Business email compromise (BEC) netting billions for scammers

Don't get sucked into the scam
Don't get sucked into the scam

Just when you thought it was safe to go back into the ransomware littered expanses of cyberspace, a new acronym (and attack vector) surfaces.

So-termed Business Email Compromise (BEC) is also sometimes called CEO fraud and it is gauged to be on the rise in 2016.

A family cousin to ransomware in a sense, BEC attacks take the form of spoofed emails targeted at medium to large businesses.

CEO's email accounts are compromised so that messages can be sent to financial staff requesting money transfers. The attack is carried out by compromising legitimate business e-mail accounts through social engineering, or by computer intrusion techniques.

The FBI has issued a formalised warning detailing the shape, scope and extent of BEC attacks. The bureau points out the scam works best when targeted at firms who work with a lot of foreign suppliers and so regularly perform wire transfer payments.

According to an FBI public service announcement, “Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim's normal business practices.”

Industry commentators have been quick to point out that the majority of InfoSec professionals are leaving their CEOs vulnerable by not training them to spot potential threats. Javvad Malik, security advocate at AlienVault, told SCMagazineUK.com that the challenge is two-fold.

Firstly, most phishing scams that target execs are well-crafted and researched – similar-looking domains are registered and execs are carefully researched. Secondly, many execs have personal assistants who manage their day-to-day operations and are often more susceptible to social engineering techniques.

“As such, it is important to train all users within an organisation as attackers will always try to strike at the weakest links, who may not even be internal employees. CEO fraud also routinely targets third party suppliers, partners and customers, so awareness should be spread to all associated parties. To stay a step ahead, security teams need to monitor third party activity closely and use threat intelligence networks to keep abreast of the latest scams being employed by criminals,” Malik said.

Are BEC scams targeting specific industries? The FBI suggests that the victims of the BEC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating a specific sector does not seem to be targeted.

What do BEC scams look like? Symantec says that BEC scams are beautifully simplistic in their initial presentation. “BEC scammers keep things simple, with most emails containing a single-word subject line. Subjects always contain one or more of the following words: request, payment, urgent, transfer, enquiry. Simple, innocuous subject lines are less likely to arouse suspicion and are also harder to filter.”

When do BEC scams happen? Symantec also goes to pains to point out that the majority of BEC emails happen on weekdays. This is when businesses would expect emails and, perhaps more importantly, it is the only time when most financial transactions can be cleared.

So how much is the BEC market worth? In April, the FBI reported a 270 percent increase in victims of CEO fraud since the beginning of 2016, which has cost organisations over US $2.3 billion (£1.7billion) in the past three years.

The FBI estimates that organisations which fall victim to CEO fraud attacks lose between US $25,000 and US $75,000 on average (£18,500 to £55,000), but some companies are affected more severely.

Toy maker Mattel lost $3 million in 2015 as a result of a CEO fraud phishing scam. And an Austrian aerospace manufacturer recently fired its president and CFO after it lost almost €40 million (£33 million) to BEC fraudsters.

Troy Gill, manager of security research at AppRiver, said that a network hardware company called Ubiquiti was victim to one of these schemes in mid-2015, except instead of wiring tens of thousands of dollars, they were defrauded of $40 million.

“Hackers can merely glean all of the information they want about companies, to launch a business email compromise attack, by doing simple searches on social sites such as LinkedIn,” said Gill.

“For example, if you were to search ‘Marketing (Company Name)' on LinkedIn, you would not only see the company structure, but also the names and contact information for prime targets within the organisation. This information is especially useful in popular whaling attacks, such as wire transfer attacks where a hacker poses as a company CEO, CFO, etc. to try and entice a member of staff to perform a bank transfer, send personal employee information or even reveal customer details. The only way to keep a hacker from ‘stealing' this information (after all, you as a user willfully put it online) would be to not have a social media presence, or to go ‘off the grid',” he added.

Remember, tell your CEO what BEC is, or get them to read this story, please.