To execute a classic business email compromise (BEC) hoax, a malicious actor poses as a company executive or a trusted contractor to dupe an employee into wiring funds to a bank account the attacker controls. According to the FBI’s Internet Crime Complaint Center (IC3), organizations are losing up to $5 billion to such frauds annually. These statistics speak for themselves – BEC is a cybercrime heavyweight with a serious global footprint.
This form of phishing with an enterprise flavor has evolved significantly over the years. Nowadays, the impostors are increasingly requesting payments in gift cards, which allows them to hide the money trail and complete the cash-out without being tracked down.
BEC scams hinge upon social engineering to instill trust and feign urgency that fuels hasty decisions of the victims. Many of them are laced with email spoofing or real account takeover to appear trustworthy. All in all, this is an insanely effective manipulation strategy every organization should beware of.
This fraudulent ecosystem is dominated by a trio of techniques. Whereas they all rely on email to deliver “mental payloads” that make the recipients slip up, their tactics vary. Here is a summary of these treacherous methods.
This ruse kicks in when a scammer asks for a money transfer on behalf of an organization the victim is doing business with. Sometimes the message states that the partner has switched banks and now uses different account details for incoming payments. To make sure the email mimics the usual correspondence between the two companies, the ne’er-do-well performs a good deal of reconnaissance beforehand, through account hacks or preliminary phishing attempts.
Also referred to as “whaling,” this scheme comes down to impersonating an executive in a company. To set it in motion, the malefactor hijacks the person’s email account by orchestrating a spear-phishing attack or using credentials obtained in a past data breach. Once the crook gains unauthorized access to the account, he sends deceptive payment requests to co-workers who routinely process them. These second-stage targets are typically employees from the finance department.
Targeting business contacts
If a criminal succeeds in collecting information regarding the company’s suppliers or other contractors, he may reach out to these organizations from a spoofed email address or previously compromised account used by the original target. While passing himself off as a trusted business partner, the scammer tries to bilk the recipient for a fraudulent money transfer.
Infamous cases and campaigns
Not all BEC attacks gain publicity. Many victims would rather avoid reputational issues by choosing not to spread the word about their mishaps, and yet some incidents have surfaced over the last few years. The following cases reflect the most impactful recent BEC campaigns and attacks where companies actually admitted to wiring money to perpetrators.
COVID-19 response organizations in crooks’ spotlight
According to Palo Alto Networks Unit 42, a group of Nigerian BEC scammers dubbed SilverTerrier has been shifting its focus toward targeting major healthcare organizations around the world since late January 2020. Most unnervingly, the list of intended victims includes government agencies, universities involved in medical research, and publishing companies that contribute to thwarting the spread of the novel coronavirus disease.
Security analysts found that the threat actors sent more than 170 spear-phishing emails to high-profile COVID-19 response institutions in the United States, Canada, Australia, Italy, and the United Kingdom during the first three months of the campaign. These messages tried to bait the recipients with a combo of coronavirus-themed subjects and rogue invoices.
In some cases, the files attached to these emails would drop payloads for info-stealing malware such as LokiBot and Formbook onto victims’ computers. The silver lining is that none of the target organizations got on the villains’ hook. However, the fact that the black hats do not mind zeroing in on critical medical facilities in these hard times is hugely alarming per se.
Toyota BEC scam
In mid-August 2019, a European subsidiary of the Toyota Boshoku Corporation, a major supplier of Toyota car parts, lost a whopping $37 million worth of Japanese yen due to a phishing disaster. According to the official press release published several weeks later, a malicious third party persuaded an employee to follow “fraudulent payment directions.” In plain words, this was a commonplace BEC scenario, except that the sum of money sent to charlatans was jaw-dropping.
School district in Oregon paid $2.9 million to a con artist
Portland Public Schools, Oregon’s largest school district, fell victim to a BEC hoax in August 2019. Two gullible employees gave the green light to a fraudulent wire transfer amounting to $2.9 million. The scammer requested the funds on behalf of a construction company the educational entity had a contract with.
Luckily, the money was still in the impostor’s bank account when the predicament was exposed. The bank promptly froze the millions before the criminal withdrew them, which allowed the district to recover the funds in the long run.
U.S. city lost a fortune
The City of Griffin, Georgia, unknowingly parted with $800,000 in a swindle pulled off in June 2019. The threat actor claimed to represent an organization operating water treatment facilities for the city. The malicious email included the contractor’s supposedly updated bank account details and asked for two wire transfers for services provided to the municipality.
Experts who were hired to investigate this incident discovered that the offender had most likely breached the firm’s computer systems before the attack. This explains why the invoices looked absolutely legitimate, and the amounts of money requested in them matched the sums the company was expecting to receive from the city.
A church parish’s mistake worth $1.75 million
Another BEC drama took place in April 2019. St. Ambrose Catholic Parish in Brunswick, Ohio, wired out $1.75 million to an evildoer pretending to be from a construction firm that was renovating the church. The fraudster planned to hoodwink the victim into thinking that the contractor had switched to another bank. The trick worked, and the money went to the scammer’s bank account.
A serious hurdle to detecting BEC attacks is that they mostly rely on social engineering. This quirk allows them to fly under the radar of automated defenses such as antivirus and spam filters. Therefore, training your personnel to identify phishing scams is one of the most effective prevention strategies.
Combining security awareness with automated protection mechanisms can help your organization avoid the escalating menace. The following tips reflect BEC prevention best practices.
- Refrain from using free web-based email for business. These accounts cost nothing, but do not be tempted: if you take this route, it is easier for scammers to spoof your address. Instead, create email accounts on a company domain. Not only will this approach raise the bar for attackers, but it is also a better way to build trust with your customers, who will clearly see that a message comes from your brand.
- Exert caution with emails from parties you do not recognize. If the message asks you to click a link or open an attachment, you are better off ignoring it. Such links can redirect to phishing pages, and embedded files can contain malware. It is also a good idea to hover the mouse over suspicious hyperlinks to see the actual URLs before clicking.
- Scrutinize the sender’s email address. Look for typos and extra characters the legitimate address does not have.
- Nurture your personnel’s vigilance. Phishing awareness training is one of the fundamentals of stopping BEC attackers in their tracks. Make sure every member of your team knows the telltale signs of a potentially dangerous email.
- Avoid using the “Reply” option in sensitive correspondence. Go for “Forward” instead. This way, you will need to manually type the valid email address or select it from the address book.
- Enable two-factor authentication (2FA). By turning on this feature, no one can sign in to your business email accounts unless they have both the password and an additional piece of information, such as a biometric identifier or a verification code sent to your phone. This technique makes it more difficult for fraudsters to impersonate you and your employees.
- Stay on top of changes to your Exchange email server. Regularly inspect it for configuration tweaks and for custom mailbox rules on important business accounts.
- Make it harder to spoof your domain. To err on the side of caution, register domains that look similar to yours, if possible. This will pose a significant obstacle to mimicking your company domain.
- Confirm wire transfer requests in person. If someone (supposedly your boss) sends you an email asking you to wire funds to another party’s bank account, be sure to give that person a phone call to double-check the request before sending the money. The good old face-to-face confirmation works wonders, too.
- Require extra checks for authorizing payments. If two people must approve a wire transfer rather than one, the likelihood of a wrong decision drops considerably.
- Fine-tune company policies. Ascertain that any changes to invoices, business partners’ bank accounts, and contact details are verified before taking effect.
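The three controls above (call-back on a number you already hold, two approvers, and verified bank-detail changes) can be expressed as code in a payments workflow. The following is an added example written for this article, not something from the original text or from any vendor; the vendor names, account strings and phone numbers are constructed.

```python
"""Payment controls against BEC: out-of-band verification, dual approval,
and a hold on unverified bank-detail changes.  Added example with
constructed data; not from the original article."""
from dataclasses import dataclass, field
from typing import Optional, Set


class ControlViolation(Exception):
    """Raised when a payment step breaks policy instead of silently proceeding."""


@dataclass
class Vendor:
    name: str
    account: str
    phone_on_file: str  # from the signed contract, never from an incoming email


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_by: str
    callback_number_used: Optional[str] = None  # None means not yet verified
    approvals: Set[str] = field(default_factory=set)


class PaymentsLedger:
    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.pending = {}

    def request_change(self, req: BankChangeRequest):
        # A request (e.g. from an email) only parks the new details; it changes nothing.
        self.pending[req.vendor] = req

    def verify_by_callback(self, vendor: str, number_dialed: str):
        # The call-back must go to the number already on file, not one the email supplied.
        req = self.pending[vendor]
        if number_dialed != self.vendors[vendor].phone_on_file:
            raise ControlViolation("call-back must use the phone number on file")
        req.callback_number_used = number_dialed

    def approve(self, vendor: str, approver: str):
        # Segregation of duties: the person who raised the change cannot approve it.
        req = self.pending[vendor]
        if approver == req.requested_by:
            raise ControlViolation("requester cannot approve own change")
        req.approvals.add(approver)

    def apply_change(self, vendor: str):
        req = self.pending[vendor]
        if req.callback_number_used is None:
            raise ControlViolation("bank details not verified out of band")
        if len(req.approvals) < 2:
            raise ControlViolation("two approvers required")
        self.vendors[vendor].account = req.new_account
        del self.pending[vendor]

    def pay(self, vendor: str, account: str, amount: int, approvers):
        # Money only moves to the account on the verified record, with two approvers.
        if account != self.vendors[vendor].account:
            raise ControlViolation("account does not match verified vendor record")
        if len(set(approvers)) < 2:
            raise ControlViolation("two approvers required for wire transfer")
        return {"vendor": vendor, "account": account, "amount": amount}


def violates(fn, *args) -> bool:
    """Helper: True if the call is blocked by a control."""
    try:
        fn(*args)
    except ControlViolation:
        return True
    return False


if __name__ == "__main__":
    ledger = PaymentsLedger([Vendor("BuildCo", "ACCT-OLD", "+1-555-0100")])
    # A "we changed banks" email arrives; it also offers a "new" phone number.
    ledger.request_change(BankChangeRequest("BuildCo", "ACCT-NEW", requested_by="alice"))
    print("pay to emailed account blocked:", violates(ledger.pay, "BuildCo", "ACCT-NEW", 50000, ["alice", "bob"]))
    print("call-back to emailed number blocked:", violates(ledger.verify_by_callback, "BuildCo", "+1-555-0199"))
```

In the scenario of the Georgia and Ohio cases above, a call to the contractor's number on file would have revealed that no bank change had happened; the pending request would simply be discarded. The ledger never lets an unverified account receive a payment, so the single mistaken employee cannot complete the transfer alone.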
- Flag emails from outside your company. Specify an email rule to show a warning banner when an external message arrives at an employee’s inbox.
- Do not overshare online. BEC scammers are increasingly adept at open-source intelligence (OSINT). For instance, they may scour social networks to collect data about company executives and employees. Make sure you do not post sensitive information on publicly available web resources.
- Be knowledgeable about your business processes. This will allow you to spot phishing emails that pretend to come from colleagues, customers, or third-party organizations your company cooperates with. Anything that contrasts with the normal practices should raise a red flag.
- Use security software equipped with anti-phishing features. These tools use a large database of known phishing email templates and also leverage heuristic analysis to detect anomalous messages. Plus, they block malware that may be part of some BEC attacks.
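Several of the checks in this list (scrutinizing the sender's address for lookalike domains, distrusting a mismatched reply address, and flagging external mail) can be automated at the mail gateway. The script below is an added example written for this article, not code from the original or from any product: the organization domain example.com, the executive directory, the keyword list and the three sample messages are all constructed. It uses only the Python standard library.

```python
"""Inbound-mail triage for BEC indicators.  Added example with constructed
sample messages; not from the original article."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumed organization domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory of likely-impersonated staff
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential|wire|"
                     r"new account|bank details)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain within 2 edits of ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw: str):
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    findings = []
    if from_dom != ORG_DOMAIN:
        findings.append("external-sender")
        # Lookalike: few edits away from our domain, or our label embedded in another domain.
        if edit_distance(from_dom, ORG_DOMAIN) <= 2 or ORG_DOMAIN.split(".")[0] in from_dom:
            findings.append("lookalike-domain")
    # Display name of a known executive paired with an address that is not theirs.
    if name.strip().lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.strip().lower()]:
        findings.append("display-name-spoof")
    # Replies silently routed to a different domain than the one shown in From.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("reply-to-mismatch")
    if URGENCY.search(msg.get("Subject", "") + "\n" + body_text(msg)):
        findings.append("urgency-language")
    return findings


def verdict(raw: str) -> str:
    findings = triage(raw)
    if "lookalike-domain" in findings or "display-name-spoof" in findings:
        return "quarantine"
    if "external-sender" in findings:
        return "banner"   # deliver with the external-sender warning banner
    return "deliver"


# Constructed sample messages (no real people, domains or accounts).
MSG_SPOOF = ("From: Jane Doe <jane.doe@examp1e.com>\n"
             "Reply-To: jane.doe@mail-relay.test\n"
             "To: accounts@example.com\n"
             "Subject: Urgent wire needed today\n\n"
             "Please pay the attached invoice to the new account immediately. Keep it confidential.\n")
MSG_INTERNAL = ("From: Jane Doe <jane.doe@example.com>\n"
                "To: accounts@example.com\n"
                "Subject: Lunch\n\n"
                "Lunch on Friday?\n")
MSG_VENDOR = ("From: Billing <billing@vendor-supplies.test>\n"
              "To: accounts@example.com\n"
              "Subject: Invoice 4471\n\n"
              "Attached is invoice 4471 for March services.\n")

if __name__ == "__main__":
    for label, raw in [("spoof", MSG_SPOOF), ("internal", MSG_INTERNAL), ("vendor", MSG_VENDOR)]:
        print(label, verdict(raw), triage(raw))
```

The quarantine decision rests on the two signals that are rarely legitimate (a lookalike domain or an executive's name on a foreign address); a bare external sender only earns the warning banner, and a Reply-To mismatch or urgent wording is reported so a reviewer can weigh it, since both also occur in ordinary mail.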
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.