“Amateurs hack systems, professionals hack people.” - Bruce Schneier, Computer Security Expert
According to the Federal Bureau of Investigation (FBI), a Business Email Compromise (BEC) is a sophisticated scam targeting businesses that work with foreign suppliers and/or businesses that regularly perform wire transfer payments.
There are five different types of BEC scams:
1. CEO Fraud: The scammer, posing as the CEO, requests that the finance department transfer funds to an account managed by the scammer.
2. Account Hacked: The attackers hack an employee’s email account and then use it to request that payments meant for vendors be sent to an account owned by the attacker.
3. False Invoice: Scammers posing as suppliers target foreign companies, requesting that funds be transferred to an account under their control.
4. Attorney Impersonation: Posing as a lawyer, the scammer generally targets employees at a lower pay scale, who may not have the information needed to question the validity of the request.
5. Data Theft: Scammers target the Human Resources department to gain access to sensitive information about top employees such as the CEO. This information can then be used to carry out CEO fraud.
FBI Special Agent Maxwell Marker has said that BEC is a serious threat on a global scale: it is a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.
A BEC scam generally begins with one of the following:
1. Getting an employee to click on malware that compromises the network
2. Impersonating a top official in the company
EXAMPLES OF COMPANIES SCAMMED BY BUSINESS EMAIL COMPROMISE
“Social engineering bypasses all technologies, including firewalls.” - Kevin Mitnick, Cybersecurity Consultant
Social engineering is a manipulation technique that relies on human error rather than on vulnerabilities in the system. By convincing you that the CEO wants money wired somewhere, or by creating a sense of urgency, the attacker forces your hand and manipulates you into doing something you otherwise would not.
1. A big commodity trading company was defrauded of $17 million when one of its employees, after being ordered to do so, sent money in installments to a bank in China. The emails were purportedly sent by the CEO and the company’s outside auditing firm.
The email from the fake CEO looked like this:
“I need you to take care of this. For the last months, we have been working in coordination and under the supervision of the Securities and Exchange Commission (SEC), on acquiring a Chinese company… This is very sensitive, so please only communicate with me through this email, in order for us to not infringe SEC regulations.”
2. Another example of a fake email:
“Glen, I have assigned you to manage the file T521,” the fake message read. “This is strictly confidential financial information, which takes priority over other tasks. Have you already been contacted by Steven Shapiro (an attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe on SEC regulations. Please do not speak with anyone by email or phone regarding this.”
This was sent by scammers claiming to be the CEO to the Director of Accounting of the same firm, and unfortunately for the firm, the operation succeeded.
METHODS TO PREVENT BEC
“Even the bravest cyber defense will experience defeat when weaknesses are neglected.” - Stephane Nappo, Vice President, Groupe SEB
1. VOICE VERIFICATION
Voice verification is a simple yet effective control against BEC scams: individual requests such as fund transfers, vendor payments, and invoice changes can be verified by picking up the phone and confirming them. If the CEO wants you to wire money, simply calling him to confirm the request could save the organization’s dollars. It is simple and effective.
2. RECOGNIZE RED FLAGS
Recognizing red flags is critical to preventing BEC scams effectively. Red flags range from misspellings and poor grammar to a sense of urgency.
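As an added illustration (not part of the original post), the following Python script scores an incoming message against the cues the post itself points to: urgency, demands for secrecy, locking the conversation to one email thread, payment or transfer requests, and name-dropping of the CEO, auditors or lawyers. It also flags the CEO-impersonation case where the display name belongs to a known executive but the address is not on the company domain. The executive list, the company domain and the regex patterns are my own assumptions; the sample bodies reuse wording from the fake emails quoted above.

```python
import re

# Constructed executive directory and company domain (assumptions for this example).
EXECUTIVES = {"jane doe", "john smith"}
COMPANY_DOMAIN = "example.com"

# Red-flag cues discussed in the post. The regexes are my own approximations
# of those cues, not an official rule set; tune them to your own mail traffic.
RED_FLAGS = {
    "urgency": [r"\burgent\b", r"\bimmediately\b", r"\btakes? priority\b",
                r"\bi need you to\b", r"\bas soon as possible\b"],
    "secrecy": [r"\bconfidential\b", r"\bsensitive\b",
                r"\bdo not (speak|talk|discuss)\b", r"\bonly communicate with me\b"],
    "channel_lock": [r"\bthrough this email\b",
                     r"\bnot .{0,25}by (email or )?phone\b"],
    "payment": [r"\bwire\b", r"\btransfer\b", r"\bfunds?\b", r"\bpayment\b",
                r"\binvoice\b", r"\bacquir(e|ing)\b"],
    "authority": [r"\bceo\b", r"\bsec\b", r"\battorney\b", r"\blawyer\b",
                  r"\baudit(or|ing)\b", r"\bkpmg\b"],
}

def body_hits(body: str) -> dict:
    """Return {category: [matched patterns]} for every cue category found in the body."""
    text = body.lower()
    hits = {}
    for category, patterns in RED_FLAGS.items():
        matched = [p for p in patterns if re.search(p, text)]
        if matched:
            hits[category] = matched
    return hits

def spoofed_sender(display_name: str, address: str) -> bool:
    """True when a known executive's display name arrives from a non-company address."""
    domain = address.rsplit("@", 1)[-1].lower()
    return display_name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN

def assess(display_name: str, address: str, body: str) -> dict:
    hits = body_hits(body)
    spoof = spoofed_sender(display_name, address)
    # Escalate on a spoofed sender, or when cues from three or more categories
    # co-occur; a single word such as "invoice" in a routine mail is not enough.
    escalate = spoof or len(hits) >= 3
    return {"hits": hits, "spoofed_sender": spoof,
            "action": "ESCALATE: verify by phone" if escalate else "ok"}

if __name__ == "__main__":
    # Body reuses wording from the fake CEO email quoted in the post; sender details are constructed.
    print(assess("Jane Doe", "jane.doe@example-mail.net",
                 "I need you to take care of this. This is very sensitive, so please only "
                 "communicate with me through this email, in order for us to not infringe SEC regulations"))
```

The "verify by phone" action ties the detection back to the voice verification control above: a flagged message is confirmed with the purported sender out of band rather than acted on.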
3. ENABLE MULTI-FACTOR AUTHENTICATION
Multi-factor authentication is critical to securing your systems: even if a scammer acquires your username and password, one more authentication factor would still be required to access your account.
4. RAISE AWARENESS
Training employees to detect BEC scams is paramount, as the money a company spends on training its employees would be far less than the money it could lose to a single BEC scam.
It is evident from the sections above that Business Email Compromise can be detrimental not only to a company's finances but also to its reputation and image in the market. It is essential that companies take the issue seriously and put the necessary controls in place to protect their businesses before it is too late.
Gorisco has a wide range of experts who have various solutions to help organizations mitigate their risks and solve their problems.
At Gorisco, our motto is 'Embedding Resilience' and we are committed to making the organizations and their workforce resilient. Reach out to us if you have any queries, clarifications, or need any support on your initiatives.