The Business Email Compromise threat
It's been called "the great white shark" of social engineering. But when your organization is targeted with a Business Email Compromise attack, it's more like being stalked by a pack of hungry velociraptors with a gift for disguise. Your predator works in concert with others: patient, observant, cunning, and murderously effective.
A long game of deception
According to the FBI, worldwide losses due to Business Email Compromise (BEC) had reached $12.5 billion by mid-2018. Tech giants Facebook and Google both lost $100 million in 2017 to a BEC scammer pretending to be a foreign manufacturer that worked with both companies. But even small organizations make attractive targets. And while the real estate sector has been especially hard hit recently, no entity is immune from this financial cyber threat. Even churches, schools and non-profits are potential marks.
BEC attacks are so successful because they don't rely merely on technology. Their strength lies in exploiting human vulnerabilities of complacency and presumed trust. BEC fraudsters pass themselves off as actual employees, executives and vendor contacts. It's a sophisticated, time-consuming scam to set up, but one that can pay handsome dividends when it succeeds.
Attackers employ malware, spoofing and phishing (emails and websites that mimic reputable companies, such as fake DocuSign login pages) to harvest employee login credentials. With that access, the stalking begins in earnest. Hackers go to work researching your email threads, your processes and your vendors. They familiarize themselves with the writing style of top executives' emails and with organizational documentation. They might set up legitimate-seeming vendor websites with URLs differing only by a letter or hyphen from the real one.
With the trap set, the scammers dangle the bait. Employees in human resources, payroll and finance departments receive urgent emails that appear to come from their superiors, including requests for:
- Wire transfers
- Payments on fake invoices
- W-2 information
- Payroll information
- VPN password resets
The appearance of legitimacy is total, and too often the ploy succeeds. The consequences to the organization are devastating, and the losses (money wired to offshore accounts) are often irretrievable.
Raptors in sheep's clothing
Global cybersecurity leader Trend Micro defines five distinct types of BEC scams, based on FBI statistics:
- The Bogus Invoice Scheme - often plays off an established relationship with a supplier. The request, made via spoofed email, phone or fax, asks for funds to be wired as payment on an invoice to a fraudulent account.
- CEO Fraud - a scammer posing as a C-level executive or legal representative initiates a wire transfer to an account they control.
- Email Account Compromise - a hacked employee email account is used to send requests to vendors in the employee's contact list for invoice payments directed to the hacker's bank account.
- Attorney Impersonation - the scammer emails or calls an employee or executive, posing as a legal representative working on confidential, time-sensitive issues. The approach is often timed at the end of the day or work week to exert maximum pressure on the employee to act quickly.
- Data Theft - the email account of an employee (typically in HR) is hacked and used to request personally identifiable information of executives and employees.
Employees on your protective perimeter
Firewalls and security software can detect and stymie attack vectors like malware. The same time-tested social engineering tricks used by con artists for centuries, on the other hand, easily evade technical filters. That in no way renders your organization defenseless against BEC attacks, however.
The two most important tools you can employ to defend against Business Email Compromise are workforce security awareness training and multifactor authentication (MFA). There are additional concrete steps you can take to protect your business:
- Train and educate your executives and employees, especially your finance department, about CEO Fraud.
- Buy domain names that are close variations on your organization name.
- Create email rules that flag messages from domains that are close variations of your organization's (acme-corp.com instead of acmecorp.com, for example) or whose "Reply-To" address doesn't match the "From" address, and block auto-forwarding in email software.
- Require two-factor authentication for account log-ins.
- Be wary of vendor payment or wire transfer requests that come from new email addresses or involve new account or routing numbers.
- Watch for "urgent" or "confidential" requests for payment, particularly at the end of the day, the end of the work week, or before holidays.
- Require verbal approval for large wire transfers, ensure every wire transfer matches a purchase order already in your system, and add multifactor authentication to your financial applications so that identity confirmation is required to initiate a wire transfer.
- Protect endpoints like laptops and smartphones with multifactor authentication: fingerprints and other biometrics, single-use password tokens, or digital certificates.
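As an added example that is not part of the original article, the Python script below runs several of the checks from the list above over inbound messages: a sender domain that is a close variation of the organization's, a "Reply-To" domain that doesn't match the "From" domain, "urgent" or "confidential" pressure language, and bank details that come from a sender not on file or that differ from the vendor record on file. The organization domain acmecorp.com is the article's own example; the vendor master record, the sample messages and the edit-distance threshold are constructed assumptions for illustration.

```python
"""Defender-side triage of one inbound message for common BEC indicators.
Added example, not the article's code; all sample data is constructed."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "acmecorp.com"  # the article's example domain, assumed to be ours

# Constructed vendor master: known vendor contact address -> bank details on file.
VENDOR_MASTER = {
    "billing@widgetsupply.example": {"account": "123456789", "routing": "021000021"},
}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.IGNORECASE)
ACCOUNT = re.compile(r"\baccount\W*(\d{6,17})\b", re.IGNORECASE)
ROUTING = re.compile(r"\brouting\W*(\d{9})\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, org_domain: str = ORG_DOMAIN, max_distance: int = 2) -> bool:
    """A domain that is not ours but within a couple of edits of ours
    (acme-corp.com, acmec0rp.com, acmecorp.co) is treated as a lookalike.
    The threshold of 2 is an assumption; tune it for your own domain length."""
    if not domain or domain == org_domain:
        return False
    return edit_distance(domain, org_domain) <= max_distance


def triage(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")

    # Single-part text bodies only; a multipart message would need each part walked.
    text = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(text):
        findings.append("urgency/confidentiality pressure language")

    account = ACCOUNT.search(text)
    routing = ROUTING.search(text)
    if account or routing:
        on_file = VENDOR_MASTER.get(sender)
        if on_file is None:
            findings.append(f"bank details from sender not in vendor master: {sender}")
        else:
            if account and account.group(1) != on_file["account"]:
                findings.append("account number differs from vendor master")
            if routing and routing.group(1) != on_file["routing"]:
                findings.append("routing number differs from vendor master")
    return findings


# Constructed sample messages.
SAMPLE_CEO_FRAUD = """\
From: "Jane Doe, CFO" <jane.doe@acme-corp.com>
Reply-To: jane.doe.cfo@webmail.example
To: payables@acmecorp.com
Subject: URGENT wire transfer needed today

Please wire $48,200 to account 987654321, routing 011000015, for Widget Supply.
Keep this confidential until I'm back in the office.
"""

SAMPLE_VENDOR_CHANGE = """\
From: Widget Supply Billing <billing@widgetsupply.example>
To: payables@acmecorp.com
Subject: Updated remittance details

We have changed banks. Please send future payments to account 555000111, routing 021000021.
"""

SAMPLE_LEGIT = """\
From: billing@widgetsupply.example
To: payables@acmecorp.com
Subject: Invoice 1042

Invoice 1042 attached, payable to account 123456789, routing 021000021 as usual.
"""

if __name__ == "__main__":
    for name, sample in [("ceo fraud", SAMPLE_CEO_FRAUD), ("vendor change", SAMPLE_VENDOR_CHANGE), ("legit", SAMPLE_LEGIT)]:
        print(name, "->", triage(sample) or ["no indicators"])
```

None of these findings proves fraud on its own; the point of the script is to route a flagged message to the verbal, out-of-band verification the list above calls for before any payment is changed or released.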
The most effective way to stop a BEC attack is to carefully evaluate EVERY request for funds or sensitive data. Your greatest security vulnerability is your people. Your job is to arm them with the most powerful tool that exists to combat security breaches: awareness.