Organizations Need to Prepare for Business Email Compromise
Business email compromise (BEC) continues to threaten organizations because cybercriminals keep adapting their schemes to maximize financial gain. As a safeguard, companies need to make sure they adapt as well. Creating policies, training employees, and working with a vendor who specializes in combating these attacks are all vital to preventing BEC.
John LaMorte didn’t think twice about the email he had received from the head of human resources asking him to update his withholding allowances. While he didn’t regularly receive email from C-suite executives, this seemed a reasonable request. As he began to complete the form with his name, address, social security number, family status, and the amount he wanted withheld from his paycheck for taxes, he let his supervisor know.
When he learned that his supervisor wasn’t aware of HR updating any records, John realized that he had almost become a victim of business email compromise. John was lucky that he caught the mistake before his information was sold on the Dark Net, where criminals seek to profit from these types of theft. He reported the incident to his company’s security department and also to the IRS and the Federal Trade Commission.
BEC is an Ongoing Problem
Since at least 2013, the Federal Bureau of Investigation (FBI) has tracked and monitored business email compromise. Last month, the agency released a public service announcement with updated statistical data for the time frame October 2013 to May 2018. They reported that the magnitude of the scam was a whopping $12.5 billion worldwide. They also found that from December 2016 to May 2018, there was a 136% increase in global losses from attacks and that all 50 states and 150 countries had reported fraud. Victim complaints filed with the Internet Crime Complaint Center (IC3) spiked while fraudulently secured money has gone to 115 countries.
The FBI’s most recent report also showed that banks located in China and Hong Kong remain the top destinations of fraudulent funds, with some highly developed western countries recently becoming key destinations too. In addition, BEC continues to target small, medium, and large businesses alike, as well as personal transactions. Based on this report, it’s clear that this threat is real and can have significant financial consequences for companies. In one example, toy manufacturer Mattel lost $3 million to a sophisticated email scam. Their story is just one of many in which corporations have fallen victim to this type of cybercrime.
The Primer on BEC
In case you need a refresher, you should know that business email compromise is a carefully engineered scam where a criminal actor uses email to impersonate someone within a corporation (usually a high-level executive). The goal of the impersonator is to get an unsuspecting employee in the company to fulfill some request such as to transfer funds or deliver private employee information. Victims, spurred on by the title or authority of the impersonated executive, are usually quick to help, jeopardizing organizations and IT infrastructure security.
BEC actors often adjust the attack to target specific victims to garner the largest financial reward possible. That reward usually comes in the form of a transfer of funds to an offshore bank. In other cases, the personal information or security credentials of employees are sold to the highest bidder on the Dark Web, including one list of over 1.4 billion compromised usernames and passwords.
BEC Derivatives Keep Businesses Guessing
Organizations must continually adjust to each new variation of business email compromise schemes. For example, as quickly as authorities learned of cybercriminals using fake government emails to perpetrate scams, the crafty criminals began to impersonate tech support for software companies. The bad guys are continually adapting to breach the security of businesses. Most recently, some of the more notable tactics have included the following derivations:
Real Estate
Cybercriminals heavily target victims at all levels and dimensions of real estate including title companies, law firms, real estate agents, buyers, and sellers. Victims most often report a spoofed email sent or received on behalf of one of these real estate transaction participants. The bogus email contains instructions directing the recipient to change the payment type and/or payment location to a fraudulent account.
W-2 Records
Beginning in January 2017, the IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information. Sometimes these requests were followed by or combined with a request for an unauthorized wire transfer.
Impersonation of the Internet Crime Complaint Center
Cyber actors have impersonated the Internet Crime Complaint Center (IC3). In this variation, the actors emailed victims requesting additional information to be paid by restitution. The scammers even went so far as to include hyperlinks to news articles which detailed the arrest or apprehension of an internet fraudster.
Mitigating Business Email Attacks
There are many practices that businesses can adopt to mitigate losses due to business email compromise and other phishing scams. Ultimately, many of these measures rely on the company’s flexibility in adapting to the continually changing nature of the attacks and on its commitment to employee education. The FBI recommends that businesses engage in the following practices to help safeguard against these threats:
- Frequently monitor your Email Exchange server for changes in configuration and custom rules for specific accounts.
- Consider adding an email banner stating when an email comes from outside your organization, so that such messages stand out.
- Conduct end-user education and training on BEC and how to identify scams.
- Ensure company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information.
- Contact requestors by phone before complying with email requests for payments or personnel records.
- Consider requiring that two parties sign off on payment transfers.
Cybercriminals Don’t Discriminate
Based on research by identity deception solutions provider Agari, BEC scams do not discriminate based on industry, company size, or security controls. From simple display name attacks using free webmail accounts to advanced multi-level, globally distributed campaigns, cybercriminals operate at a wide range of sophistication. Be sure to work with an IT security vendor that understands these threats and has the experience and expertise to combat them.
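To show how the FBI practices above (external banners, verifying payment requests) and the display name attacks just described translate into a concrete check, here is an added example that is not from the article, the FBI, or Agari: it parses a message's headers and flags an external sender whose display name matches an internal person, a free webmail domain, a mismatched Reply-To, and payment or payroll wording. The corporate domain, the directory of high-value names, and the sample message are all constructed for illustration.

```python
# Added example (not from the article, the FBI or Agari): header checks for the
# BEC patterns the article names, plus the external banner it recommends.
# Domain, names and the sample message below are constructed for illustration.
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Assumed directory of people attackers impersonate (executives, HR, finance).
HIGH_VALUE_NAMES = {"jane doe", "hr department"}
PAYMENT_KEYWORDS = ("wire transfer", "w-2", "bank account", "payment")
EXTERNAL_BANNER = "[EXTERNAL] This message came from outside the organization."


def analyse(raw: str) -> dict:
    """Return the external flag, a list of BEC findings and the banner to prepend."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain != INTERNAL_DOMAIN
    findings = []
    # Display name of an insider on an outside address is the classic BEC tell.
    if external and name.strip().lower() in HIGH_VALUE_NAMES:
        findings.append("display name impersonates an internal person")
    if external and domain in FREE_WEBMAIL:
        findings.append("sender uses a free webmail domain")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append("Reply-To differs from From")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(k in text for k in PAYMENT_KEYWORDS):
        findings.append("requests payment or payroll records")
    return {"external": external, "findings": findings,
            "banner": EXTERNAL_BANNER if external else ""}


# Constructed sample: the display name is the CEO's, the address is webmail.
SAMPLE = """\
From: Jane Doe <jane.doe.office@gmail.com>
Reply-To: jane.doe.office@gmail.com
To: john.lamorte@example.com
Subject: Quick request
Content-Type: text/plain; charset=us-ascii

I need you to process a wire transfer today; details to follow.
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A message that collects findings is a candidate for the phone-verification step the FBI recommends, not proof of fraud on its own.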