Business Email Compromise: 5 ways this fraud could happen and what can be done to prevent it

Millions of dollars and loads of personal information are being stolen through a growing threat known as Business Email Compromise (BEC).


TechRepublic's Karen Roby talked with Stephen Boyer of BitSight about Business Email Compromise (BEC) and what to do if a person falls victim. The following is an edited transcript of their interview.

Stephen Boyer: Business Email Compromise is really a sophisticated scam that targets businesses and individuals for a transfer of funds. So think of anyone who might be able to transfer funds in and out of a bank account: attackers will target them with a scam to get them to move money from the account of the business or the individual to the account of the attacker. But it's not just about funds; it could also be for stealing personally identifiable information that can be used in some other sort of scam.


Karen Roby: When you're talking about a company, whether it's a small business up to a huge company, you could be talking about a lot of money that someone is inadvertently transferring to a criminal.

Stephen Boyer: The threat can be massive. Actually, just last week, Nikkei, which is Japan's largest financial media company, announced that they had transferred 3.2 billion yen, which is a lot of yen and still a lot of dollars, about $29 million, through one of these schemes. It can impact large organizations, global organizations, down to small ones. Also, just last week, a small town in Florida announced that they had fallen victim to one of these scams. A fraudster posed as a construction company and duped an employee into transferring about $700,000 to a fraudulent account. So it's really a global problem, attacking both small and large organizations.

Karen Roby: So why aren't we hearing about this as much as we do, say, ransomware?

Stephen Boyer: Ransomware was the celebrity issue of the time. But just recently, AIG, which is the world's largest cyber insurer, announced that Business Email Compromise has recently eclipsed ransomware in fraud. And so for the first time it has eclipsed it: about a quarter of all the cyber insurance claims at AIG are now happening through Business Email Compromise. And an FBI report just talked about how Business Email Compromise had grown 100% year over year; over the last three years, it has accounted for about $26 billion in losses across the globe.

Karen Roby: Explain what the emails look and sound like.

Stephen Boyer: These fraud campaigns can happen in a variety of different ways. They really kind of break down into five basic categories. The first one is what you would call the bogus invoice. An attacker would send an invoice and say, "Hey, you owe us some money. You need to pay us this amount to this account." The person, maybe in payroll or invoice processing, pays that, and now the money is out. So that's really kind of the bogus invoice. The small twist to that, which is now happening, is that the attackers are getting on the computers of those employees and changing the routing information of those legitimate invoices, and now the money is going to an account controlled by the attacker. So, not a bogus invoice, but bogus account information.

The second is what we call CEO fraud or CEO impersonation, where the attacker pretends to be the CEO and then emails someone who's in charge of transferring the funds and will say something along the lines of, "Hey, it's urgent. We really need to pay this particular group. Please get this out right away," and gives the information. That's pretending to be the CEO and directing the staff to do that. That's the second area.

The third area is what we call account compromise, which means either you fell victim to a phishing attack or some malware got on the systems, and now the attacker has legitimate access to the email account of the victim. Now they can send an email to a partner or an employee, someone else who may trust it because it's actually not a spoofed email, it's a real email, and then carry out the fraud from there.

The other one is data theft. It's not just about stealing the funds. It may be that they steal personally identifiable information or other account information that can lead to other fraud.

And then the last class, and the FBI has been talking more about this, is what we call payroll fraud or payroll diversion, which is where the attacker will send a fraudulent, spoofed email to the HR teams, saying, "Hey, you need to now change my payroll deduction account information to this account." And then at payroll time, those funds go to the attacker's account. Or they're sending a fraudulent email to the employee saying, "Hey, log in here to update or change your payroll deduction information," and obtaining that information that way.

So there are lots of different varieties, but those are the five main classes of ways that business email fraud is perpetrated.

Karen Roby: So we know we must train employees, Stephen, and keep our systems up to date. But what happens if you do fall victim?

Stephen Boyer: Immediately, you want to contact your financial institution, because they may be able to reverse that transfer. If you detect it early, you may be able to reverse that transaction and potentially get that information back. You obviously want to contact law enforcement; the FBI requests that, no matter the amount of the fraud, you please submit it to the Internet Crime Complaint Center, or IC3, where you can put this information in. That's how they can track and understand it, but it also kicks off an investigation.

You obviously want to think about incident response, meaning: do you have a team internally that can investigate what happened? Or maybe you hire an incident response firm that's going to truly understand, "How did the fraud happen?" "How did the attacker attack?" Because you want to make sure that you close that gap, whatever gap was exploited, maybe a vulnerable system, or maybe the employee made a mistake, or maybe they lost their username and password. You want to understand what that problem is, so you can rectify and correct it.

The last one is to remain vigilant, because there may be follow-on attacks; other sorts of systems may have been compromised, so you want to keep a watch out. And then once the attackers have found somebody, they may keep going after them if they've been successful.
