Larry had been working in the accounting department of a medium-sized business for about a year and now had to hold down the fort while his boss Jack was traveling to another branch in the Midwest. Jack was keeping in touch through email, saying that his business meetings went well and that he urgently needed Larry to wire money to the accounts he specified. And then Jack signed his email the way he always did. Larry had routinely performed these transfers and had no idea that it wasn’t Jack who had requested this one. The next day Jack called and asked how the office was doing. Larry asked him about the transfer and only then learned about the compromise.

While ransomware is proliferating, the biggest and most expensive cyber attacks (“71% of organizations experienced BEC attacks over the past year”) still come from Business Email Compromise (also known as “CEO Fraud” or the “Man-in-the-Email scam”). This attack is over 62 times more profitable than ransomware.
The FBI reported on May 4, 2022, that BEC was responsible for over $43 billion in losses from June 2016 to December 2021, representing a 65% increase over that time (FBI statistics). These attacks are also more complex than ransomware, sometimes relying on weeks or months of preparation and three or four means of compromise, such as “phishing,” “spearphishing,” “whaling” and “vishing” (see below).
The FBI has defined BEC as:
“A sophisticated scam targeting businesses working with foreign suppliers and companies that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds”.
1. The hacker gains access to the email account of an important employee at a business through a phishing email, a specifically targeted “spearphishing” email (sent to a company’s accounting executive or accounting employee), or a specifically targeted “whaling” email (sent to a C-level executive), any of which the target employee has clicked. Alternatively, a victim may open an email attachment, which then downloads malware that gives access to the victim’s computer. The hacker may then take control of an employee’s computer and perform financial crimes with it, or steal (“exfiltrate”) sensitive data, which can then be sold, ransomed or posted to the Internet (“doxing”). (The FBI has a few other names for the scam: “Masquerading,” “Business Executive Scam,” and “Financial Industry Wire Frauds.”)
2. The hacker monitors the employee’s email inbox for weeks, perhaps months, gathering all the intelligence they need to carry out the attack. The FBI has also noted that hackers may use auto-forwarding rules in their victim’s email account to further conceal their identities. The hacker may also imitate (“spoof”) a company’s website domain name or use a lookalike email domain name.
3. When the executive in question is out for the day or on vacation (something the attackers have learned from the executive’s email), the attackers, posing as the executive, contact a lower-level accounting professional (or someone else with access to business accounts) with a request for a banking transfer to the criminal’s account. The hacker may use genuine company financial documents. Voice calls (“voice phishing” or “vishing”) may take place to confirm certain transactions. Alternatively, the hacker may impersonate suppliers or attorneys (attorney impersonation) to request transfers (a.k.a. the Supplier Swindle or Invoice Modification Scheme).
4. The employee has worked with the executive for some time now, is accustomed to such banking transfers, doesn’t question the request and approves the transfer.
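Step 2 above mentions the auto-forwarding rules attackers add to a compromised mailbox. The following is an added example, not code from the original article, of the audit a defender can run over an export of inbox rules: it flags rules that forward mail outside the company, rules that hide payment-related messages, and rules with a suspicious empty or one-character name. The rule records and their field names are constructed for the example and are not any mail platform’s real schema; the company domain is assumed to be example.com.

```python
"""Audit mailbox inbox rules for the patterns a BEC attacker leaves behind:
auto-forwarding to an outside address and hiding messages about payments.

This is an added example, not code from the original article. The rule
records are constructed to resemble a rules export; the field names are an
assumption, not any mail platform's real schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional

COMPANY_DOMAIN = "example.com"  # assumed internal mail domain

# Subject keywords an attacker tends to hide from the mailbox owner while a
# fraudulent transfer is in progress (assumed list; tune for your business).
SUSPICIOUS_TERMS = {"invoice", "wire", "payment", "bank", "transfer"}

# Folders where hidden mail is unlikely to be noticed.
HIDING_FOLDERS = {"rss subscriptions", "archive", "deleted items", "junk email"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete: bool = False
    move_to_folder: Optional[str] = None
    subject_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address is outside the company domain."""
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN


def audit_rule(rule: InboxRule) -> List[str]:
    """Return human-readable findings for one rule; empty means benign."""
    findings = []
    for addr in rule.forward_to + rule.redirect_to:
        if is_external(addr):
            findings.append(f"forwards mail to external address {addr}")
    hides = rule.delete or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    terms = [t for t in rule.subject_contains if t.lower() in SUSPICIOUS_TERMS]
    if hides and terms:
        findings.append("hides messages mentioning " + ", ".join(terms))
    # Rules with an empty or one-character name (e.g. ".") deserve a look:
    # they are typically created in a hurry by someone other than the owner.
    if len(rule.name.strip()) <= 1:
        findings.append("rule has an empty or one-character name")
    return findings


def audit_mailboxes(rules: List[InboxRule]) -> dict:
    """Map 'mailbox:rule name' to its findings, for rules that have any."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[f"{rule.mailbox}:{rule.name}"] = findings
    return report


# Constructed sample export: one benign rule, one attacker-style rule, one
# internal redirect.
SAMPLE_RULES = [
    InboxRule("larry@example.com", "Newsletters",
              move_to_folder="Newsletters", subject_contains=["digest"]),
    InboxRule("larry@example.com", ".",
              forward_to=["jack.travel@mail.invalid"], delete=True,
              subject_contains=["wire", "invoice"]),
    InboxRule("jack@example.com", "To assistant",
              redirect_to=["assistant@example.com"]),
]

if __name__ == "__main__":
    for key, findings in audit_mailboxes(SAMPLE_RULES).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Run against the sample export, only the rule named "." is reported, with three findings. In practice the same logic is fed from the mail platform’s rules API on a schedule, and any hit on an accounting mailbox is treated as a possible account compromise rather than a configuration oddity.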
Who’s Been Hit?
Some of the big names hit by BEC:
- Facebook and Google (losses $121m)
- Ubiquiti Networks
- Government of Puerto Rico
- St. Ambrose Catholic Parish
- San Francisco Homeless Charity, Treasure Island
- City of Saskatoon, Canada
- Save the Children
- French cinema company Pathé
- Snapchat payroll information breach – this resulted in PII data exfiltration, i.e. pulling sensitive data from a computer or network.
- U.S. money transfer company Xoom Corporation
Some Recommendations for Preventing BEC
Accounting departments or professionals should institute privileged access management (PAM) and use two-factor or multi-factor authentication (MFA) to approve account changes or wire transfers. These departments or employees should have a review process for banking or other transfers.
Organizations can also implement geolocation blocking or alerting for email account logins from restricted locations or unauthorized IP ranges, e.g. logins from Asia or South America when the business has no remote users outside the USA. Such logins need not be blocked outright; admins can set up alerts for them instead. Geolocation checks are also an effective mitigation when an attacker has obtained a leaked password and managed to get past MFA.
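As an added example (not code from the original article) of the geolocation policy described above, the script below evaluates sign-in events: logins from the corporate IP range are allowed, logins without MFA are blocked, and logins that passed MFA but come from a country where the business has no users raise an alert for admins rather than being silently trusted. The IP ranges, the sign-in events and the country lookup table are constructed stand-ins; a real deployment would query a GeoIP database and the identity provider’s sign-in log.

```python
"""Evaluate email sign-in events against a location and IP-range policy:
allow known corporate ranges, alert on logins from countries where the
business has no users, and alert even when MFA was satisfied.

Added example, not from the original article. The IP ranges, events and the
country lookup table are constructed stand-ins (a real deployment would
query a GeoIP database and the identity provider's sign-in log).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALLOWED_COUNTRIES = {"US"}  # assumed: no remote users outside the USA
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed

# Constructed stand-in for a GeoIP lookup; addresses are documentation ranges.
GEO_TABLE = {
    "203.0.113.10": "US",
    "198.51.100.7": "US",
    "192.0.2.44": "BR",
    "192.0.2.99": "SG",
}


@dataclass
class SignIn:
    user: str
    ip: str
    mfa_passed: bool


def lookup_country(ip: str) -> str:
    # An unknown location is treated as not allowed, not as a free pass.
    return GEO_TABLE.get(ip, "??")


def evaluate(event: SignIn) -> Tuple[str, str]:
    """Return (action, reason) where action is 'allow', 'alert' or 'block'."""
    addr = ipaddress.ip_address(event.ip)
    if any(addr in net for net in CORPORATE_RANGES):
        return "allow", "corporate IP range"
    if not event.mfa_passed:
        return "block", "MFA not satisfied"
    country = lookup_country(event.ip)
    if country not in ALLOWED_COUNTRIES:
        # MFA passed, but the location is one the business never expects:
        # do not block outright, raise an alert for the admins to review.
        return "alert", f"MFA login from {country} outside allowed countries"
    return "allow", f"MFA login from {country}"


def triage(events: List[SignIn]) -> List[str]:
    """Alert lines for the admin queue, one per non-allowed sign-in."""
    alerts = []
    for e in events:
        action, reason = evaluate(e)
        if action != "allow":
            alerts.append(f"{action.upper()} {e.user} {e.ip}: {reason}")
    return alerts


SAMPLE_EVENTS = [  # constructed
    SignIn("larry@example.com", "203.0.113.10", mfa_passed=True),
    SignIn("larry@example.com", "198.51.100.7", mfa_passed=True),
    SignIn("jack@example.com", "192.0.2.44", mfa_passed=False),
    # stolen password and a defeated MFA prompt, from a country with no users
    SignIn("jack@example.com", "192.0.2.99", mfa_passed=True),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The order of the checks matters: the corporate range is trusted first, MFA failure is a hard block, and only then does location decide between allow and alert, so a successful MFA login is still surfaced when it comes from somewhere the business never operates.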
Additionally, the FBI recommends:
– As with any phishing email, verify that the email’s sender is who it claims to be, and watch for links and content that contain misspellings or differ from the domain name in question. Beware of emails or websites that look indistinguishable from real ones.
– Implement anti-phishing protections and up-to-date malware protection.
– Implement separation of duties to allow for independent verification of a task from a second employee.
– Implement labeling of external emails.
– Do not send any login credentials or Personally Identifiable Information (PII) by email, even if the request seems legitimate.
– Implement continuous, ongoing employee cyber training, specifically about malware and phishing. As with most cyber training for your staff, make sure they learn the signs of BEC, fake payment requests, the signatures required on documents, etc.
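The first FBI recommendation above, verifying that a sender is who it claims to be and watching for domains that differ from the real one, can be partly automated at the mail gateway or in an analyst’s triage script. The following is an added example, not code from the original article: it checks the From and Reply-To headers for lookalike domains (character substitutions such as "rn" for "m" or "1" for "l", and small typos), for a trusted company name placed in the display name over an untrusted address, and for replies diverted to a different domain. The trusted-domain list, the confusable-character table and the sample headers are constructed.

```python
"""Checks a mail gateway or analyst can run on the From and Reply-To headers
to catch the spoofing tricks the FBI list warns about: lookalike domains,
a trusted name over an untrusted address, and replies diverted elsewhere.

Added example, not code from the original article. TRUSTED_DOMAINS, the
confusable-character table and the sample headers are constructed.
"""
import unicodedata
from email.utils import parseaddr
from typing import List, Tuple

TRUSTED_DOMAINS = {"example.com"}  # assumed: the company and its key suppliers

# Small table of substitutions seen in lookalike domains (a subset, assumed).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o")]


def normalize(domain: str) -> str:
    """Fold a domain to the ASCII form an eye would read it as."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch transpositions and typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def base_domain(domain: str) -> str:
    """Naive registrable domain: last two labels (enough for this example)."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(from_header: str, reply_to_header: str = "") -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing suspicious."""
    findings = []
    display_name, address = parseaddr(from_header)
    domain = domain_of(address)
    base = base_domain(domain)
    if base not in TRUSTED_DOMAINS:
        for t in TRUSTED_DOMAINS:
            brand = t.split(".")[0]
            if normalize(base) == normalize(t):
                findings.append(("homoglyph", f"{domain} mimics {t}"))
            elif edit_distance(normalize(base), normalize(t)) <= 2:
                findings.append(("typo", f"{domain} is within 2 edits of {t}"))
            elif brand in base:
                findings.append(("brand", f"{domain} embeds the name {brand}"))
            if brand in display_name.lower():
                findings.append(("display_name",
                                 f"name '{display_name}' claims {t} but address is {address}"))
    # A Reply-To on a different domain diverts the victim's answer to the attacker.
    reply_domain = domain_of(parseaddr(reply_to_header)[1])
    if reply_domain and base_domain(reply_domain) != base:
        findings.append(("reply_to", f"replies go to {reply_domain}, not {domain}"))
    return findings


if __name__ == "__main__":
    # Constructed headers: one genuine, the rest impersonation attempts.
    samples = [
        ("Jack Smith <jack@example.com>", ""),
        ("Jack Smith <jack@exarnple.com>", ""),
        ("Jack Smith <jack@exmaple.com>", ""),
        ("Accounts <ap@examplecorp-payments.net>", ""),
        ('"Jack Smith - example.com" <jack.smith.ceo@mail.invalid>', ""),
        ("Jack Smith <jack@example.com>", "jack.smith@mail.invalid"),
    ]
    for from_h, reply_h in samples:
        print(from_h, "->", classify_sender(from_h, reply_h) or "ok")
```

A hit from any of these checks is a reason to confirm a payment request out of band (a phone call to a number already on file, never one taken from the email), which is the separation-of-duties control the list also calls for.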
The transition to remote work during pandemic restrictions is also believed to be partly responsible for the increase in BEC in the past two years. SMBs and organizations should report any breaches immediately to bec.ic3.gov.
Tech Kahunas know the needs of SMBs and organizations and will help prepare you against BEC.
We’ll stay on top of the threats.
We’ll watch your data.
We’ll review your risks.
We’ve got years of this.