Scammers and cybercriminals have a variety of tricks up their sleeves to try to obtain financial or personal information from their victims. One scam targeted at organizations is the Business Email Compromise (BEC). Also known as Email Account Compromise (EAC), CEO fraud, or whaling, this type of scam sends a fraudulent email to someone in an attempt to convince that person to share or reveal financial or personal information. A study released Tuesday by Symantec highlights the latest trends in this type of scam and offers advice on how organizations and employees can protect themselves from it.
A BEC scam can take a few different forms. The fraudulent email might tempt its victim with a request to buy physical or electronic gift cards. The email could masquerade as a legitimate business message with a request to update your salary or direct deposit account details. It could also ask for your personal or work phone number to provide further instructions.
In 2018, the FBI’s Internet Crime Complaint Center (IC3) received 20,373 BEC-related complaints, up from 15,690 complaints in 2017. Losses from BEC scams hit more than $1.2 billion in 2018, double the $676 million recorded in 2017. Since 2014, the number of victims and the amount of losses have steadily risen, according to the FBI’s statistics. On the positive side, the IC3’s Recovery Asset Team (RAT), which was formed in February 2018, has successfully recovered more than $192 million lost to BEC scams, according to Symantec.
On average, 6,029 organizations were targeted by BEC emails each month during the 12 months from July 2018 through June 2019, Symantec’s report said. The scams could have affected all of those businesses had the emails not been stopped by spam blockers. On average, organizations received five BEC scam emails each month during the past 12 months. The top countries targeted by BEC scammers were the US, the UK, Australia, Belgium, and Germany.
How can BEC emails be identified? One clue lies in the subject line of the email. BEC scams aimed at businesses in the UK and the US mostly had subject lines containing the word “IMPORTANT.” Most BEC scams targeted at Australia, Spain, France, and Germany had payment-related subject lines such as “PAYMENT,” “NOTIFICATION OF PAYMENT RECEIVED,” and “PAYMENT DUE 8 DEC.”
BEC emails also use common keywords in the body of the message. Almost all of the keywords discovered by Symantec are designed to draw your attention or suggest a sense of urgency related to something financial. Some keyword examples are: “Transaction request,” “Important,” “Urgent,” “Payment,” “Outstanding payment,” and “Notification of payment received.”
Over the past 12 months, BEC scammers have typically used or spoofed popular free web mail services from which to send their fraudulent messages. Gmail, AOL, Yahoo! Mail, and Hotmail are among the top 10 email domains used and abused by these scammers.
Symantec also reported on the 10 most popular themes used by BEC emails in the last 12 months. These include:
- Apple iTunes gift cards. The scammer asks the potential victim to buy iTunes physical gift cards from a store.
- Apple iTunes e-gift cards to employees. The scammer asks the potential victim to buy iTunes electronic gift cards for fellow employees.
- Amazon gift cards. The scammer asks the potential victim to buy Amazon gift cards.
- Generic gift cards for clients and partners. The scammer asks the potential victim to buy physical gift cards to be distributed to business clients and partners.
- Personal or work cell phone number request. The scammer asks the potential victim for a personal or work phone number in order to text payment instructions.
- Same-day wire payment. The scammer asks the potential victim for details about the same-day wire payment process used by his or her business.
- Probing for international transfer limit. The scammer asks the potential victim for the daily limit on international transfers.
- Set up payment for vendor or supplier. The scammer instructs the potential victim to set up a payment for a vendor or a supplier.
- Salary issue. The scammer claims there’s been an issue with a direct deposit or a salary account and that the potential victim needs to update his or her account details.
- Urgent payment needed. The scammer demands an urgent payment, claiming to be in a meeting and unable to receive phone calls.
BEC scams have often hacked or spoofed the email accounts of a business’s CEO or CFO, sending fraudulent emails to the finance department in an attempt to trick employees into making wire transfer payments. But as scammers adopt artificial intelligence (AI) and machine learning (ML), these types of fraudulent emails could become even more convincing, according to Symantec.
As one example, a scammer using AI or ML could target a senior financial executive or employee with access to the CEO and the ability to authorize money transfers. To verify the request for money, the scammer could use audio of the CEO during a phone call to convince the employee that the CEO is actually on the line ordering the transfer.
To guard against BEC scams, Symantec advises organizations to adopt the following best practices:
- Submit BEC samples to security vendors to help improve protection against these scams.
- Question any emails requesting actions that seem unusual or don’t follow normal procedures.
- Don’t reply to any emails that seem suspicious. Obtain the sender’s address from the corporate address book and ask about the message.
- Use two-factor authentication (2FA) for initiating wire transfers.
- Conduct user training to raise the overall awareness of BEC scams targeting employees.
- Educate employees on the latest threats so they remain vigilant against the potential dangers in their inboxes.
- Deploy BEC controls that include automated email sender authentication and impersonation controls that monitor susceptible employee email.
- Isolate the threats quickly to prevent them from infecting individual machines or the network.
- Analyze potential threats using analytics technologies that can detect the subtle differences between clean and infected emails.
- Use digital signatures that prove the authenticity of an email sender. Have your executives use digital certificates to sign messages. Further, ensure that recipients question emails appearing to come from the CEO when they are not digitally signed.
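The indicators described above (the subject-line and body keywords Symantec reported, senders on free webmail domains, executives being impersonated, and the automated sender-authentication controls in the recommendations) can be combined into a simple mail-gateway triage rule. The following Python script is an added example written for this article, not Symantec's or TechRepublic's code. The two messages, the executive directory, and the Authentication-Results values are constructed for the demonstration; the keyword lists and the free webmail domains are taken from the article.

```python
"""Heuristic BEC triage over constructed sample messages (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Subject-line and body keywords reported in the article.
SUBJECT_KEYWORDS = ("IMPORTANT", "PAYMENT", "NOTIFICATION OF PAYMENT RECEIVED", "PAYMENT DUE")
BODY_KEYWORDS = ("transaction request", "important", "urgent", "payment",
                 "outstanding payment", "notification of payment received")
# Free webmail domains the article names as commonly used or spoofed by BEC senders.
FREE_WEBMAIL = {"gmail.com", "aol.com", "yahoo.com", "hotmail.com"}
# Constructed executive directory (assumption: the organisation maintains one):
# lower-cased display name -> the executive's legitimate corporate address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed sample 1: CEO display name on a free webmail address, urgent gift-card ask,
# sender authentication failing at the receiving gateway.
BEC_SAMPLE = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "To: accounts@example.com\n"
    "Subject: IMPORTANT\n"
    "Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=gmail.com;"
    " dkim=none; dmarc=fail\n"
    "\n"
    "Are you in the office? I need you to buy iTunes gift cards for employees today.\n"
    "This is urgent. I am in a meeting and cannot take calls, send me your cell number.\n"
)

# Constructed sample 2: the same executive writing from her real corporate account.
LEGIT_SAMPLE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 budget review notes\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass\n"
    "\n"
    "Attached are the notes from today's review. No action needed before Monday.\n"
)


def failed_auth_results(header: str) -> list:
    """Return the spf/dkim/dmarc results in an Authentication-Results header that are not 'pass'."""
    results = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header)
    return [f"{method}={result}" for method, result in results if result.lower() != "pass"]


def score_message(raw: str) -> dict:
    """Score one RFC 5322 message against the BEC indicators and return reasons and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part else ""

    reasons = []
    if any(k in subject.upper() for k in SUBJECT_KEYWORDS):
        reasons.append("subject keyword")
    if any(k in text.lower() for k in BODY_KEYWORDS):
        reasons.append("body keyword")
    if domain in FREE_WEBMAIL:
        reasons.append("free webmail sender")
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        # Display name belongs to an executive but the address is not the one on file.
        reasons.append("executive display name with unexpected address")
    failed = failed_auth_results(msg.get("Authentication-Results", ""))
    if failed:
        reasons.append("authentication failure: " + ", ".join(failed))

    # Two or more independent indicators send the message to a human reviewer.
    verdict = "review" if len(reasons) >= 2 else "deliver"
    return {"score": len(reasons), "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_message(sample))
```

Each indicator on its own produces false positives (a real invoice has “PAYMENT” in the subject; a contractor may legitimately write from Gmail), which is why the rule only escalates when several indicators coincide and why the Authentication-Results check, which reflects the automated sender authentication the article recommends, carries the same weight as the content heuristics rather than replacing them.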
For more on the risks of phishing and business email compromise, check out “Lateral phishing: Hackers are taking over business accounts to send malicious emails” and “More than 3B fake emails sent daily as phishing attacks persist” on TechRepublic.