoming webcast and explore our extensive library of on-demand webcasts. It’s really a wealth of knowledge up there. If you’re bored, I encourage you to check it out. Once again, thank you, our wonderful panelists. You guys are so smart. I really appreciate you giving your time to this and to all of our attendees for attending today’s webcast. We hope you have a wonderful and blessed day.


Expert Panelists’ Bios

+ Shawn Belovich 

Senior Vice President of Digital Forensics and Cyber Incident Response, HaystackID 

Shawn Belovich is a recognized digital forensic, eDiscovery, and cybersecurity expert, having served as Deputy Chief Information Security Officer for the White House during his tenure at the Executive Office of the President (EOP) from November 2013 to July 2018. In this role, he was responsible for the global protection of White House information, information assurance, information governance, electronic records management, forensic and eDiscovery operations, cybersecurity, insider threat, data loss prevention, and internal investigations. More recently, Belovich was a Managing Director and Partner for global consulting firms.  


+ John Brewer 

Chief Artificial Intelligence Officer and Chief Data Scientist, HaystackID 

John Brewer has worked with HaystackID since 2015 and now serves as the Chief Artificial Intelligence Officer and the Chief Data Scientist. In his role as CAIO, Brewer guides the company’s integration of artificial intelligence and generative AI within the legal technology sector, capitalizing on his remarkable two decades of AI experience. He has been pivotal in the adoption of large-scale technology-assisted review, developing the suite of AI-based machine learning tools that power HaystackID’s review process, driving loss prevention, and ensuring unparalleled efficiency – most notably, Protect Analytics, the company’s exclusive set of technologies and processes that allow client data set analysis for sensitive information including personally identifiable information and protected health information, as well as data breach code anomalies. Brewer’s approach avoids opportunistic trends, centering instead on thoroughly researched AI solutions that are in line with the client’s real needs and ethical standards. Brewer’s deep understanding of decades of AI capabilities distinguishes him as an exceptional leader and innovator. 


+ Kevin Golas 

Managing Director, HaystackID 

Kevin Golas is a Managing Director in HaystackID’s Advisory Group. An accomplished cybersecurity executive with over 20 years of experience in cyber security, risk management, and data compliance, Golas has worked at larger enterprise companies like T-Mobile, Grant Thornton, and OpenText. He has a proven track record of success in developing and implementing effective cybersecurity programs, mitigating cyber risks, and protecting sensitive data. Golas is a passionate and dedicated cybersecurity leader who is committed to making the world a safer place. He is a highly sought-after speaker and thought leader in the cybersecurity community. 


+ Nate Latessa 

Executive Vice President of Advisory Services, HaystackID 

Nate Latessa is the Executive Vice President of Advisory Services at HaystackID. With over two decades of experience, he is a prominent figure in information governance and eDiscovery.  His expertise in using advanced eDiscovery tools has streamlined litigation processes, while his understanding of data and legal compliance has distinguished him in the field. 


+ Michael D. Sarlo 

Chief Innovation Officer and President of Global Investigations and Cyber Incident Response, HaystackID  

Michael Sarlo works closely with HaystackID’s software development and data science teams to deliver best-in-class data collection, eDiscovery, and review solutions that allow legal teams to act on data types typically not conducive to collection, review, or production in the context of eDiscovery. Sarlo works closely with clients on the most challenging and complex regulatory, investigative, and civil litigation matters. Sarlo also oversees HaystackID’s Cyber Discovery and Incident Response Services division. He leads a cross-functional team of HaystackID experts that regularly assist insurers, breach coaches, and their corporate clients when a data breach occurs. 


About HaystackID®

HaystackID solves complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by its proprietary platform, ReviewRight®. Repeatedly recognized as one of the world’s most trusted legal industry providers by prestigious publishers such as Chambers, Gartner, IDC, and Legaltech News, HaystackID implements innovative cyber discovery, enterprise solutions, and legal and compliance offerings to leading companies and legal practices around the world. HaystackID offers highly curated and customized offerings while prioritizing security, privacy, and integrity. For more information about how HaystackID can help solve unique legal enterprise needs, please visit HaystackID.com.


Assisted by GAI and LLM technologies.

Source: HaystackID