Company-Wide Policy Needed to Mitigate Business E-Mail Compromise

An analysis of 3,000 Business E-Mail Compromise (BEC) scam campaigns showed that a company-wide policy is needed to mitigate this threat.

What Is Business E-Mail Compromise (BEC)

Business E-Mail Compromise (BEC), also known as CEO fraud, refers to a sophisticated scheme that tricks an organization into paying a sum of money to a scammer.

BEC Threat Scenario

After analyzing 3,000 BEC scam campaigns, Barracuda Networksfound that the term “CEO fraud” in referring to this type of cybercrime has justification as 43% of the impersonated email senders were the CEO or founder.

The Barracuda Networks study, however, found that the majority or 57% of the impersonated email senders weren’t the CEO or founder. Out of the 57% impersonated email senders, 4.5% were C-level executives, 2.2% CFO, 2.2% Finance/HR and 48.1% other employees in the company.

“As you can see, almost half of the impersonated roles and more than half of targets are not of ‘sensitive’ positions, such as executives, finance or HR,” Asaf Cidon, vice president of content security services at Barracuda Networks, said. “Therefore, simply protecting employees in sensitive departments is not sufficient to protect against BEC.”

Barracuda Networks also found that 46.9% of BEC scammers’ main purpose in impersonating email senders was to trick the recipients to do wire transfers to bank accounts owned by the scammers, while 40.1% of BEC scammers aimed for recipients to click malicious link, 12.2% aimed to establish rapport and another 12.2% aimed to steal personally identifiable information, such as W2 forms that contain social security numbers. 

The Barracuda Networks study found that in the vast majority of cases of the “rapport” emails after the initial email is responded to, the scammer will then ask the recipient to do a wire transfer.

The study also found that 60% of BEC scam campaigns only contain plain text with no links. “These plain text emails are especially difficult for existing email security systems, because they are often sent from legitimate email accounts, tailored to each recipient, and do not contain any suspicious links,” Barracuda Networks said.

The Canadian Anti-Fraud Centre (CAFC)observed the following types of BEC schemes in Canada:

• BEC scheme #1: Involves spoofedFootnote 2 or compromisedFootnote 3 e-mail accounts belonging to high-level executives where an e-mail is sent from that account to another employee, often someone who conducts financial transactions for the company, requesting them to conduct a wire transfer for what appears to be a valid business reason.

• BEC scheme #2: Involves businesses that have well established relationships with suppliers. The criminal, using a spoofed or compromised e-mail account of the business, requests the supplier to provide payment via wire transfer to a fraudulent account.

• Other BEC scenarios: These include: requests for data such as tax information to later be used for fraudulent activity; requests for a “legitimate” invoice payment only to be discovered as false when the actual vendor calls seeking status of an invoice payment; and malicious actors contacting businesses and disguising themselves as lawyers claiming to be handling confidential or time-sensitive matters. There are additional variations of BEC, with new schemes being developed regularly.

In impersonating email senders, BEC scammers either spoofed or compromised e-mail accounts. In email spoofing, an attacker forges an email header so that the message appears to have originated from someone that the recipient knows although, in reality, the message comes from the attacker. In a compromised email, an attacker gains access to a legitimate email account and uses this account to impersonate the owner of the email account.

The U.S. Federal Bureau of Investigation (FBI), meanwhile, observed the following types of BEC schemes worldwide:

• Business Executive: Criminals spoof or compromise e-mail accounts of high-level business executives, including chief information officers and chief financial officers, which result in the processing of a wire transfer to a fraudulent account

• Real Estate Transactions: Criminal impersonate sellers, realtors, title companies, or law firms during a real estate transaction to ask the home buyer for funds to be sent to a fraudulent account

• Data and W-2 Theft: Criminals, using a compromised business executive’s e-mail account, send fraudulent requests for W-2 information or other personally identifiable information to an entity in an organization that routinely maintains that sort of information

• Supply Chain: Criminals send fraudulent requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by a money mule or bad actor

• Law Firms: Criminals find out about trust accounts or litigation and impersonate a law firm client to change the recipient bank information to a fraudulent account.

Prevalence of BEC Scams

According to the Internet Crime Complaint Center (IC3), between October 2013 and December 2016 alone, BEC scammers have stolen over $5 billion dollars from unsuspecting victims worldwide, including Canadian businesses.

The Canadian Anti-Fraud Centre for its part said that out of over 40 fraud types reported to the center, BEC is the second highest for monetary loss.

BEC Scam Prevention 

Here are some measures in preventing BEC scam:

-Wire transfer request via email should be treated with caution. The recipient should confirm the legitimacy of the wire transfer request before acting. Consider a 2-step verification process for wire transfer payments. Payments should never be made without in-person conversation or phone call.

-Same goes with request via email for personally identifiable information, such as W2 forms that contain social security numbers. This should be treated with caution and the legitimacy of this request should be confirmed before acting.

-Provide regular staff training on how to spot BEC attacks and how to stop them. It’s important to train the staff on a regular basis as BEC techniques are evolving.

-Use an email protection system that automatically stops spear phishing and cyber fraud attacks that would lead to a successful BEC scam.

When you need help, our security experts are a phone call away. Call today for a free consultation (416) 920-3000