Business Email Compromise
Business Email Compromise (BEC) is a fancy new name for an old technique: the confidence game. And it’s a really lucrative and popular way to commit cybercrime.
- More than 22,000 targeted organizations in the past 3 years
- More than $3 billion in losses in past 3 years
Just like traditional con games, this scam works by gaining someone’s confidence and then getting something from them that is not yours to take.
Formerly called the man-in-the-email attacks, social engineering is at the heart of these attacks. An attacker commonly will impersonate an executive to get funds transfer of funds to what appears to a legitimate entity. In reality, it’s the scam artist seeking to siphon money off. This process will often start with a phishing attack or key-logger of the executive in order to gain access to his or her email account. Once there, the attacker will track the executive’s activity and them mimic their behavior.
Often, the conman will closely monitor the overall activity of the company. This allows them to use information like company mergers, new contractors, and other information to scam money from the company.
Common variations and how to identify
There is a huge variety of scams that fall under BEC. All of them are incredibly simple and none of them require any real technical skill. Most simply take time and a little bit of patience to execute, just like a good con job.
Here are some examples of Business Email Compromise:
The CEO scam –
- The criminals compromise an executive account via key-loggers or phishing scams. It does not have to be the CEO. It can be the CFO or even a lead accountant.
- The scammer will submit a wire transfer request from the C-level executive’s account to the accounts payable department or directly to the Controller.
- The Controller will send the payment according to the directions they received. The request, while it looked legitimate, will funnel money to the scammers account where it can never be recovered.
- The criminal will either gain access to or spoof the email account of a high level executive and send an email to a member of the staff in charge of paying invoices asking them to pay the invoice.
- They will monitor activity and watch for a legitimate invoice from an actual vendor.
- The criminal will change the routing and account numbers to which the payment is made.
- The scammer will then spoof the sender’s email so that communication can be sent back and forth. They don’t need to compromise the sender’s email. A close approximation is all that’s needed, close enough so that no one would notice.
- An email is sent that explains that they’ve updated their payment information.
- The payment will ultimately send the money to the new (fake) payment account.
The Attorney scam –
- The accounts payable department will receive an email from the “CEO” telling them that the company is doing a “top secret” acquisition. The highly confidential nature of the email will keep the employee from making inquiries or even double checking with the CEO.
- The email offers the name of an attorney that’s supposed to handling the transaction.
- The scammer, posing as the attorney, will forward payment information and accounts. He or she will reiterate the information that the CEO shared lending legitimacy to the emails.
- The finance department will submit the wire request for payment following the “attorney’s” instructions.
The Data scam –
- The scammer will pose a member of the accounting staff, human resources, or even a governmental entity attempting to verify employee information like W-2s.
- The message is usually sent to member of the HR staff, often someone low down in the structure who will have access to the data.
- The staffer will send the information to the scammer.
- The scammer will then use the data to compromise the identity of the employees.
Best Practices to avoid Business Email Compromise
- First, we recommend implementing advanced email security like ContentCatcher to outright block most of these attacks. Using big data from a vast global network of clients and machine learning along with attachment and URL defense, it can pinpoint threats and prevent them from reaching your inboxes.
- Train employees with security awareness training like KnowBe4. It is after all error on behalf on employees that make these attacks successful. By having aware and suspicious users, the chances of a successful attack decrease drastically over a period of a few months.
- Ensure that the “reply to” address and the “from” address are the same. Some hackers will spoof an account by making it look the email came from a legitimate person. The “reply to” address, however, will send sensitive information to an email account that the attacker controls.
- Manually confirm any sensitive requests. For example, if the CEO asks for a wire transfer, regardless of the time of night or the relationship with the CEO, the payment department should manually confirm the request by calling.
- Prevent transfers to unknown accounts. If a vendor wishes to change the payment account that they receive money to, call them or send a separate verification email asking if that person made the request.
- Code all correspondence to show which email originated in house and which are from the outside. This will help to prevent spoofed email from being treated as internal messages.
- Institute a policy that states that all money transfer requests need to be approved by more than one person and that they aren’t out of the ordinary.
There are two fronts to Business Email Compromise
People and technology.
The people portion requires training and clear policies. The reality is that every BEC is effective because of something that someone does. Training your staff, particularly the accounting and executive staff, will help to keep them from making mistakes that can compromise your company, either giving away money or data.
The technology portion allows you to use the latest technology to filter and screen out the scams before someone sees them. Using the right filters and traps, scams and spoofs can be stopped and prevented.
Third-party contractors are a simple solution to the problem. A third-party can come in, implement the right policies, train the staff, and place the technology. The most important part of all antivirus technology is keeping it up-to-date. Very often, what you buy off the shelf is good in that moment, but it will become obsolete quickly. An outside contractor is able to keep everything up-to-date and, if you get the right team, monitor your entire network 24 hours a day. They will spot irregularities faster and be able to stop things like wire transfers.
Not matter what path you take, it’s vital that you do something today to prevent business email compromises.