Tech Brief – Business Email Compromise (BEC SCAM)

According to the World Economic Forum, Business Email Compromise (BEC), or CEO Email Fraud, cost organisations over $3.01 billion in 2015 and 2016. These are staggering figures: the fraud costs organisations of all sizes enormous amounts of money in direct costs, lost revenue, lost goodwill with customers, and damage to their corporate reputation.

Cyber-criminals want maximum profit for minimum investment and Business Email Compromise is very profitable since it only needs to be successful a few times to be highly cost-effective for the criminals.

Instead of spending hours sending phishing emails to numerous random email addresses (making them more easily identifiable as spam, and less successful), cyber-criminals nowadays first do their research before launching an attack. They select the business on which to launch a BEC attack, then use social engineering to find out who the CEO and CFO are (ensuring they have their correct names), and decide who their victim will be within the organisation. They usually select someone in the finance department who manages money, or an authorised senior staff member. A successful BEC attack results in successful intrusion into the victim’s business systems, unrestricted access to employee credentials and substantial financial loss for the organisation.

The cyber-criminals then send a fraudulent email, impersonating the CEO or CFO, and try to trick their victim into initiating one or more funds transfers.  An example is as below:

Our explanation

Hackers will use several simple, but highly effective tricks to avoid raising suspicions, and to ensure that their victims act as fast as possible, without a second thought or further verification:

  • Spoofing or typosquatting [*1] legitimate email addresses, using a domain similar to the targeted business’ actual domain.
  • Using an urgent tone and stating in the fake email that the CEO or CFO is in a meeting and that they cannot be disturbed during the meeting by email exchanges or phone calls.
  • Implying that the sender is using a device to write the email, by using the well-known and frequently-used phrase “Sent from my iPad”, in lieu of the corporate email signature.

Note: This trick is particularly effective, because implying that the email is sent from a mobile device excuses any poor English, misspelling, or lack of a legitimate email signature, which are usually triggers to recognise phishing emails.  It also helps strengthen the sense of urgency: if it wasn’t pressing, the sender would have waited until he was back at his desk.  Hackers also use social engineering to find out when the executive is travelling for business, making their scam even more credible to the victim.

  • Cyber-criminals will make sure they request a legitimate-looking amount for the wire transfer, to avoid raising suspicion.
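
The same tricks can be checked for automatically at the mail gateway. The following Python code is an added example, not part of the original brief: it flags a message for a lookalike sender domain, an executive's name on an outside address, and the urgency, "cannot be disturbed" and mobile-signature wording described above. The domain example.com, the executive names, the indicator labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"              # assumption: the organisation's real domain
EXECUTIVES = {"jane doe", "john smith"}  # assumption: CEO/CFO display names
PATTERNS = {                             # wording tricks described in this brief
    "urgency": r"\b(urgent|asap|immediately|right away|today)\b",
    "sender-unreachable": r"\b(in a meeting|can(no|')t be disturbed)\b",
    "mobile-signature": r"sent from my (ipad|iphone|phone|mobile)",
    "payment-request": r"\b(wire|funds? transfer|payment)\b",
}

def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row DP)."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def bec_indicators(raw):
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    hits = []
    if domain != CORP_DOMAIN:
        if edit_distance(domain, CORP_DOMAIN) <= 2:    # typosquatted domain
            hits.append("lookalike-domain")
        if name.strip().lower() in EXECUTIVES:         # boss's name, outside address
            hits.append("executive-name-external-sender")
    hits += [k for k, p in PATTERNS.items() if re.search(p, text, re.I)]
    return hits

# Constructed sample message, not taken from a real incident.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Subject: Urgent wire transfer

I am in a meeting and cannot be disturbed. Please send the wire today.

Sent from my iPad
"""

print(bec_indicators(SAMPLE))
```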

Who are the targeted victims?

Victims are not limited to a certain business type: hackers are targeting medium and large corporations, small businesses, not-for-profit organizations, etc. They always have one characteristic in common: the victim’s business must work with foreign suppliers and/or regularly use wire transfer payments.

Why does it work?

Phishers rely on the “fear of the boss” mentality: all employees want to be effective at their job, and are unlikely to decline an order coming directly from a VIP within their organisation. Employees usually feel obligated to comply with anything their CEO requests, and that is what cyber-criminals put their money on. The sense of urgency is also critical for these scams to work. Since the recipient of the email feels that it’s an urgent matter and that they can’t reach their boss for a second approval of the transfer, the targeted employee often falls for the BEC scam.

Some tips for defence against BEC scams

We recommend that businesses follow the below tips to avoid falling victim to a BEC scam:

Educate your employees

  • Develop a good security awareness training program that will help users to make better judgments about the emails they receive, how they use the Web, the links they click in social media, and so forth. The goal of security awareness training is to help users to be more skeptical about what they view and what they consider to be safe to open. Have them monitor email addresses in their inboxes, to avoid spoofing or typosquatting.
  • Create communication protocols (backchannels) for staff members that will be involved with corporate finances or sensitive information. For example, if a CEO sends a request to his CFO to transfer funds to an established vendor, the CFO should have a means of verifying the authenticity of the CEO’s request before initiating the transfer, such as texting or calling the CEO’s smartphone.
  • Teach them to always question any emails requesting fast actions, whether they seem unusual or not; especially if the request is not following normal procedures.
  • Advise them to make a phone call to verify the legitimacy of a business partner or supplier.
  • Employees, particularly senior executives who are more likely to be the target of a CEO Fraud/BEC attack, should be reminded regularly about the dangers of oversharing information on social media. Employees’ friends might be interested in the latest personal information that gets posted on social media, but this information might give cybercriminals the information they need to create a believable spearphishing email.
  • Use two-factor or multi-level authentication for initiating wire transfers.

*1 A “fake” URL that is very similar to the legitimate address but lands the user on a cybersquatter’s web site e.g. vs