BEC scams: What are they and how can you keep your business safe from them?

Threat Intel, published in Threat Intel, 5 min read, Nov 16, 2016

Welcome to Threat Intel’s #WednesdayWisdom column, a weekly read to help improve your cybersecurity knowledge and keep you informed on important developments.

Business email compromise (BEC) scams have grown hugely in recent times.

A public service announcement from the FBI this summer revealed that there had been a 1,300 percent increase in identified exposed losses attributed to BEC scams since January 2015. BEC scams have been reported by victims in all 50 states in the US and in more than 100 countries worldwide.

More than US$3 billion has been lost to BEC scams over the last three years, with more than 22,000 victims worldwide.


What are BEC scams?

BEC scams, also commonly known as CEO fraud or ‘whaling’, are a form of low-tech financial fraud that involves spoofed emails being sent to financial staff. The scammers typically pose as C-level executives, most commonly the CEO, requesting significant money transfers.

This fraud can reap significant financial rewards for the scammers.


According to the FBI, scammers generally use social-engineering techniques to study their victim prior to initiating the BEC scam.

The law enforcement agency says there are five main scenarios used to carry out BEC scams:

1. Businesses working with a foreign supplier

2. Business executives receiving or initiating a request for a wire transfer

3. Business contacts receiving fraudulent correspondence through compromised email

4. Business executive and attorney impersonation

5. Data theft

Let’s take a look at each of these scenarios in more detail.

Businesses working with a foreign supplier

This scenario sees a business that has a long-standing relationship with a supplier being asked to wire funds for invoice payment to a fraudulent account. Scammers will spoof the email to make it look like it comes from a legitimate account, making it very difficult to spot it is fraudulent. Scams like this can also be carried out over the phone or through fax.

Business executives receiving/initiating request for a wire transfer

This technique sees the email accounts of high-ranking executives like the CEO or CFO hacked or spoofed. The compromised or spoofed account then sends a request to someone else in the firm asking for a wire transfer or, in some instances, an urgent transfer of money to be sent directly to a financial institution.

Business contacts receiving fraudulent correspondence through compromised email

This situation occurs when an employee’s personal email account is hacked and used to send requests for invoice payments to vendors used by the employee’s company. The company may only become aware of the compromise if they are contacted by the vendors about the invoice.

Business executive or attorney impersonation

Victims have reported being contacted by fraudsters who say they are lawyers and who pretend to be handling sensitive or time-critical information. The scammers may contact the victim over phone or email, often pressuring them into transferring funds in a quick or secretive manner. These types of scams may be carried out at the end of the working day or week, to coincide with when banks close.

Data theft

Data theft is relatively new for BEC scams, according to the FBI, and sees fraudulent requests sent using a business executive’s compromised email account. In this new development, the human resources, book-keeping, and auditing departments of businesses have been targeted. Often, in these scenarios, scammers don’t request a wire transfer but look for wage or tax statements or a company list of personally identifiable information (PII).

What else do we know about BEC scams?

Analysis by Symantec earlier this year found that 38 percent of BEC scam victims were small or medium-sized businesses. It also found that emails are generally sent Monday to Friday, to follow a standard working week. Emails also usually have innocuous subject lines: ‘Request’ was the one most commonly identified by Symantec (25 percent), followed by ‘payment’, ‘urgent’, and ‘transfer request.’


More recent research has found that, rather than making the request straight away, scammers now use informal language to check whether a victim is at their desk, or sometimes to gather more information, before requesting the wire transfer.

How to stop your business becoming a victim

BEC scams can have serious implications for businesses and individuals. In a recent case, the head of the Austrian aerospace parts maker FACC was fired after the company was hit with a BEC scam that cost it €42 million (US$45 million).

Education and awareness among all employees are key when it comes to BEC scams. You should also adhere to the following tips:

  • Be suspicious of emails that demand some action without following usual procedures
  • Draft a new message to the supposed sender using their address taken directly from the corporate address book, instead of simply hitting the Reply button, so that a scammer controlling the Reply-To address is pushed out of the thread
  • Do not reply to suspicious emails and do not give out sensitive information
  • Report suspicious or obviously bogus emails to the proper authorities
  • Report to financial authorities and law enforcement agencies if you suspect that you have been a victim of BEC fraud
  • Use two-factor authentication for initiating wire transfers
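As an added example (not Symantec's or the FBI's code), the script below triages a message for the indicators described above: an executive's display name on an address that is not theirs, a lookalike of the corporate domain, a Reply-To that would pull the thread away from the real mailbox if you simply hit Reply, and the subject lines Symantec found most common. The executive list, corporate domain and sample message are all constructed for the example.

```python
"""BEC triage heuristic. Added example, not Symantec's tooling.
The corporate domain, executive address book and the sample
message below are constructed for this example."""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed address book
BEC_SUBJECTS = ("request", "payment", "urgent", "transfer request")

def score_message(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Display name of a known executive, but the address is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"executive impersonation: {from_name} <{from_addr}>")
    # Lookalike domain: not ours, but built around our name (e.g. example-com.net).
    if from_domain != CORP_DOMAIN and CORP_DOMAIN.split(".")[0] in from_domain:
        findings.append(f"lookalike sender domain: {from_domain}")
    # Reply-To pointing elsewhere: hitting Reply would leave the real mailbox out.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to diversion: {reply_addr}")
    # Subject lines Symantec found most often in BEC mail.
    subject = msg.get("Subject", "").strip().lower()
    if subject in BEC_SUBJECTS:
        findings.append(f"common BEC subject: {subject!r}")
    return findings

# Constructed sample: executive's name, lookalike domain, diverted Reply-To.
SAMPLE = """From: Jane Doe <jane.doe@example-com.net>
Reply-To: ceo.office@mail-relay.invalid
To: accounts@example.com
Subject: Request

Are you at your desk? I need a transfer processed today.
"""

if __name__ == "__main__":
    for finding in score_message(SAMPLE):
        print("FLAG:", finding)
```

A message that trips any of these checks is a candidate for the address-book reply and the out-of-band confirmation the tips above recommend, not an automatic block.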

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.