February 21, 2019

A woman who worked in accounts for Peebles Media Group was sacked and is being sued because she was scammed. The scam is known as Business Email Compromise (BEC).

BEC is where an old-world style ‘sting’ meets the digital world. It is a perfect example of the use of “social engineering” to carry out fraud.

At last count, the FBI evaluated the global losses due to BEC crime to be around $12.5 billion USD (£9.6 million GBP). The total number of victims to May 2018 was 78,617. No doubt, when these figures are refreshed those numbers will climb.

But what is Business Email Compromise and why should a business be worried?


A Breakdown of Business Email Compromise


Trust is a wonderful thing; it helps us in our daily lives to build relationships. Without trust, we would be stifled in carrying out transactions. Trust is something that we carry into our online lives too. We have to trust services to do work with them. Trust is the lubricant that makes the BEC scam work.

At the core of a BEC scam is money. The scammer’s aim is to get a company to move money from its bank account to the scammer’s account. This is how they do it:


Step 1: Know Your Customer Victim

The scammer will carry out surveillance on your organisation. They will take their time to get to know your company, who runs it, how you operate, your partners and business associates. Much of this they can find out online or by doing some digging.

This stage may also involve some phishing of a different kind. BEC scams require a degree of trust and they often use existing relationships to propagate the crime, for example relationships that revolve around the CEO of the company. BEC often involves disguising communications, like emails, to look like they have come from the CEO. Sometimes they may even involve email account takeover, but not always. To achieve this, the scammer will need access to intimate details of the CEO or another C-level executive. Calendars and schedules are useful targets. Spear phishing emails can be used to trick the target into revealing their login credentials.

All of this surveillance and intelligence on the victim goes into the scammer’s hat to use in the BEC scam.


Step 2: A bit of social grooming

The success of a BEC scam depends on tricking a human being. So, the best way to do that is to ‘groom’ that individual by using trust. The scammer will identify their ‘mark’ and go in for the kill. The person of choice is usually someone in the accounts department who is a key person and can perform money transfers.


Step 3: The Sting

Once the scam ducks have been lined up for the Business Email Compromise scam, the scammer goes in to do their work. This usually involves an email at some point, typically of one of the following types:

  • CEO Impersonation: The email account of the company CEO may, or may not, be hijacked. Hijacking carries some degree of risk of being noticed before the scam has fully executed. So, impersonation is often the lower risk tactic. The scammer will, instead, create a domain which looks like the company domain. For example, acmeco.com would become acmec0.com. The real CEO email e.g., jane.smith@acmeco.com will be mimicked by using jane.smith@acmec0.com.
  • Invoice spoofing: There are a number of versions of this, all of which use an invoice to get a fund transfer to happen.

In one variant, a finance department employee is spear phished. Their email account is compromised and the scammer watches for invoices attached to emails in and out of the account. When they find a suitable one, they intercept it, make changes to the invoice, then send it on its way to accounts payable.

In another variant, they use the same spoofing method as for the CEO account, but this time the email appears to come from a vendor. The spoofed email is used to send a spoof invoice.


Step 4: Ker Ching!

The BEC scammer cashes in the funds and away they go to carry out the crime on some other unsuspecting company.


How to Stop Your Company being Scammed by Business Email Compromise


This is a crime that pays. So, it is not going away. Technology solutions will not solve this crime because it is based on social engineering. Technology can help, but only to augment education of your staff about the seriousness of BEC crime. Here are a few tips to raise security awareness amongst staff and to help prevent your company from becoming a BEC victim:

  1. Make everyone aware of Business Email Compromise. Making staff aware of the existence of these types of security threats is the best place to start. BEC scams work by manipulating human behaviour. Awareness of the problem is the start of dealing with it. Use security awareness training and phishing simulation exercises with all staff, and focus on BEC scams with your finance department staff.
  2. Double-check important decisions. Set in place a company policy that double-checks decisions that involve a financial transaction. This can be a simple phone call to make sure the email was from the person it said it was from. If you think this is going to be too much hassle, place a limit on the policy. For example, if the amount is over a certain value, then it needs the CEO or CFO to confirm, verbally, that it’s ok to process.
  3. Control similar domains. Cybercriminals will buy up domain names that are similar to the target domain. Write down all of the domains that look like yours and attempt to purchase them to take them out of the market.
  4. Patch. Sometimes malware is used to steal credentials to allow the BEC scam to happen. Keep your devices and software fully patched to help prevent malware infection.
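The lookalike-domain trick from the CEO impersonation case (acmec0.com standing in for acmeco.com) and the "control similar domains" tip can both be backed by a mail-side check. The sketch below is an added example, not code from the original article: it flags From headers whose domain imitates a protected domain. The substitution table, the sample headers and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Look-alike substitutions (a small constructed set, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(label):
    """Fold common look-alike characters into one canonical form."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, protected="acmeco.com"):
    """Return 'trusted', 'lookalike' or 'external' for a From header."""
    address = parseaddr(from_header)[1]          # drops the display name
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain == protected or domain.endswith("." + protected):
        return "trusted"
    name, _, tld = domain.rpartition(".")
    p_name, _, p_tld = protected.rpartition(".")
    if skeleton(name) == skeleton(p_name):
        return "lookalike"                       # same name after folding, any TLD
    if tld == p_tld and edit_distance(name, p_name) <= 1:
        return "lookalike"                       # one typo away from the real name
    return "external"

# Constructed From headers for illustration.
SAMPLES = [
    "Jane Smith <jane.smith@acmeco.com>",
    "Jane Smith <jane.smith@acmec0.com>",
    "jane.smith@acrneco.com",
    "billing@acmeco.net",
    "sales@example.org",
]

def triage(headers, protected="acmeco.com"):
    return {h: classify_sender(h, protected) for h in headers}

if __name__ == "__main__":
    for header, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {header}")
```

A "lookalike" verdict is a reason to hold the message for the phone-call check in tip 2, not proof of fraud; short domain names will produce more false positives with the one-edit rule.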

The likelihood is that Business Email Compromise scams are here to stay. They have been working, so cybercriminals will continue to milk this technique to extract money from a company. By being vigilant and educating your staff you can minimise the chances that you will end up a BEC victim.
