This week, we begin a three-part series on the threats posed by Business Email Compromise (BEC) attacks. In Part 1, we’ll explain what BEC is and discuss various types of BEC scams. In Part 2, we’ll explain how cybercriminals launch a BEC attack, and in Part 3, we’ll discuss best practices for avoiding these types of threats.
Email is the preferred communication method for businesses around the world. Its ease of use and low cost also make it the preferred attack vector for cybercriminals. Since the earliest days of email, spam techniques have continued to evolve into a variety of sophisticated threats.
One particularly menacing threat that is continuing to grow in popularity is Business Email Compromise (BEC).
BEC attacks (also known as whaling, spear-phishing or CEO fraud) use various deception tactics to impersonate a trusted contact. They employ a combination of research and social engineering techniques to impersonate business executives, real-estate firms, title companies, law firms, and even the FBI in an attempt to elicit transfers of large sums of money or the exchange of personally identifiable information (PII), which can be used in future BEC attacks and other types of cybercrime. Victims of BEC attacks are often tricked into believing they are carrying out a routine transaction, such as filling an order with a supplier, transferring funds for an executive, or sending sensitive data to an HR representative.
With the exception of those with spoofed sender addresses, many BEC attacks are sent from valid email addresses using credentials obtained through phishing, brute-force attacks, or data exposed in a database breach like the one that hit Yahoo in 2013.
BEC attacks often contain no malware, malicious links, or suspicious code. As a result, in many cases they are able to bypass traditional security measures, which makes them especially dangerous.
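The distinction above, between a spoofed sender and a message sent from a compromised but valid account, can be seen in a small triage sketch. This is an added example, not part of the original article: the three messages are constructed, `example.com` and the keyword patterns are assumptions, and the request themes are taken from the scam types this article lists.

```python
import re
from email import message_from_string

# Request themes drawn from the scam types this article lists (patterns are illustrative).
THEMES = {
    "wire_transfer": re.compile(r"wire transfer|transfer (the )?funds", re.I),
    "bank_change": re.compile(
        r"(new|updated|changed?).{0,40}(bank|account) (details|information)", re.I),
    "w2_pii": re.compile(r"\bW-?2\b|employee records", re.I),
}

def dmarc_result(msg):
    """Return the dmarc= verdict from Authentication-Results, or 'none'.
    Only trust this header when your own mail gateway added it."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"

def triage(raw):
    """Return (verdict, matched_themes) for one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    themes = sorted(name for name, rx in THEMES.items() if rx.search(body))
    if dmarc_result(msg) != "pass":
        # Spoofed or unauthenticated sender: sender authentication catches it.
        return "quarantine", themes
    if themes:
        # Authenticated, no malware, yet asks for money or PII: needs a human check.
        return "verify-out-of-band", themes
    return "deliver", themes

def sample(dmarc, body):
    """Build a constructed test message (not real mail)."""
    return ("From: ceo@example.com\nTo: hr@example.com\n"
            f"Authentication-Results: mx.example.com; dmarc={dmarc}\n"
            "Subject: request\n\n" + body)

SPOOFED = sample("fail", "Please wire transfer $48,000 today. Strictly confidential.")
COMPROMISED = sample("pass", "Send me the W-2 forms for all staff before end of day.")
BENIGN = sample("pass", "Agenda for Thursday's meeting is attached.")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("compromised", COMPROMISED),
                      ("benign", BENIGN)]:
        print(name, triage(raw))
```

The compromised-account message passes sender authentication and carries nothing to scan, so only the nature of the request marks it for verification through a separate channel.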
Watch Out for These Common Scams
Some of the most common examples of Business Email Compromise include:
- Real Estate Transactions: During a real estate transaction, criminals may impersonate sellers, realtors, title companies, or law firms to trick the home buyer into transferring funds into a fraudulent account.
- Data and W-2 Theft: Criminals use a spoofed or compromised executive email account to send fraudulent requests for W-2 information or other personally identifiable information to HR staff or others within the business who maintain confidential employee records.
- Supply Chain: Criminals send fraudulent wire transfer requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by organized crime groups.
- Law Firms: Criminals discover information about pending litigation or trusts and impersonate a law firm’s client to change the recipient bank information to a fraudulent account.
Over 41,000 Victims and Growing
The statistics are staggering. In July 2018, the FBI released a public service announcement indicating that victims lost over $12.5 billion to BEC attacks between October 2013 and May 2018. In the United States, BEC attacks claimed over 41,000 victims during this five-year period at a total loss of over $2.9 billion. In 2017 alone, the Internet Crime Complaint Center (IC3) received over 15,000 reports of BEC attacks with estimated losses of over $675 million.
Based on victim complaint data, BEC scams targeting the real estate industry are on the rise. From 2015 to 2017, the number of victims of real estate BEC scams rose by over 1100% and financial losses rose by almost 2200%. May 2018 had the highest number of real estate victims since 2015, and September 2017 reported the highest victim loss.
Recent High-Profile Incidents of BEC Scams
In 2013, Google and Facebook lost over $100 million in a scheme that impersonated a large Asian manufacturer.
In August 2017, MacEwan University lost almost $12 million to a spear-phishing campaign that impersonated a construction and contracting company.
In June 2017, a New York judge lost over $1M in a real estate scam that began as an email claiming to come from her real-estate lawyer.
And this week a report surfaced about a Dutch cinema chain losing over $21.5 million to a “strictly confidential” funds transfer request sent to the company’s CFO.
Despite efforts to raise awareness of these scams, a recent Gartner Research report indicated that BEC attacks will continue to be persistent and evasive, leading to large financial fraud losses for businesses and data breaches for healthcare and government organizations.
Why are Business Email Compromise threats so dangerous?
Business Email Compromise attacks are designed to bypass standard security mechanisms such as spam filters and anti-virus software, and are dangerous for a variety of reasons.
- They contain no malware. BEC attacks normally don’t contain malware. Instead, they use crafty social engineering to trick users into thinking they are legitimate.
- They are able to bypass many spam filters. BEC scams are often well-crafted, with no spelling or grammatical errors, so many spam filters let them through.
- They are highly personalized. Scammers take their time researching the victim long before an attack is launched. They scour public websites, social media, and even the dark web to find specific information, including names and background information of company executives. Armed with this information and with knowledge of an executive’s writing style, their emails appear authentic.
What is being done to stop BEC attacks?
Recently, multiple countries launched a coordinated effort to dismantle international BEC schemes. This effort, known as Operation WireWire and involving the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Service, resulted in 74 arrests across multiple countries. Unfortunately, these attacks will continue as long as human nature can be exploited for personal gain. In fact, a recent report by Get Safe Online indicated that over a third (37%) of employees don’t know what to look for to identify common email scams. The report also stated that one in 20 email fraud victims were so ashamed that they hid their mistakes from their colleagues.
Businesses of all sizes must remain vigilant against these threats. As the old saying goes, knowledge is power, and knowing how BEC attacks are launched and how to identify and avoid them is key. We’ll discuss these topics in parts 2 and 3 of this series, so stay tuned!