Professionals face a daily deluge of email — both personal and professional — in their inboxes. No wonder scammers have taken to business email compromise (BEC) scams as a new low-tech way to commit financial fraud. Be smart about BEC — understand this spear-phishing approach and its increasing prominence so you can secure your company from this type of threat.
From January 2015 to June 2016 there was a 1300% increase in identified exposed losses due to BEC scams - FBI
More than 400 businesses are targeted by BEC scams every day, according to Symantec's 2017 Internet Security Threat Report. Spoofed business communications are sent specifically to a business's financial staff. With subject lines such as "Request," "Payment," or "Urgent," these emails are sent during the workweek by fraudsters pretending to be a CEO or member of senior management requesting large money transfers.
More than $3 billion was stolen over the past three years via BEC scams. According to an FBI warning about the trend, victims have been reported in all 50 states and 100 countries with the majority of fraudulent transfers sent to Asian banks.
In fact, this kind of targeted spear-phishing is "now favored by attackers" over mass-mailing phishing campaigns, according to Symantec.
In 2016, an Austrian aerospace parts maker fired its CFO as well as CEO Walter Stephan after hackers posing as Stephan in an email stole nearly $47 million from the company. — Reuters
Criminals are thought to be turning more to these emails because this type of scam doesn't require suspicious attachments or unknown links. With a little research and not much technical know-how, the scammer can reap big bucks.
The FBI identified several ways victim information can be gathered:
These fraudsters often look for companies that have recently had C-suite shakeups (since this would help explain a CEO or CFO asking questions about process or not adhering to typical protocols) or where executives are known to be offsite at conferences or traveling for other purposes (hence the need for email communication).
There are regular examples in the news of corporations or businesses falling victim to scams that see them releasing PII and W-2 information. In just one example, a San Francisco-based software company suffered a breach when an email apparently initiated by the CEO requested the tax information for all employees. Names, addresses, 2015 income details, Social Security numbers, and Individual Taxpayer Identification numbers were all sent to an unauthorized recipient.
At the same time, there have been evolutions in BEC scam emails. Symantec research in November 2016 noted a shift to gradually building trust over a series of emails rather than simply asking for the fake wire transfer at the outset. For instance, the scammers might now use more conversational language to establish a rapport. A common tactic, for instance, is to begin the exchange with an email asking "Are you at your desk?" or "Hey, are you in the office today?" Then, when a response is received, the scammer moves on to phishing for details about how the payment process works at their organization and then to the fund transfer request.
As unsophisticated at business email compromise scams may appear to be, it's their simplicity that makes them so appealing. As cybersecurity blogger Brian Krebs notes, "in many ways, the BEC attack is more versatile and adept." After all, this approach minimizes risk: "In traditional phishing scams, the attackers interact with the victim's bank directly, but in the BEC scam the crooks trick the victim into doing that for them."
What can you do?
Educate employees responsible for handling wire transfers about the increased threat of BEC attacks. They should know to:
Your company should use a company domain name to send emails rather than relying on free web-based email accounts. Also register domain names that are similar to your own to avoid someone spoofing your email communications with a near facsimile. You could also set up detection system rules to flag emails with similar extensions to your own domain name. For instance, for the domain MYcompany.com you would flag anything from MYcompany.co or MY-company.com.
Make it someone's job to regularly review what information about job duties, company hierarchy, and processes is available to outsiders via social media and company websites.
Establish and adhere to robust internal processes to verify all requests for wire transfers. This could include requiring two-step verification such as digital signatures (at both sides of the transaction) or another form of authentication outside of email to verify significant transactions.
And of course, to help prevent the spread of BEC scams, report suspicious activity to the proper authorities.
RedTeam Security experts can engage in a multi-layered attack simulation to measure how well your people, networks, applications, and physical security controls can withstand fraudster attack. Along with threat detection, we can help educate employees about their susceptibility to deceitful persuasion and manipulation through email, phishing, phone, fax, and physical pretexting.
The best defense is a good offense. Let our industry experts test your security controls before hackers do it for you.