This blog was written by an independent guest blogger.
To carry out business email compromise (BEC) fraud, a con artist impersonates an organization’s senior manager, business partner, or supplier and tries to manipulate an employee into transferring money to the wrong destination. The rogue message typically comes from a spoofed or previously hacked email address, which makes the foul play highly persuasive. Essentially, BEC is a type of phishing focused on the enterprise.
As the general fraud awareness in the corporate sector grows, malicious actors are constantly refining their tactics to make sure their scams bypass secure email gateways and slip below a vigilant recipient’s radar. Furthermore, the use of untraceable cash-out mechanisms involving gift cards and cryptocurrencies takes their operations security (OPSEC) practices a step further. Combined with clever social engineering tricks that make victims act impulsively, these rogue strategies can be incredibly effective.
The FBI reported more than $1.8 billion in losses over this cybercrime technique in 2020 alone. Companies around the world should interpret these staggering stats as a call to action in terms of hardening their defenses against the threat.
The forms of business email compromise
Whereas the common denominator in all BEC hoaxes is to make money and get away with it, the methods of achieving this goal vary. There are three top scenarios of this exploitation.
- Knock-off invoices
When this classic ploy is underway, an attacker requests a wire transfer on behalf of an entity the target organization cooperates with, such as a managed service provider (MSP) or supplier. The narrative often involves an alleged change of the mimicked company’s banking credentials.
To perpetrate this stratagem, which is also known as CEO fraud, a crook passes himself off as a person who holds an executive-level position in a company. It is usually preceded by a spear-phishing attack that results in the takeover of the victim’s email account. Sometimes felons use credentials exposed in a data breach to access the account. The impostor then contacts personnel from the finance department with a request to make an urgent payment for fictitious services.
- Reaching out to business contacts
Fraudsters may try to expand the attack area by targeting a victim’s partners and contractors whose contact details and additional sensitive information were obtained in the course of the original assault. In this case, a sure-shot way to feign legitimacy is to send a dodgy wire transfer request from a real email account used by an employee of the primary victim.
Newsmaking BEC examples
Counterintuitively, this vector of cybercrime isn’t focused on big-name companies only. Nonprofits, schools, and small municipalities are frequent targets as well due to their low preparedness for such incursions. The following incidents show how intricate these attacks can get.
- U.S. town ripped off
The Town of Peterborough, New Hampshire, found itself in the epicenter of a BEC scam in July 2021. Crooks used a number of spoofed email accounts and forged invoices to dupe town employees into submitting a total of $2.3 million to wrong destinations.
The attack took place in three stages. The first transfer amounted to $1.2 million and was intended for the local school district. Two more payments were supposed to go to companies constructing a local bridge. By the time the scam was discovered, the funds had been converted to cryptocurrency in a series of untraceable transactions.
- One Treasure Island BEC attack
In late December 2020, scammers sucker-punched One Treasure Island, a San Francisco nonprofit that helps low-income and homeless people. The organization was hoodwinked into sending $650,000 to a party that portrayed itself as a contractor hired to implement affordable housing projects in the San Francisco Bay area.
The hoax was unearthed in January 2021 when it turned out that the intended recipient never got the funds. Investigation showed that the fraud had started with a hack of a third-party accountant’s email system. Then, criminals mishandled this access to gain a foothold in the nonprofit’s communication chains. This allowed them to change the details on the original invoices from the partnering firm, which resulted in several fraudulent transfers to accounts under crooks’ control.
- The jaw-dropping Toyota swindle
A European supplier of interior parts for Toyota vehicles fell victim to a massive BEC attack in August 2019. Con artists were able to manipulate the company’s employees into sending out 4 billion Japanese yen (approximately $37 million) to the wrong bank account. There have since been no reports of whether the victim’s efforts to recover these funds were successful.
- Oregon school district in the crosshairs of phishers
In August 2019, another attack was executed against Portland Public Schools, the largest school district in Oregon. The fraudster pretended to be a representative of a construction firm the institution cooperated with. The scam zeroed in on two district employees who ended up authorizing a $2.9 million payment to malefactors. The silver lining was that the crook hadn’t moved these funds out of their account by the time the incident was uncovered. The whole sum was frozen and subsequently recovered.
- City in Georgia deceived by MSP copycat
A malicious party claiming to be an operator of water treatment facilities bilked the City of Griffin, Georgia, out of $802,000 in June 2019. The self-proclaimed contractor sent an email that informed city authorities about an alleged update of the bank account information. The message also requested two payments for services actually provided to the city.
Investigators found that the criminals had compromised the contractor’s computer system shortly before the raid occurred. This allowed them to concoct a legitimate-looking invoice in which the amounts of money that the firm was expecting to receive were accurate.
Make sure your organization isn’t low-hanging fruit for BEC scammers
Since this type of exploitation largely hinges on social engineering, security awareness is paramount when it comes to avoiding the worst-case scenario. Safe online practices of your employees, combined with automatic protection tools, such as Internet security software, spam filters, and secure email gateways, can forestall most of these scams. Let’s now get into detail on these precautions.
- Say no to web-based email. Such services are a lure because they are free to use, but there is a serious caveat. These email addresses are easy for cybercriminals to spoof. Hosting corporate accounts on your company’s domain is a much more reasonable approach. In addition to complicating this type of foul play, it is one of the building blocks of a reputable brand and an element of business communication done right.
- Be careful with messages from unknown parties. If an email received from a stranger instructs you to click a link or download an enclosed file, delete it without a second thought and go about your day.
- Examine the sender’s address. When trying to impersonate a trusted individual or company, a phisher may use an email address that has minor differences from the genuine one. Pay attention to spelling inaccuracies and redundant characters to identify a hoax.
- Cultivate your team’s prudence. Setting up a security awareness program is an investment that pays off. It will teach your colleagues to pinpoint red flags when working with public Wi-Fi, websites, emails, and documents.
- Use the “Reply” option wisely. If you are discussing a sensitive matter over email, consider using the “Forward” button instead. It presupposes that you have to type the correct address or pick it from the address book, which eliminates the risk of engaging with a charlatan who pretends to be someone you trust.
- Make the most of two-factor authentication (2FA). This awesome feature pulls the plug on unauthorized attempts to sign in to your corporate email account. If it is enabled, the password alone is not enough. Access is impossible without an extra identifier, such as biometric data or a secret code sent to your smartphone.
- Monitor your email server settings. Ask your IT team to keep abreast of changes in the server’s configuration and the email exchange rules that apply to critical accounts.
- Be a little paranoid about money transfer requests. Don’t hesitate to verify the legitimacy of any email that tells you to send out funds to a third party, even if it appears to come from your boss. A quick phone call can dot the i’s and cross the t’s. If you work under the same roof, there is no harm in coming up and asking.
- Raise the bar for green-lighting big payments. It is a good idea to involve an extra party in the process of authorizing wire transfers where the amount exceeds a certain threshold. This will minimize the odds of a blunder.
- Adjust your enterprise policies. Necessitate a thorough verification of any changes in the banking credentials and contact information of contractors, business partners, and other parties your company cooperates with.
- Make external emails easy to discern. Configure your email exchange server to display a warning banner in messages that come from outside the organization. This should encourage users to look closer.
- Don’t post too much personal data online. Crooks tend to do a good deal of reconnaissance before orchestrating BEC scams. For example, they may collect information about their targets on publicly available sources like social networks and personal blogs. That said, it is in your best interest to restrict the range of sensitive details you share on these services.
- Know the peculiarities of your business niche. This will help you distinguish between legitimate emails and sketchy ones that don’t fit the context of your day-to-day activities.
- Leverage technology. Modern Internet security applications come with anti-fraud features powered by a comprehensive database of phishing templates that are currently circulating. The use of such tools can undoubtedly add an extra layer of protection to your BEC prevention efforts.