In a classic business email compromise (BEC) scam, the attacker poses as a company executive or a trusted contractor to trick an employee into wiring funds to an account the attacker controls.
According to the FBI’s Internet Crime Complaint Center (IC3), reported BEC losses run into billions of dollars a year, and BEC has been the costliest category of cybercrime in the IC3’s annual reports for several years running. The numbers speak for themselves: BEC is a cybercrime heavyweight with a global footprint.
This form of phishing with an enterprise flavor has evolved significantly over the years. Nowadays the impostors increasingly ask for payment in gift cards, whose codes can be cashed out or resold within minutes; unlike a wire transfer, which a bank can sometimes freeze and reverse, a redeemed gift card leaves almost no money trail to follow.
BEC scams hinge on social engineering: they build trust and manufacture urgency so that the victim acts before verifying. Many are reinforced by email spoofing or outright account takeover to look genuine. All in all, this is a highly effective manipulation strategy that every organization should be prepared for.
BUSINESS EMAIL COMPROMISE SCAM TYPES
This fraudulent ecosystem is dominated by a trio of techniques. While they all rely on email to deliver “mental payloads” that make the recipient slip up, their tactics vary. Here is a summary of these methods.
The first, commonly called the bogus invoice scheme, kicks in when a scammer requests a money transfer on behalf of an organization the victim does business with. Often the message states that the partner has switched banks and now uses different account details for incoming payments. To make the email mimic the usual correspondence between the two companies, the scammer does a good deal of reconnaissance beforehand, typically through account compromise or preliminary phishing, and reuses the real thread’s tone, invoice format and history.
The second is usually called CEO fraud and is often lumped together with “whaling,” although strictly speaking whaling denotes spear-phishing aimed at the executives themselves. The scheme comes down to impersonating an executive in the company. To set it in motion, the attacker either spoofs the executive’s address or hijacks the real account through spear-phishing or credentials leaked in a past data breach. Once the crook controls the account, he sends deceptive payment requests to co-workers who routinely process such requests. These second-stage targets are typically employees in the finance department.
The third variant turns a compromised company into a launchpad. If a criminal succeeds in collecting information about the company’s suppliers or other contractors, he reaches out to those organizations from a spoofed address or from an account previously compromised at the original target. Passing himself off as a trusted business partner, the scammer tries to talk the recipient into a fraudulent money transfer.
INFAMOUS CASES AND CAMPAIGNS
Not all BEC attacks gain publicity. Many victims prefer to avoid reputational damage by keeping quiet about their losses, yet some incidents have surfaced over the last few years. The following cases reflect the most impactful recent BEC campaigns and attacks in which the victims actually admitted to wiring money to the perpetrators.
According to Palo Alto Networks Unit 42, a group of Nigerian BEC scammers dubbed SilverTerrier has been shifting its focus toward major healthcare organizations around the world since late January 2020. Most unnervingly, the list of intended victims includes government agencies, universities involved in medical research, and publishing companies that contribute to containing the novel coronavirus.
Security analysts found that the threat actors sent more than 170 spear-phishing emails to high-profile COVID-19 response institutions in the United States, Canada, Australia, Italy, and the United Kingdom during the first three months of the campaign. These messages baited recipients with a combination of coronavirus-themed subjects and rogue invoices.
In some cases, the attached files dropped information-stealing malware such as LokiBot and Formbook onto victims’ computers. The silver lining is that Unit 42 found no evidence that any of the targets actually fell for the lure. However, the fact that the attackers did not hesitate to zero in on critical medical facilities during a pandemic is alarming in itself.
In mid-August 2019, a European subsidiary of the Toyota Boshoku Corporation, a major supplier of Toyota car parts, lost about 4 billion yen (roughly $37 million) to a phishing attack. According to the official press release published several weeks later, a malicious third party persuaded an employee to follow “fraudulent payment directions.” In plain words, this was a commonplace BEC scenario, except that the sum sent to the fraudsters was jaw-dropping.
Portland Public Schools, Oregon’s largest school district, fell victim to a BEC scam in August 2019. Two employees approved a fraudulent wire transfer of $2.9 million. The scammer had requested the funds on behalf of a construction company the district had a contract with.
Luckily, the money was still sitting in the impostor’s bank account when the fraud was discovered. The bank froze the funds before the criminal could withdraw them, which ultimately allowed the district to recover the full amount.
The City of Griffin, Georgia, unknowingly parted with $800,000 in a swindle pulled off in June 2019. The threat actor claimed to represent the company that operates the city’s water treatment facilities. The malicious email contained the contractor’s supposedly updated bank account details and asked for two wire transfers for services rendered to the municipality.
Investigators hired to examine the incident concluded that the offender had most likely breached the contractor’s systems before the attack. That explains why the invoices were indistinguishable from real ones and why the requested amounts matched exactly what the contractor was expecting to receive from the city.
Another BEC incident took place in April 2019. St. Ambrose Catholic Parish in Brunswick, Ohio, wired $1.75 million to a fraudster posing as the construction firm that was renovating the church. The attacker convinced the parish that the contractor had switched to another bank. The trick worked, and the money landed in the scammer’s account.
PROTECTION AGAINST BEC SCAMS
A serious hurdle to detecting BEC attacks is that they rely almost entirely on social engineering. A typical BEC message carries no malware and no malicious link, only a plausible request from a plausible sender, so it sails past antivirus and spam filters. Training personnel to recognize such requests is therefore one of the most effective prevention strategies. It is not sufficient on its own, though: header-level checks (SPF, DKIM and DMARC results, display name versus actual address, Reply-To mismatches, lookalike domains) and a strict rule that any change in a partner’s payment details is confirmed over a second channel, such as a phone call to a known number, catch exactly the cases where a well-written email fools a busy employee.
Combining security awareness with automated protection mechanisms can help your organization avoid this escalating menace. The following tips reflect BEC prevention best practices.
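As an added illustration of the header- and content-level checks mentioned above, and of how they map onto the three scam types described earlier (bogus invoice, CEO fraud, compromised partner), here is a small Python triage routine. It is example code written for this article, not part of any product or of the campaigns discussed. The defended domain example.com, the executive name, the vendor domain and the three sample messages are all constructed for the example; a real deployment would pull the executive and vendor lists from the directory and the accounts-payable system.

```python
"""Heuristic BEC triage for a single RFC 5322 message (added example, not from the article).

The organisation, people, vendor domains and sample messages below are constructed."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                          # assumed defended domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> real mailbox
VENDOR_DOMAINS = {"acme-builders.com"}              # assumed: known supplier domains

PAYMENT_WORDS = re.compile(
    r"\b(wire|transfer|invoice|routing|iban|swift|gift\s+cards?|urgent|asap|confidential)\b", re.I)
# "we switched banks", "updated account details": the supplier-swap ploy of the bogus invoice scheme
BANK_CHANGE = re.compile(r"\b(new|updated?|changed?|switched)\b.{0,40}\b(bank|account)", re.I | re.S)
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, reference: str, threshold: float = 0.8) -> bool:
    """True when domain differs from reference but resembles it closely (typosquat)."""
    if not domain or domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= threshold


def analyze(raw: str) -> list[str]:
    """Return the BEC indicators found in one raw message, in a fixed order."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_dom = domain_of(addr)

    # CEO fraud: an executive's display name on a mailbox that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name-impersonation")

    # Bogus invoice / partner impersonation from a domain that typosquats ours or a vendor's.
    if any(is_lookalike(from_dom, ref) for ref in {OUR_DOMAIN, *VENDOR_DOMAINS}):
        findings.append("lookalike-domain")

    # Replies quietly diverted to a mailbox the attacker controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("reply-to-mismatch")

    # Plain header spoofing shows up in the gateway's own Authentication-Results verdict.
    if AUTH_FAIL.search(msg.get("Authentication-Results", "")):
        findings.append("auth-failed")

    # Content checks: these still fire when a genuine vendor mailbox has been taken over,
    # which is the case where every header-level check above passes.
    text = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if len(PAYMENT_WORDS.findall(text)) >= 2:
        findings.append("payment-language")
    if BANK_CHANGE.search(text):
        findings.append("bank-change")
    return findings


def verdict(findings: list[str]) -> str:
    """Map indicators to a handling decision for mail bound for the finance team."""
    if len(findings) >= 3:
        return "quarantine"
    return "review" if findings else "deliver"


# Constructed sample 1: CEO fraud from a lookalike domain with a diverted Reply-To.
CEO_FRAUD = """\
From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: Jane Doe <janedoe.office@gmail.com>
To: accounts.payable@example.com
Subject: Urgent - confidential payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dkim=none

I'm in a meeting and can't talk. I need a wire transfer of $48,900 to a
supplier before close of business. Keep this confidential. Also pick up
$2,000 in gift cards and send me the codes.
"""

# Constructed sample 2: bogus invoice sent from a compromised, fully authenticated vendor mailbox.
VENDOR_SWAP = """\
From: "Accounts Receivable" <ar@acme-builders.com>
To: accounts.payable@example.com
Subject: Invoice 4471 - updated remittance details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-builders.com; dkim=pass header.d=acme-builders.com

Please note we have switched banks. Kindly remit invoice 4471 to the
updated account details below and confirm once the transfer is sent.
"""

# Constructed sample 3: ordinary internal mail.
LEGIT = """\
From: "Bob Smith" <bob.smith@example.com>
To: jane.doe@example.com
Subject: Standup notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Notes from this morning's standup are attached. Nothing else from my side.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("vendor swap", VENDOR_SWAP), ("legit", LEGIT)):
        hits = analyze(sample)
        print(f"{label:12s} {verdict(hits):10s} {hits}")
```

The second sample is the instructive one: because the vendor’s real mailbox was taken over, SPF and DKIM pass and the domain is the genuine one, so only the content heuristics (payment language plus a bank change) fire and the message lands in review rather than quarantine. That is precisely why the bank-change rule should route the email to a human who verifies the new account details over a second channel rather than relying on the gateway alone.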