Executive officers, primarily CEOs and CFOs, are the targets in this type of attack. According to a previous BEC alert, businesses of all sizes are potential targets and the scam is not limited in geographic scope. Victim selection criteria are largely unknown.
Cybercriminals zero in on the target and employ social engineering or malware (potentially both) to take over the business email account. After the compromise, the criminal monitors email correspondence and gathers information about travel schedules and other intelligence that would enable wire transfer fraud. As the alert calls out, the bad actor will often wait until the executive is on vacation to initiate the wire transfer request. The requests are well written and reflect the communication style of the executive.
Cybercriminals don't always take over the email account to attempt fraud; sometimes they spoof the sender address so that it closely resembles the legitimate business email address.
The following is an example of a BEC attempt; you’ll notice there are no grammatical errors or misspellings, which are common in other less sophisticated phishing attacks. This particular email was sent to a director in the finance department purporting to be from the CFO of the targeted company.
Figure 1. Example of wire transfer email scam
Victims and known losses
The Internet Crime Complaint Center first sounded the BEC alarm in a public service announcement in January of 2015, reporting the following statistics related to BEC attacks.
- Total U.S. victims: 1,198
- Total U.S. dollar loss: $179,755,367.08
- Total non-U.S. victims: 928
- Total non-U.S. dollar loss: $35,217,136.22
- Combined victims: 2,126
- Combined dollar loss: $214,972,503.30
What should you do?
Although criminals continue to circumvent security controls, there are some tactics you can deploy to help mitigate the risk of fraud related to business email compromise attacks. A few suggestions called out in the alert include:
- Verbal confirmation – ensure that vendors and executives are required to verbally approve transfers (call back using known phone numbers from the vendor contact list, not numbers supplied in the request)
- Vendor contact information of individuals approved to make payment changes should be kept in a hard copy file
- Limit number of individuals authorized to approve fund transfers
- Out of band verification and one-time pins
- Dual approval for all wire transfer requests - dollar amount thresholds, trading partner white lists, new trading partner flags
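To make these controls concrete, here is an added example (not from the alert or this post) that encodes them as a release check over a wire transfer request: whitelist and new-partner flag, call-back on changed payment details, a limited approver list with dual approval, and an out-of-band one-time PIN above a dollar threshold. The partner list, threshold and approver names are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): vendors approved to receive payments
# with the phone numbers kept on file, the threshold for extra verification,
# and the short list of people allowed to approve fund transfers.
APPROVED_PARTNERS = {"acme-supplies": "+1-555-0100", "northwind": "+1-555-0199"}
OOB_THRESHOLD = 10_000.00
AUTHORIZED_APPROVERS = {"cfo", "controller", "finance.director"}


@dataclass
class WireRequest:
    partner: str                     # vendor the funds are going to
    amount: float
    details_changed: bool = False    # bank details differ from the hard-copy file
    approvers: set = field(default_factory=set)
    callback_done: bool = False      # verbal confirmation on the number on file
    otp_verified: bool = False       # one-time PIN over an out-of-band channel


def evaluate(req: WireRequest) -> list:
    """Return every control the request fails; an empty list means release."""
    failures = []
    if req.partner not in APPROVED_PARTNERS:
        failures.append("new trading partner: not on the whitelist, hold for review")
    elif req.details_changed and not req.callback_done:
        failures.append("payment details changed: call back the number on file first")
    if req.approvers - AUTHORIZED_APPROVERS:
        failures.append("approver not on the authorized list")
    if len(req.approvers & AUTHORIZED_APPROVERS) < 2:
        failures.append("dual approval missing: need two authorized approvers")
    if req.amount >= OOB_THRESHOLD and not req.otp_verified:
        failures.append("over threshold: out-of-band one-time PIN not verified")
    return failures


if __name__ == "__main__":
    # A CFO-impersonation request like Figure 1: one approver acting on an
    # emailed instruction, sending a large sum to an unknown beneficiary.
    urgent = WireRequest("new-consulting-llc", 48_000.0, approvers={"finance.director"})
    for f in evaluate(urgent):
        print("HOLD:", f)
```

The request in the `__main__` block trips three controls at once, which is the point: a single compromised or spoofed mailbox cannot satisfy a call-back, a second approver and an out-of-band PIN on its own.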
Security awareness training is another critical component of protecting your employees. Ensure that scam alerts are communicated and that the necessary tools are in place for employees to quickly and effectively report suspicious emails. Make sure reporting doesn’t mean that the suspicious email gets forwarded to a SOC mailbox that is never checked or managed.
Unfortunately, targeted phishing emails, such as the ones used in BEC attacks, are becoming increasingly common due to their high success rates and ROI for cybercriminals. For more information on protecting employees, visit our Spear Phishing Protection service page.