Preventing Business Email Compromise Attacks

Business Email Compromise (BEC) is a sophisticated scam that continues to grow and evolve. These attacks target people within a business who regularly perform wire transfer transactions. The FBI reported a significant increase in losses, in excess of $1.6 billion, targeting businesses of all sizes from October 2013 to December 2016 - one fifth of those in the last seven months of 2016.

The objective of scammers using BEC is to trick someone into making a large wire transfer into a bogus account, usually a foreign one. Most companies targeted are in the United States, while the accounts receiving the wired funds are located outside the United States, in less than friendly or cooperative countries. This is the key obstacle when trying to have funds returned. The transactions closely mirror the normal business practices of the targeted company. It is not uncommon for a CEO to request a wire transfer, nor is it uncommon for a supplier or customer to email a change to their bank account. Telling the difference between a fraudulent BEC email and a legitimate business request can be very challenging.

Compromising an email account, preferably that of a user with some level of approval authority or their executive assistant, is the first step. This is usually accomplished using social engineering techniques or computer intrusion. Human error is the primary cause of most intrusions. Phishing, the sending of well-crafted fraudulent emails with malicious attachments or links to malicious websites, allows an attacker to compromise the email account. Actors will then perform reconnaissance in the compromised email account for weeks to observe the wire transfer request and approval process between employees and their financial institution. By the time they act, they know exactly how the process works and how to make a request appear legitimate.

Before an attack, prepare and prevent.

  • Security awareness training is key! People are your best and most reliable asset. Cybercriminals research their targets. They know you, your website, and your social media accounts. Also, half of all BEC scams target a CFO or accounting user. Potential targets, executives and employees all the way down the chain, need to be educated about the threat and have the tools to fend it off. Teach them about phishing and social engineering. And teach them again. The human error component is critical. Don’t click! Seriously, don’t click if you aren’t sure where an email originated from.
  • Also, policies and procedures for the proper way to conduct business using email are a must. Never take direction solely from an email, especially if that email would move money out of a company account. The key to prevention is to pick up the phone. Call the customer or the supplier using the contact number you already have on file, not one supplied in the email. Make sure the request you received from them was actually from them. All financial transaction requests via email require additional scrutiny and confirmation.
  • Technology can also help. Deploy advanced threat protection, including anti-virus and anti-malware detection and email and web filtering, for all employees. Technological controls are a necessity, not a luxury. Consult with leading information technology experts to understand what tools are right for you before an attack.
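As an added illustration of the email-filtering control above (example code written for this page, not a product or the article's own tooling), the script below triages constructed sample messages and flags any that carry the wire-transfer or bank-change language the article describes, so they are routed to the phone-verification step. The internal domain, the executive names, and the two header checks (an executive's display name arriving from an external domain, and a Reply-To pointing elsewhere) are assumptions added here, not controls the article spells out.

```python
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumed: the protected organisation
EXECUTIVES = {"Pat Chief"}             # assumed: display names of approvers

# Language typical of the two BEC scenarios the article describes:
# an executive wire request and a supplier bank-account change.
FINANCIAL_PATTERNS = [
    r"\bwire( transfer)?\b",
    r"\bbank(ing)? (details|account|information)\b",
    r"\bupdate(d)? (our|the) (bank )?account\b",
    r"\burgent(ly)?\b.*\bpayment\b",
]

# Constructed sample messages (not real traffic).
SAMPLES = {
    "ceo_wire": (
        "From: Pat Chief <pat.chief@examp1e.com>\nTo: ap@example.com\n"
        "Subject: Urgent wire transfer\n\n"
        "I need you to wire $48,500 to the attached vendor account today. "
        "I'm in meetings, email only.\n"
    ),
    "supplier_change": (
        "From: Acme Billing <billing@acme-supplier.test>\n"
        "Reply-To: billing@acme-supplier-invoices.test\nTo: ap@example.com\n"
        "Subject: Updated bank details\n\n"
        "Please note our bank account has changed for all future invoices.\n"
    ),
    "benign": (
        "From: Sam Colleague <sam@example.com>\nTo: ap@example.com\n"
        "Subject: Lunch\n\nTeam lunch Thursday?\n"
    ),
}

def assess_message(raw: str) -> dict:
    """Return the reasons a message must be confirmed out of band (by phone)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    reasons = []
    if any(re.search(p, text, re.S) for p in FINANCIAL_PATTERNS):
        reasons.append("financial-request")          # policy: always call to confirm
    if name in EXECUTIVES and domain != INTERNAL_DOMAIN:
        reasons.append("exec-name-external-domain")  # lookalike of an approver
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        reasons.append("reply-to-mismatch")          # replies diverted elsewhere
    return {"from": addr, "reasons": reasons, "verify_by_phone": bool(reasons)}

def triage(samples: dict) -> dict:
    """Assess every sample and return the flagged reasons keyed by sample name."""
    return {name: assess_message(raw)["reasons"] for name, raw in samples.items()}
```

Messages with a non-empty reason list should be held until the requester is confirmed by a phone call to the number already on file.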

If an attack does occur, there are steps to take to recover. Documenting the attack and reporting it to your financial institution, the local FBI office and the FBI’s Internet Crime Complaint Center are your first steps. More information about what details to report can be found in the FBI’s IC3 public service announcement on BEC. Evaluating why the attack was successful is also important.

Assess your cyber-security tools and your security awareness training for gaps on an ongoing basis. Threat actors morph and change, and we must as well. Beat them at their own game.