As technology advances, cyber-criminals are always on the lookout for vulnerabilities and loopholes in an organization’s IT system. One popular tactic they have employed over the past decade is the Business Email Compromise scam (BEC), which can cause significant financial loss and reputational damage to the victims. According to a recent Scam Activity Report from the Australian Competition and Consumer Commission, BEC scams have had the most impact on Australian businesses, resulting in a loss of $224 million in 2022. The situation is even worse in the United States, with Statista reporting a staggering loss of $2.74 billion in 2022 due to BEC scams.
What is a BEC Scam?
A business email compromise is a type of identity theft scam in which the email account of a company or a corporate body is hacked, and the account holder (usually a top-level executive) is impersonated for fraudulent purposes. The criminals often hijack and redirect business transactions and financial benefits.
The attacker creates an email address that looks identical to that of a transacting party in a bid to redirect conversations or transactions. Sometimes the threat actors carry out the entire fraudulent activity from within the hijacked email account, and this continues until the criminal is denied access to the account. BEC scams often target individuals and businesses who engage in legitimate transactions involving funds transfer.
BEC scams, however, are not always linked to hijacking a request for transfer of funds. Another, less common approach involves breaching legitimate company email accounts and demanding employees’ personal identity data, including payee and tax records.
Although BEC scams are well known, people and corporate bodies still fall prey to them, and the list of reported victims has grown significantly over the years. According to Infosecurity, documented business email compromise (BEC) incidents rose by 81% in 2022 and by 175% over the preceding two years. A report by the Internet Crime Complaint Center, a unit of the FBI, states that business email compromise is 64x worse for businesses than ransomware. The FBI further reports a global loss of over 50 billion dollars to BEC scams between 2013 and 2022.
BEC scams are borderless, as they have been reported in about 177 different countries, with fraudulent wire transfers made to at least 140 countries.
How BEC scams work
It has been established over time that BEC attackers follow a specific pattern in perpetrating scams, whatever the eventual outcome:
- They identify a potential victim
- Email hack
- Act of impersonation or Spoofing
- Execute a fraud
Identify a potential victim
What makes a BEC scam different from other email scams is the level of personalization the scammers adopt. A BEC threat actor seldom sends random emails or phishing campaigns to many addresses at once. They are far more specific, hence the need to first identify a possible target.
The cyber-criminal looks for a target using publicly accessible information in the first phase of a Business Email Compromise scam. They identify a possible victim or company online and then get detailed and reliable information about their target on their social media profiles, About page, and website.
According to a reported Barracuda study, BEC scam attackers target up to six employees on average, and about 94.5% of all BEC attacks target fewer than 25 people in an organization. Usually, a C-suite staff member is targeted; however, other employees in sensitive positions like finance and HR are also major targets of BEC scams.
Email hack
Following the potential target identification, the attacker utilizes multiple methods to invade the company’s email environment: social engineering, ransomware, spear phishing, keyloggers, or brute force. The attacker’s objective is to gain access to login credentials and email accounts of the most crucial departments in an organization.
For instance, having access to the accounting department email could potentially lead to funds diversion and wire fraud, just as hacking into the HR email could give the attacker access to unlimited personal information.
Act of impersonation
Similar to other email scams, Business Email Compromise (BEC) attackers frequently employ impersonation tactics. This may involve posing as a high-ranking executive, a business partner, or even a supplier. By assuming someone else’s identity, the attacker manipulates the target into complying with their requests, as they mistakenly believe they are interacting with a trusted individual.
It is worth noting that BEC impersonation is not solely an external act. According to a recent security report, 48% of all BEC attacks involve internal impersonation. This means that protecting against BEC attacks involves not only guarding against outside threats but also employees who may pose an internal threat. It is important to be vigilant against all potential sources of BEC attacks.
Spoofing
Within the realm of BEC scams, email spoofing serves as a vital tool for cybercriminals, enabling them to assume false identities and present their fraudulent messages as authentic communications from reputable sources. By altering the email header details, such as the “From” field, scammers create a facade that tricks recipients into believing they are receiving legitimate emails from trusted individuals or organizations. This manipulation aims to deceive and exploit the victims, heightening the likelihood of their unwitting cooperation with the scam. Reports suggest that nearly half of all BEC scams result from the spoofing of an individual’s identity, while 68% of BEC attempts involve spoofing an organization.
Attackers can sometimes alter a partner’s or trusted sender’s domain by a single character. For example, they can delete a letter that appears twice in a word, or substitute an uppercase “I” for a lowercase “l”, since the two are generally indistinguishable in many fonts.
For instance, the attacker might use Kehl.richy@educatlon.com instead of Kehl.richy@education.com. Without paying close attention, it is easy to be deceived into believing both domain names are the same.
Execution
Having observed work patterns and email correspondence from the company within a time frame, the threat actor finally executes the BEC scam. This is usually done by sending an email requesting something urgently (money or information).
After successfully deceiving the victim and persuading them to carry out the desired action, such as initiating a fund transfer, the cybercriminals swiftly proceed to launder the illicitly obtained funds. This process involves utilizing diverse channels, frequently including the involvement of intermediaries known as money mules or leveraging cryptocurrency transactions to obscure the traceability of the money. By employing these methods, the perpetrators aim to evade detection and make it significantly challenging for authorities to track and recover the stolen funds.
Types of BEC scam
Account Compromise
During August 2019, news of a significant BEC scam circulated, revealing a staggering loss of over $37 million. This particular incident unfolded rather smoothly and swiftly. A malicious actor, posing as a trusted business partner of the targeted company, initiated a series of emails to the finance and accounting department representatives. These emails demanded the transfer of funds to a specific bank account controlled by the cybercriminal. Exploiting the pre-existing business relationship and pending transactions between the company and the supposed partner, the request appeared legitimate. Regrettably, the victimized company in this case was none other than the renowned automobile giant, Toyota.
Account compromise is among the most damaging types of Business Email Compromise. Account compromise occurs when an attacker obtains login credentials and hacks into the email account of a business or corporate body.
This mostly happens through a phishing attack; however, credentials can also be acquired on the dark web. After an account compromise, the attacker is able to take over the account, for example by changing the password, and to read and send messages from it without restriction. This can be very dangerous, as an attacker may lurk undetected and gather vital information for a long time.
Almost every BEC scam begins with an account compromise.
CEO Fraud
According to a reported Wall Street Journal article, Frank Krasovec, the chairman of Dash Brands, which owns Domino’s Pizza franchises in China, unknowingly had his email hacked, which resulted in a loss of $450,000. He had obtained a $1 million personal line of credit from Plains Capital Bank, and a few months later he traveled on a business trip. When he returned, he realized that the money was missing. It was later discovered that his email had been hacked, and someone posing as him, writing from his own email account, had asked his assistant to wire the money to a Hong Kong account.
In a typical CEO fraud, the attacker poses as the CEO or executive of a company, probably after hacking and having access to their account. They then email an employee or associate with relevant control over finance, instructing them to transfer funds to an account the attacker will provide.
Attorney Impersonation
In the realm of corporate dynamics, attorneys hold pivotal roles that require utmost trust and confidentiality. Unfortunately, this trust can be exploited by malicious individuals who assume the guise of an attorney to manipulate unsuspecting employees. In this scenario, the attacker skillfully impersonates a company’s attorney, leveraging the authority and credibility associated with the legal profession.
Typically, their targets are employees with lower levels of knowledge and familiarity with legal matters. Exploiting this knowledge gap, the fraudster employs persuasive tactics to convince these employees to comply with their requests, all while operating under the false pretense of being an attorney. This deceptive approach allows the attacker to manipulate the situation to their advantage, potentially leading to detrimental consequences for the targeted individuals and the company as a whole.
False or Bogus Invoice Scheme
In 2018, the North Carolina County of Cabarrus in the US lost over one million dollars to some BEC scammers who posed as representatives of Branch and Associates, a contractor building a new high school. The attackers, posing as representatives of the contractor, sent emails to the Cabarrus County Government with fake documents requesting an update of bank account information with the government. Unknown to the government, the account update meant that any money paid would be paid into an account controlled by the attackers.
The false invoice scheme is also known as a partner impersonation scam. Here, the attackers impersonate a business partner or supplier of a company to divert and hijack payments meant for the original partner.
Data Theft
Data theft BEC scams typically target HR employees who have access to personal and vital information about the company and the other employees within the system.
Such information includes phone numbers, email addresses, passport, social security and driver’s license numbers, and salary account details, just to name a few. Information and data obtained through this scam can be used for further attacks like CEO fraud or payroll fraud.
Payroll Diversion
Although this was not so common in the past, FBI reports of payroll diversion have been on the rise recently. Complaints suggest that the human resources or payroll department of an organization receives phishing emails that appear to be from workers requesting a change to their bank deposit account. A Barracuda report indicates that 8% of BEC scams involve payroll scams.
How to Identify BEC Scam
BEC scams mostly exploit human error and personal frailties rather than technical weaknesses. Hence, identifying a potential scam depends mainly on employee awareness, extreme caution, and care in handling tasks and resolving requests.
Here are a few warning signs that will help you identify a BEC scam:
- You receive a message from a top-level executive or a partner with a tone of urgency. According to a Barracuda study, BEC emails are often written to push the target into making a hasty, mistaken decision. The study found that 85% of messages were marked as urgent, 59% requested help, and 26% made inquiries.
- The message urges you to disregard normal company procedural rules, and hierarchical command and authorization.
- You receive a message prompting you to change certain sensitive or personal details.
- You notice any error, no matter how slight, in the sender’s name, message, or information they should reasonably know.
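The warning signs listed above (urgency, a request to bypass normal procedure, a request to change sensitive details, and inconsistencies in the sender's identity) can be turned into a first-pass triage check that a mailbox rule or SOC script runs before a human reviews the message. The code below is an added example for this article, not code from the article or from any product; the company domain, the executive name, the keyword patterns and the two sample messages are all constructed assumptions, and the flags are a prompt for out-of-band verification, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and its executives' names.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"dana rivers"}

# Constructed keyword patterns for the warning signs; tune them to real traffic.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)
PROCEDURE_BYPASS = re.compile(
    r"\b(skip|bypass|don't|do not|no need)\b.{0,40}\b(approval|procedure|verification|process|sign-?off)\b",
    re.I)
SENSITIVE_CHANGE = re.compile(
    r"\b(change|update|new)\b.{0,30}\b(bank|account|routing|deposit|payroll|wire)\b", re.I)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].casefold()


def _body(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw: str) -> list:
    """Return the BEC warning signs found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = _body(msg)
    flags = []
    if URGENCY.search(subject) or URGENCY.search(body):
        flags.append("urgency")
    if reply_to and _domain(reply_to) != _domain(addr):
        flags.append("reply-to mismatch")          # replies silently go elsewhere
    if name.casefold() in EXECUTIVES and _domain(addr) != COMPANY_DOMAIN:
        flags.append("executive name from external domain")
    if SENSITIVE_CHANGE.search(body):
        flags.append("sensitive detail change")
    if PROCEDURE_BYPASS.search(body):
        flags.append("procedure bypass")
    return flags


def verdict(raw: str) -> str:
    """Two or more warning signs: hold the message and verify the request out of band."""
    return "hold for verification" if len(triage(raw)) >= 2 else "deliver"


# Constructed sample messages (not real correspondence).
SUSPICIOUS = """From: Dana Rivers <dana.rivers@gmail-mail.example>
Reply-To: dr.office@mailbox.example
To: assistant@example-corp.com
Subject: Urgent wire needed today

I'm travelling and can't take calls. Please wire the invoice amount to the new account
details below right away. No need to go through the usual approval, I'll sign off on my return.
"""

BENIGN = """From: Dana Rivers <dana.rivers@example-corp.com>
To: assistant@example-corp.com
Subject: Agenda for Thursday

Attached is the agenda for Thursday's planning meeting. Let me know if anything is missing.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, verdict(raw), triage(raw))
```

The reply-to check deserves emphasis: an attacker who cannot keep a foothold in the hijacked account often sets Reply-To to an address they control, so the conversation continues with them even after the victim hits reply. None of these signals replaces calling the requester on a known number.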
How to Protect Yourself Against BEC Scam
There are various measures to prevent a BEC scam, and they should always be religiously adhered to. Importantly, because a BEC scam exploits people and process rather than a single technical flaw, no single solution, such as installing a piece of software, can stop it on its own.
- Periodically organize training to remind your employees and yourself of the dangers and workings of BEC scams. The frequency of the training will keep everyone alert at all times.
- Carefully scrutinize all email requests for transfer of money and documents. Also, watch out for identical domain names appearing to come from legitimate and familiar sources.
- Always independently verify any request to transfer money or data or to change any information. Confirm with the person verbally, or contact them through a phone number you already know rather than one given in the email.
- Always save emails and conversations, especially those containing sensitive information.
- Implement multi-factor authentication on IT infrastructure.