In an age of rapidly expanding technology, where the hacker stays one step ahead of the cybersecurity curve, business email compromise (BEC) remains a low-tech but highly lucrative card in the cyber criminal's deck.
According to an alert issued by the FBI, over the past two years internet swindlers have managed to pilfer $2.3 billion from companies using variations on a low-tech social engineering con called BEC.
FBI special agent Maxwell Marker stated: “BEC is a serious threat on a global scale. It’s a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.”
How does BEC work?
There are several variations of the scam, all seeking the transfer of money or sensitive information to the cyber criminal via legitimate-seeming directives sent from spoofed email.
BEC fraud is generally based on some form of malware intrusion, key-logging program, or phishing scam used to infiltrate and compromise the integrity of company employees' email. Unlike traditional phishing scams, spoofed emails used in BEC schemes are unlikely to be caught by spam filters, as they aren't mass-mailed. The targeted nature of BEC scams is also what makes them viable as social confidence schemes: the criminal network may spend weeks educating themselves on the inner financial workings of the target company, so that when the time comes to orchestrate the fraud, the criminal can draw on their familiarity with operations and even specific personnel to lend credibility to the ruse.
In general, all BEC relies on the social proof paradigm for influencing people. Official-looking scam emails are sent to the customers of a compromised business for the purpose of eliciting payment to the scammer's fraudulent account. One such example, commonly called the "supplier swindle," generally involves impersonating a trusted vendor. Relying on an existing rapport, the criminal is able to get the victim to voluntarily pay fraudulent invoices sent via the spoofed email. The same use of social factors is true of another version of the same scam, called "masquerading" or "CEO fraud." In this version, the email-spoofing swindler poses as a high-level executive requesting a prompt and discreet money transfer for an ostensibly legitimate business reason. A similar act occurred in 2014 when the Ameriforge Group Inc. Director of Accounting was convinced to wire $480,000 to a bank in China by an email scammer impersonating Ameriforge's own CEO. The company is still working out recompense with its insurers.
The object of every BEC scam is not necessarily money. What may turn out to be the largest and most wide-reaching cybersecurity breach in recent history occurred in 2015, when China-based hackers infiltrated the U.S. Office of Personnel Management, accessing the sensitive information of over 21.5 million federal employees who had undergone background checks. The hackers accessed information including Social Security numbers and over 5 million fingerprints. These numbers may increase as the investigation into the multiple sustained breaches, which siphoned off sensitive information over the course of weeks, continues. Investigators suggest the hackers gained access to OPM's local area network by stealing the credentials of an employee of KeyPoint Government Solutions, a contractor used to conduct background checks, and then uploading malware that allowed for the exfiltration of data. The OPM hack may have far-reaching implications, as the personal data of millions of past, present and prospective government employees remains compromised, leaving them open to identity theft or coercion. The OPM hack has already led to the resignations of OPM Director Katherine Archuleta and CIO Donna K. Seymour.
How to avoid becoming a victim?
- Scrutinize all email, particularly messages that appear to come from any C-suite executive.
- Review and confirm any and all transfer of funds requests.
- Be wary of any requests for secrecy and taking quick action.
- Educate and train all employees: when it comes to low-tech social scams like BEC, employees are any company's Achilles' heel.
- Train employees in your company's cybersecurity best practices (ideally, before they discover their family tree includes at least one curiously benevolent Nigerian prince).
- Verify all changes in vendor location and payment methods.
- Confirm transfer requests using two-factor authentication, such as a call to a previously known phone number, not one provided in the questionable email.
- Invest in intrusion detection systems that flag email with suspicious extensions.
- Become familiar with customer habits and note any significant changes.
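As an added example (not from the original article), a small Python triage check that applies several of the items above to a constructed message: it flags a display name that impersonates a known executive, a sender domain one character off the company's own, a Reply-To that routes answers elsewhere, and urgency, secrecy or payment language. The company domain, executive list, keyword lists and sample email are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: the defended organisation's domain and executives.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
SECRECY = re.compile(r"\b(confidential|keep this between us|do not (tell|discuss))\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|bank (account|details))\b", re.I)

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if len(a) < len(b):
        a, b = b, a
    if len(a) - len(b) > 1:
        return False
    for k in range(len(a)):
        if k >= len(b) or a[k] != b[k]:  # substitution if same length, else drop a[k]
            return a[k + 1:] == b[k + 1:] if len(a) == len(b) else a[k + 1:] == b[k:]
    return True

def score_bec(raw: str) -> list:
    """Return the BEC indicators found in one RFC 822 message; [] means nothing flagged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if (real := EXECUTIVES.get(name.strip().lower())) and addr.lower() != real:
        reasons.append(f"display name impersonates executive ({addr})")
    if domain != COMPANY_DOMAIN and within_one_edit(domain, COMPANY_DOMAIN):
        reasons.append(f"lookalike sender domain ({domain})")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append(f"Reply-To routes answers elsewhere ({reply})")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}"
    for label, rx in (("urgency", URGENCY), ("secrecy", SECRECY), ("payment", PAYMENT)):
        if rx.search(text):
            reasons.append(f"{label} language")
    return reasons

# Constructed sample resembling the CEO-fraud pattern described in the article.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-example.net
Subject: Urgent wire transfer

I'm in a meeting and need this handled today. Please wire the funds and keep this between us.
"""
print(score_bec(SAMPLE))  # six indicators for the sample above
```

Such a check complements, rather than replaces, the out-of-band confirmation step above: a clean score only means none of these heuristics fired.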
Victims of a cyberattack can report incidents to law enforcement and to the Internet Crime Complaint Center at www.ic3.gov.