An energy company in Texas was scammed out of $3.2M when an executive assistant paid a bogus invoice sent by a cybercriminal impersonating the CEO. The criminal had done his research, and he built trust by mentioning details he had learned through Facebook about the CEO’s commitment to his daughter’s soccer game.
In a scam that involved less money but is no less frightening, a cybercriminal conned an executive in the UK into transferring $243K to a fake supplier using AI-generated audio to impersonate the CEO’s voice. It is one of three reported cases of deepfake voice fraud being used by scammers to trick companies into transferring them money.
This is modern day CEO fraud, also called Business Email Compromise (BEC), and your organization could be vulnerable.
US Businesses Lost $1.2 Billion to Business Email Compromise in 2018
You may think that a scam like this couldn’t happen to your company. After all, your employees are well-trained on the signs of common scams. Your internal networks are closely monitored, and you have a system of checks and balances on larger financial transactions.
And yet, the FBI received more than 20,000 BEC complaints in 2018 from US businesses, reporting losses totaling more than $1.2 billion.
That loss equates to nearly 77 instances of BEC per working day. And, according to reports, losses from BEC scams are expected to increase, in part because these scams require so little technical knowledge, are difficult to detect as they typically originate from a hacked internal email account, and can mean a hefty payout for cybercriminals.
A cybercriminal could snag, on average, $125K for BEC scams that leverage a fake invoice and $50K for BEC scams that impersonate a CEO. In addition to financial loss, cybercrimes like BEC can harm businesses in other ways, including the theft of financial data, intellectual property or employees’ Personal Identifying Information (PII), time and money spent on post-attack response, and damage to the company’s reputation.
Business Email Compromise 101
According to the US Department of Justice, BEC is a sophisticated scam that typically targets employees who have access to company finances, businesses that work with foreign suppliers, or businesses that regularly perform wire transfer payments. BEC is also known as Email Account Compromise (EAC), CEO fraud, or invoice fraud.
Despite what you may think, BEC scams don’t just target large, multinational corporations. In fact, the majority of BEC incidents (73%) reported in 2017 involved domestic transactions, according to the US Treasury.
Some of the more common BEC scam tactics are:
- An email impersonating the CFO or CEO that requests an immediate wire transfer for a confidential project, often while the executive is traveling or otherwise unavailable
- A bogus invoice that appears to come from a legitimate supplier but routes the funds to the cybercriminals’ accounts using fraudulent payment details
- A cybercriminal intercepting legitimate payments and convincing employees to switch the payment details to a fraudulent account
Unfortunately, many experts believe that the problem will only get worse. One cybercriminal ring was discovered with contact information of more than 50,000 financial executives in their database of potential targets.
The Making of a Modern BEC Scam
Modern day BEC isn’t just a random email sent in the hopes that a recipient will click on a malicious link. It is a carefully orchestrated fraud run by international crime groups that rely on hackers, lawyers, and linguists. To understand the whole, it helps to first understand the parts that make up this lucrative scam.
Researching the Target Company - BEC scammers do their homework, and in some cases, they may have gained access to the victim’s network long before the actual BEC attack and may spend weeks or even months studying the company’s structure, billing systems, and vendor relationships. They may also leverage social media to learn about employees’ personal lives and their communication styles.
Hacking or Spoofing Emails - Cybercriminals typically use one of two methods to execute a BEC scam. First, they may hack into a company email account and then use that compromised internal account to impersonate an employee or vendor partner and gain the victim’s trust. Second, instead of hacking into a legitimate email account, the attackers may spoof the identity of an employee or vendor. Spoofing is a method of altering the email header so the message appears to come from a different source.
Choosing the Right Moment - One critical component of a successful BEC scam is choosing when to strike: often late on a Friday afternoon, when employees feel pressure to finish their work, or when a CEO or executive is traveling or otherwise out of reach. The scammers may use information gained from their research on the company and its employees, such as referencing a personal fact or favorite activity to establish legitimacy, or adopting the same tone and language as the executive they are impersonating.
Initiating Contact - BEC scammers may start small by initiating a short, casual exchange with the targeted victim to get a better understanding of whether they are likely to comply. The first communication may be as simple as, "Hey, I need a favor" or "Hey, are you at your desk?" Scammers may ask for the victim's phone number to send payment details via text. In some cases, attackers wait and watch until they see an internal email exchange regarding a large financial transaction and then insert themselves into the conversation using fraudulent banking instructions to misdirect payments.
Stressing Urgency and Confidentiality - While it can be difficult to believe that an employee would send a large amount of money without communicating with their colleagues or perhaps even ignoring established policies, remember that cybercriminals often take advantage of the trust of the person they are impersonating to stress a high level of urgency and secrecy in the transaction. For example, an email message from the “CEO” may request an immediate, confidential transfer of funds for what appears to be a legitimate reason, such as an unexpected—and confidential—acquisition.
If the BEC scam is successful, these organized groups of cybercriminals often have established methods of laundering and transferring the money, making it difficult to trace.
It’s also important to remember that BEC scammers aren’t always looking for an immediate payout. They may use the same or similar tactics to obtain employees’ pay stubs, tax statements, or other personally identifiable information (PII) to later commit identity theft or tax fraud. According to the US Department of Justice, investigators discovered that BEC conspirators had stolen 250,000 identities and filed 10,000 fraudulent tax returns in an attempt to receive $91 million in refunds.
How to Better Protect Your Company from BEC Scams
Unfortunately, many of the solutions that companies implement in order to protect their systems against a cyberattack aren’t effective in guarding against a BEC scam. However, there are steps you can take to help better prepare your employees, monitor your systems, and safeguard large financial transactions. Some best practices to consider are:
- Use two- or multi-factor authentication for all key applications. According to experts, improving authentication protocols may be the most effective way to mitigate the risks associated with credential theft and compromise. One of the most secure methods is multi-part authentication that requires the use of hardware tokens and verification from a second device, but experts say even a simple SMS-messaging system to confirm credentials can provide some protection against BEC attacks.
- Implement a rules-based system to detect fraudulent incoming emails. Some options are: flagging any sender that uses a similar but slightly different domain name (such as abc_company vs. abc-company), flagging incoming email that uses a "Reply-To" address that is different from the "Sender" address, and color-coding incoming email to distinguish between internal and external messages.
- Establish policies for authorizing large wire transfers and unexpected payments. For example, consider verifying requests for large wire transfers only through a face-to-face conversation or phone call with a senior staff member. For unexpected payments, consider including a requirement to authorize the transaction through a method other than email, such as a confirmation call made to an executive using their known cell phone number. It’s advisable to get the CEO and CFO’s buy-in for these policies along with an agreement not to punish employees who refuse to break the rules.
- Conduct frequent employee security training. Experts say that employee training and open communication are key to better detecting and avoiding BEC scams. Employees need to be trained to scrutinize all emails and to carefully verify all vendors. According to one report, companies that implement a comprehensive anti-phishing training program could reduce their susceptibility by more than half. It’s recommended to conduct security training frequently (more often than just during new employee onboarding), including conducting simulated BEC attacks.
- Evaluate internal systems. Your IT department will know best how to better protect your company from BEC scams, but experts recommend that internal security systems should include intrusion detection, encryption of sensitive data, and the ability to monitor anyone who attempts to gain access to the company’s network.
- Set policies regulating the distribution of information. Remember that cybercriminals may attack in order to get information on your company or employees to commit identity theft or tax fraud, so be sure to set policies regarding access to and release of customer and employee Personal Identifying Information (PII), financial information, and intellectual property.
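The rules-based email checks described above (lookalike sender domain, "Reply-To" differing from the sender address, and internal-versus-external tagging) can be expressed as a small header filter. The following is an added example written for this article, not code from the original or from any product; the trusted-domain list and the sample message are constructed.

```python
import email
from email.utils import parseaddr

# Assumed: the organisation's own domain plus known vendor domains (constructed).
TRUSTED_DOMAINS = {"abc-company.com", "trusted-supplier.com"}

def _normalize(domain: str) -> str:
    """Collapse separator swaps such as abc_company vs abc-company."""
    return domain.lower().replace("_", "-").replace(".", "-")

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typosquats (abc-compny.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return the trusted domain that an untrusted `domain` imitates, or None."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if _normalize(domain) == _normalize(trusted) or _edit_distance(domain, trusted) <= 1:
            return trusted
    return None

def flag_message(raw: bytes) -> list:
    """Run the three header checks on one raw message and return the flags raised."""
    msg = email.message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    flags = []
    if from_domain not in TRUSTED_DOMAINS:
        flags.append("external-sender")  # basis for internal/external colour-coding
        imitated = lookalike_of(from_domain)
        if imitated:
            flags.append("lookalike-domain:" + from_domain + "~" + imitated)
    if reply_to and reply_to != from_addr:
        flags.append("reply-to-mismatch:" + reply_to)
    return flags

# Constructed sample: a spoofed "CEO" message on an underscore lookalike domain
# whose Reply-To quietly redirects any answer to an unrelated mailbox.
SAMPLE_FRAUD = (b"From: CEO <ceo@abc_company.com>\r\n"
                b"Reply-To: ceo.private@mail.example\r\n"
                b"Subject: Urgent confidential transfer\r\n\r\n"
                b"Are you at your desk?\r\n")
```

The flags are meant to feed a mail gateway rule or a visible banner for the recipient, not to block mail outright, since legitimate vendors do sometimes use a distinct Reply-To.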
What to Do If You Believe Your Company Is a BEC Victim
There is positive news, even for victims of BEC. The FBI has established a Recovery Asset Team, which is a subdivision of the FBI’s Internet Crime Complaint Center (IC3) dedicated to helping businesses recover funds lost to BEC. The Recovery Asset Team reportedly recovered 75 percent of lost funds in its first year of operation for a total of $192 million.
The US Department of Justice advises victims of BEC to file a complaint online with the IC3 at bec.ic3.gov. The IC3 staff will review the complaints and refer them to the appropriate law enforcement authorities. The FBI also provides resources relating to BEC through the IC3 at www.ic3.gov.