Just how much of a threat is Business Email Compromise?

A guide to Business Email Compromise (BEC): how it works and how you can prevent your company being a victim of the scourge of BEC

If you want to send this guide to your inbox, click here.

Introduction

Cybercriminals are always looking for new and more sophisticated ways of tricking firms out of money. In the last few years, scammers have turned to a technique known as Business Email Compromise, or ‘BEC’. This is a crime wave which takes social engineering to new heights. BEC can be thought of as a type of phishing: it is based on using an understanding of human behaviour to trick employees into performing the scammers’ wishes. In this case, transferring money to a cybercriminal’s bank account.

A recent example of the crime brings home the human as well as financial costs: an employee working in the accounts department of a British publishing house was tricked into paying out almost £200,000 GBP (around $260,000 USD)[1]. The cybercriminal behind the ruse used Business Email Compromise to achieve a successful scam. The outcome was bad for the business who lost most of the money and devastating for the employee who was sacked and subsequently sued for losing the money.

The Federal Bureau of Investigations[2] (FBI) offers some idea of the breadth and scope of Business Email Compromise:

  • The estimate of global costs of BEC is around $12.5 billion (USD)
  • S. victims have lost $2.9 billion
  • The number of global victims between May 2013 and May 2018 is around 78,617

Countless examples of BEC fraud exist, because this is a scam that works.

The FBI is so concerned about the explosion in BEC fraud that they have established a cross-country coordinated effort to clamp down on the crime. Operation WireWire has resulted in 74 arrests across a number of countries, but one thing can be certain: cybercriminals will not give up on a lucrative and successful tactic unless they are forced to.

Research has shown that 96 percent of companies have received BEC email scams.[3]. A report by Lloyds Bank and Get Safe Online found that 1 in 5 affected firms had to make employees redundant because of the financial impact[4].

To keep ahead of Business Email Compromise we need to understand what it is, and how the cybercriminals behind the attack operate.

What is Business Email Compromise?

BEC is a type of ‘advanced deception’. It uses a sophisticated series of steps to ultimately trick someone in a company into moving money into the scammer’s account. BEC is also known as CEO Fraud, because the scam often begins with the CEO – the cybercriminal placing their focus on the highest-level officers in an organization.

The cybercriminals behind the scam use the practise of social engineering. Social engineering depends on understanding and manipulating human behaviour. The BEC scammer will use a mix of surveillance and profiling techniques to understand their ‘prey’. Once they have a deep knowledge of the company and who works there, they will go in for the ‘kill’. At this juncture they may call upon technological techniques to augment their strategy, but sometimes they use psychology and business processes alone. To get a better idea of how a typical BEC scam works, here are the stages:

Stage One: Observing the Wildlife

The starting point for the Business Email Compromise cybercriminal is to understand who they are dealing with. This may involve using phishing emails, or simply exploring the company online. Fraudsters may even build up a rapport with company staff by emailing or calling them pretending to be a customer. This is all in the name of getting under the skin of their target – including high-ranking C-level executives.

Stage Two: Setting your Target

The cybercriminal will now create the environment that will take the scam to the next level. This may involve technology that can steal or brute force email login credentials, allowing the scammer to hijack the C-Level executive member’s email account.

Alternatively, the scammer will create a spoof domain, the URL of which will look very similar to the company’s domain. For example, if the target company domain is acmeincorp.com the fraudster would create a domain, acme1incorp.com. This allows them to create an email account which will look like it came from a known C-level person.

Stage Three: The Takedown

Once the cybercriminal has a good knowledge of how the company works, including the staff reporting structure, they can carry out their plan. This will typically involve sending an email using the C-level executive’s account or spoof account to someone in Accounts Payable. This email will request that an urgent payment be made.

Stage Four: The Sting in the Tail

At stage one, the target person in Accounts Payable may have already been ‘groomed’ by the fraudster. This may have been in the form of calls or emails. It prepares them for responding to the urgent transfer request without becoming suspicious. The email they receive from the spoof C-Level executive will have several social engineering features, e.g.

  • It will be written in the typical style of the C-level employee (as gleaned in the surveillance stage)
  • It will have a sense of urgency
  • It will threaten a negative outcome of you do not act immediately (e.g. loss of a lucrative deal)

The Different Faces of BEC

Cybercriminals like to play with their techniques to scam business and individuals. It keeps them ahead of discovery, and Business Email Compromise is no different. There are a number of currently-known BEC techniques, such as:

  1. Impersonation of a C-level executive or an attorney
  2. Email account compromise
  3. Data theft for further crimes

CEO Impersonation

Business Email Compromise is sometimes called CEO fraud or CEO impersonation as the CEO is target zero. The CEO is ultimately where the buck stops and where important decisions are made. As a trusted person within an organization, their word holds enormous weight. Coupled with this, it is an unusual employee who would query the orders of their CEO.

In CEO impersonation, the BEC fraud depends on the scammer being able to trick other company employees into believing that the scammer is the CEO. They do this by either hijacking the CEO’s email account or creating a believable spoof account.

Recipients of the hijacked/spoof CEO email will then carry out the fraudsters orders as if they really were from the CEO. These orders usually take the form of sending payment to a bank account. The email will typically show the name of a known client but the account details will be changed. The money will be unknowingly sent to a bank account in the control of the cybercriminal behind the scam.

CEO Impersonation is not confined to the Chief Executive Officer. Other C-Level executives and trusted vendors such as attorneys are also under threat from BEC scammers.

A survey by Proofpoint found that 50% of compromised emails targeted the CFO and 25% targeted HR inboxes[5]. The point of the exercise is to ensure that any instructions sent by a compromised email will be taken seriously and followed through with few questions asked.

Invoice BEC

This version of BEC uses an invoice to achieve the same ends as CEO impersonation – to steal money.

The basis of this variety of BEC is, again, deception. During the surveillance stage of the BEC scam, the cybercriminal will have found their target – usually someone with authority in Accounts Payable. The scam continues using one of two techniques:

  1. Email Compromise: The scammer will send the target employee a spear phishing email. This will harvest the login credentials of the employee’s email account. The scammer keeps a watch out for incoming emails that contain an invoice. Once they find a suitable one – one with a large enough payout – they will adjust the invoice, changing the payment instructions. The invoice will be paid straight into the cybercriminal’s bank account.
  2. Email Spoof: The target this time is the company vendor list. A vendor is carefully chosen during the surveillance stage. This uses the same technique as the CEO impersonation method, i.e. the email account of the target is spoofed. An invoice is then sent out from the spoofed account purporting to be this known vendor. The invoice is attached to an email address so similar to the legitimate vendor that it gets past most checks and the payment is sent to the cybercriminal’s bank account.

 W2 scams and BEC

The W2 forms used by the IRS in the U.S. are the target of another version of BEC fraud. W2 forms are used by employers to record employee data. In this variant on a BEC attack, the fraudster will pose as a C-level executive and send an email requesting that they are sent the company’s W2 form list. The fraudsters then use this data to commit tax fraud.

Some Examples of BEC at Work

Sometimes the best way to understand something is to look at examples. There are many BEC victims; these are a few of the most well-known:

Mattel: The toymaker handed over $3 million USD during a BEC attack. The spoof email was part of a CEO impersonation scam.[6]

Austrian company FACC Operations GmbH: This was a case of CEO impersonation. Walter Stephan, the CEO of the Austrian company[7], was sacked after the organization lost $47 million due to a BEC scam.

17 different Dallas firms were scammed out of $600,000 in total by a sophisticated CEO impersonation BEC scam. The basis of the scam was the use of spear phishing emails, which were used to compromise email accounts.[8]

Belgian bank Crelan: A total of 70 million euros was lost due to CEO impersonation.[9]

Xoom: A full $30.8 million was lost to employee impersonation where a number of spoof emails were sent making requests to the finance department to pay invoices.[10]

How Security Awareness Training Can Help Prevent Your Company Becoming a BEC Victim

Business Email Compromise is a worrying trend in sophisticated socially-engineered attacks against businesses. BEC affects organizations of all sizes and types. To counter the threat of a Business Email Compromise, no matter what type, we need to be prepared. Here are 5 ways of making sure your organization remains protected against a BEC attack:

Security awareness training for all

The best way to deal with cybersecurity issues is to know what you’re up against. Security awareness training is a package of tailored education that ensures your staff are knowledgeable about a variety of cybersecurity-related areas. Packages usually include phishing simulations. These are controlled phishing exercises that are set up to mimic the types of phishing threats that your organization could encounter. Programs that use automation and gamification when developing these phishing simulations have excellent employee take-up and engagement. The phishing simulations train your employees to spot the signs of a phishing email. These sessions can be enhanced using tools like video training exercises to help staff understand the kind of tricks that a BEC scammer would use to carry out the scam.

Take control of your company domain and similar names

BEC fraudsters will often buy up domain names similar to their target’s domain. For example, if your company name is myapple.com a fraudster might buy the domain miapple.com or myapp1e.com

Make sure that your company purchases any domain names similar to your company URL.

Operational procedure changes

Carry out a risk assessment on any procedure that may be compromised in a BEC attack. For example, does your firm double-check financial movement requests over a certain amount? If risks are identified in any areas that could be exploited in a BEC attack, find procedural ways to close the gap. This could be as simple as requiring a phone call check – to a recipient’s verified number – before submitting payment for an invoice.

Robust email authentication

Some BEC attacks are based on compromising the email of a target person such as a C-level executive. Most email system now allow you to set up a second factor to authenticate access to the account. Second factors are usually applied after a person enters their username and password. They are typically something like a mobile authenticator app or an SMS text code.

Good patch hygiene and anti-malware

Phishing, often a key part of a BEC attack, also comes in several flavors. This includes possible infection of a target computer with malware such as keyloggers. This type of malware collects keystrokes from a keyboard; this enables it to steal login credentials and other sensitive data. Malware infection is usually dependent on software flaws. One way to reduce the chances of infection is to make sure that all software is fully up-to-date and that security patches are applied promptly. Using anti-malware applications as part of a wider security strategy, including security awareness training, also helps mitigate the risk of infection.

Conclusion

All businesses  need to be aware of Business Email Compromise, and take the risk of falling foul of this crime very seriously. The scam is costing organizations money – sometimes millions of dollars – and employee loss on a huge global scale. For individuals unwittingly taken in by BEC scams, the impact on their lives and livelihoods can be catastrophic . BEC fraud is much more than a ‘hit and run’ crime like ransomware. It is insidious, the cybercriminals taking their time to survey their target, understand their business, and spoof or steal their email accounts. It is a crime where the cybercriminal really gets under the skin of the business it wants to extract money from.

In the case of BEC fraud, the best start is to understand what you are dealing with. Being BEC aware across your organization is the foundation stone to taking on the cybercriminals and winning. Having a security awareness training program that creates a culture of security and knowledge will help you to stop BEC crime in its tracks. Adding to this arsenal, technological control in the form of domain protection and robust authentication is also important as part of an overall BEC prevention strategy.

Cybercrime like BEC is no game. It is a serious attack on the very heart of your organization, your people and your finances. Fortunately, we have the means to tackle this growing threat at our fingertips by making our staff BEC aware.

If you want to send this guide to your inbox, click here.

About Hoxhunt

Hoxhunt turns your employees to your strongest asset in cyber security. We’re relentlessly focused on empowering your employees to shield your organisation as an active last line of defence. We work with multinational companies such as Friesland Campina, Konecranes, Nest and Nokia. If you want to see how we can help your company defend against attacks such as BEC, request a demo at hoxhunt.com or contact us at [email protected].