Recent press reports reflect a sharp rise in business email compromise (BEC) scams, and they are affecting almost every industry sector. The most common form of BEC scam involves a third party gaining access to a business email system, impersonating a senior executive and using that executive’s email address to direct a large wire transfer of funds to an account controlled by the scammer.
BEC scams generally begin when a hacker compromises the email access credentials (i.e., steals the passwords) of company employees. The attacker then uses those credentials to learn about the various employees’ positions, patterns, responsibilities, and direct reports. Using this information (sometimes combined with additional information gleaned from social media postings), the attackers commence a directed attack in which a cyber-criminal impersonates a senior executive (often the CEO, CFO, a managing partner, or another person of influence) and attempts to get an employee or customer to transfer funds or sensitive information to the criminal. Because people are busy in their jobs, they often do not follow the established protocols put in place for everyone’s good. This is especially true when an instruction appears to come directly from the CEO, CFO or another high-level executive. As a result, these wire transfers get executed without verification, at great expense to the company.
An email might say the following, from the CEO to the CFO: “Can you please wire transfer money to one of our vendors, who is looking for an advance payment on his contract.” Looking at the email quickly, it “looks like” it came from the CEO’s account, the vendor looks real, and the account information “looks like” one of the company’s correspondent banks. The executive even “signs” his or her name in the same manner as always.
However, nothing is real about the email scam and the money gets transferred to criminals. There are many variations of this scam. Some involve data theft from HR departments. Some involve actual impersonation of clients or vendors. Some involve cellphone spoofing whereby the employee, ever diligent, attempts to verify the wire transfer by phone with the “sender” of the email, but instead ends up calling a “Nigerian Prince” who dutifully verifies the wire transfer to his Asian bank account. Indeed, one recent article noted,
“For example, in addition to telephone calls, pop-up and locked screens, search engine advertising, and URL hijacking/typosquatting, criminals now use phishing emails with malicious links or fraudulent account charges to lure their victims. Criminals also pose as a variety of different security, customer, or technical support representatives and offer to resolve any number of issues, including compromised email, bank accounts, computer viruses, or offer to assist with software license renewal,”1
According to FBI statistics, $1.6 billion was lost by U.S. companies between October 2013 and December 2016. Common scenarios cited by the FBI include fraudulent correspondence through a compromised email from a vendor or client, attorney impersonation, and wire transfer requests from a spoofed or hacked CFO email address. In fact, according to the numbers released by the FBI’s Internet Crime Complaint Center (IC3), the victims of those crimes lost over $676 million in 2017. Compared to the 2016 numbers (over $360 million), that’s an increase of nearly 88 percent.2 BEC scams are not only prevalent in the U.S.; they are prevalent in the EU as well. In fact, “Incidents of CEO fraud (where the impersonation of CEOs is a key part of the modus operandi) have increased significantly in recent years and we are now at a point where EU-based companies are being swindled out of hundreds of million euros every year,” said Europol Deputy Executive Director of Operations Wil Gemert.3
Though BEC scams cannot be eliminated, many can be prevented through taking appropriate precautions. Using and regularly enforcing the following corporate procedures may go a long way to minimizing the risk that a company will fall victim to fraud resulting from a BEC incident:
Always double-check before sending money or data.
Consider making it a firm, inviolable company policy to avoid making and fulfilling requests for a wire transfer or confidential information based solely upon email. As a matter of policy, it can help to always confirm a transfer at the regularly maintained telephone numbers of the recipient (not a number contained in the instructions). This will make it more likely that any emails making such a request will be flagged as potential attacks. Some companies are using additional methods, like encrypted cellphone-enabled applications that only executives carry. So in the case above, the harried CFO can message his CEO and “know” it’s really his CEO that asked for the wire transfer.
Require multi-factor authentication for email access.
For a BEC attack to be launched, a scammer must first successfully phish an executive to gain access to or spoof their email account. Implementing multi-factor authentication (meaning, e.g., after accessing an email account, the executive receives an automatic text message back with a secret code he or she must enter) as a security policy will make it more difficult for a cybercriminal to gain access to your employees’ email inboxes and therefore harder for them to launch a BEC attack.
Run regular spoof checks.
Cybercriminals will often use email spoofing to send emails that “look like” legitimate messages from a member of the company’s leadership team. However, on close inspection it can be seen that something about the URL link, email extension or domain is not right. One word is off. One letter is off. A “dot.com” address may now be a “dot.org” address. Running regular checks on your organization’s “spoofability” helps you see how vulnerable your company is to email spoofing and understand ways you can make your corporate email virtually spoof-proof. In fact, non-approved company domains that show up in email transmissions can often be blocked, helping to eliminate the problem.
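The “one letter off, one word off, dot.com becomes dot.org” checks described above, as a sender-domain screen a mail gateway or reviewer could run. This is an added example, not code from the original article; the approved domain list, the sample `From:` headers and the edit-distance threshold are all constructed for illustration.

```python
"""Screen inbound From: addresses against an allowlist of corporate domains.

Added example; not part of the original article. Flags the lookalike tricks
the text describes: a swapped top-level domain, a name one or two letters
off, or an approved domain buried inside a longer attacker-owned hostname.
"""
from email.utils import parseaddr

# Constructed: the organisation's legitimate sending domains.
APPROVED_DOMAINS = {"example.com", "example-corp.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (name, tld) for a bare domain such as 'example.org'."""
    parts = domain.lower().rsplit(".", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")


def classify_sender(from_header: str, approved=APPROVED_DOMAINS, max_distance: int = 2) -> str:
    """Classify a From: header as 'approved', 'lookalike' or 'external'.

    'external' is a genuinely unrelated domain (a real vendor, for instance);
    'lookalike' is a domain that resembles one of ours and deserves blocking
    or at least a warning banner before anyone acts on the message.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in approved or any(domain.endswith("." + good) for good in approved):
        return "approved"  # exact match or a subdomain of an approved domain
    name, tld = split_domain(domain)
    for good in approved:
        good_name, good_tld = split_domain(good)
        # Same name, different TLD: the dot.com -> dot.org swap.
        if name == good_name and tld != good_tld:
            return "lookalike"
        # A letter dropped, added or swapped (example -> exampl3, exmaple).
        if 0 < levenshtein(name, good_name) <= max_distance:
            return "lookalike"
        # Our domain embedded in a longer hostname, e.g. example.com.attacker.net.
        if good in domain:
            return "lookalike"
    return "external"


def screen(headers):
    """Return a list of (header, verdict) pairs for a batch of From: headers."""
    return [(h, classify_sender(h)) for h in headers]


# Constructed sample headers, not real messages.
SAMPLE_HEADERS = [
    "CEO <ceo@example.com>",
    "CFO <cfo@mail.example.com>",
    "CEO <ceo@example.org>",
    "CEO <ceo@exampl3.com>",
    "CEO <ceo@example.com.attacker.net>",
    "Billing <billing@vendor-supplies.net>",
]

if __name__ == "__main__":
    for header, verdict in screen(SAMPLE_HEADERS):
        print(f"{verdict:10} {header}")
```

A screen like this complements, rather than replaces, SPF, DKIM and DMARC on your own domains: those controls stop forgery of `example.com` itself, while the lookalike check catches the registered-but-similar domains the text describes, which pass every authentication test because the attacker really owns them.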
Teach employees how to spot phishing.
Since employees are the target of BEC attacks, equipping them with the tools and education necessary to tell when something is off and to respond appropriately can be critical. Consider training them to understand that “rush” wire transfer requests might not be legitimate and to ask questions, especially when senior management is out of the office or traveling on business. Additionally, having your employees confirm “orally” that the wire transfer requests they are told to make are valid can be most effective.
BEC scams can be highly costly and can affect any type of organization. Moreover, they may not be covered under existing cyber insurance policies. The best defense to a BEC scam is “not to be scammed,” by implementing appropriate prophylactic measures.
1 See “Losses due to BEC scams are escalating,” which can be found at https://www.helpnetsecurity.com/2018/06/25/2017-internet-crime/.
3 See “Masterminds behind prolific CEO fraud ring arrested,” which can be found at https://www.helpnetsecurity.com/2018/06/04/ceo-fraud-arrests/.