The rise of BEC scams are becoming a major concern for business and governments organizations. Business Email Compromise (BEC), CEO fraud or Man-in-the Middle Attack (MiT) scam is a type of email cyber-crime in which attackers target a business to defraud the company. The goal is to deceive employees into transferring funds to scammers.
To this end, the scammer will pretend to be the CEO, founder, or an important company’s employee. In this type of attack, the criminal’s primary aim is to trick and persuade employees to take a specific action, such as making a wire transfer, providing funds to pay for an allegedly new project or providing confidential information.
The perceived difference in the hierarchy within the organization can make “lower-ranking employees” quite intimidated to do what they think their “CEO” wants them to do. The message could come in this form:
“Hello Dayo,
Could you take care of something for me ASAP? I’m stuck in an important meeting in the HQ and I need someone to take care of an urgent pending invoice from one of our shipping companies. I’m sending over the details. Please handle it today before the bank closes, otherwise the product’s release will be delayed. I can’t call, so an email confirmation will do.”
Kind regards,
Frank
Perhaps an employee with a security mind-set can comprehend the authencity of this email a little smartly. The email comes with two vital items, “I’m in an important meeting in the HQ, and I can’t call.’
However, for the employee to honour the said boss request, he/she initiate the transaction and will later find out the fund was transferred to a cybercriminal.
According to a cyber-security firm Barracuda, 77% of these attacks target employees outside of financial or executive roles.
FBI account to losses due to BEC attacks totalled almost $1.8 billion in 2019. BEC represent almost half of all the financial damage caused by cyber-attacks in 2019. The total loss is estimated at $3.5 billion.
To carry out these kinds of attacks, hackers compromise email accounts or create new accounts almost identical to legitimate ones. Then attackers impersonate the owners of the email accounts and send messages to the victims.
Criminals often impersonate high-level directors or executives, such as CEO and CFO, and when the bond of trust is established through the exchange of emails, the scammer asks the target to share confidential information, transfer money to a fraudulent bank account, or click on a malicious file that contains ransom ware or other kinds of malicious code for backdoor access.
Read also: How to protect yourself from PoS scam
Public service announcement published by the FBI, April 2020, confirmed that Cybercriminals conduct Business Email Compromise through exploitation of cloud-based email services, costing US Businesses more than $2 Billion.
These attacks is mostly carried out by transnational criminal organizations that employ lawyers, linguist, hackers and social engineers, and often take a variety of forms. In most cases, scammers will focus their efforts on the employees with access to company finances, and attempt to trick them into performing wire transfers to bank accounts thought to be trusted, when in reality the money ends up in accounts owned by criminals.
Remote staff working from home are usually the most vulnerable as they are outside the direct regulation of IT security teams and often struggle to deal with cyber threats and appropriately handle company’s information.
The report from Agari’s Cyber Intelligence Division (ACID), found that these attacks cost businesses a staggering $26 billion every year, and this is accelerating yearly. Let me also give about five case studies of this kind of attacks to give you a dynamic insight. In 2019 and 2020 the government of Puerto Rico fell victim to BEC attacks that attempted to steal more than $4 million.
Hackers compromised email accounts and sent messages to government officials in different sectors requesting changes to payment accounts. Again In 2019, the Indian headquarters of Maire Tecnimont, an Italian energy and engineering company, received a malicious email from an account that appeared to be from the organization’s CEO. The email requested a wire transfer for an acquisition in China.
The loss of the BEC scam is estimated at $18 million. Also, in 2019, Japan’s Toyota Boshoku Corporation, a supplier of auto parts, was victim of $37 million BEC scam. Hackers tricked and persuaded an executive in a company’s financial department to make a wire transfer. The most recent BEC scam carried out by Ramon Abbas popularly known as Hushpuppy can equally be described as BEC Scam.
He was arrested by the Federal bureau of Intelligent (FBI) for conspiracy to launder money obtained from business email compromise (BEC) frauds and other scams, including schemes that defrauded a US law firm of about $40 million, illegally transferred $14.7 million from a foreign financial institution, and targeted to steal $124 million from an English football club until his arrest and his extradition to the United States.
The entire above example discussed above ultimately describe the artifices of a BEC scam. The center of gravity of these attacks is email address cloning, and increasing reliance on email and online messaging communication without verification.
Ways to protect against Business Email Compromise Scam:
There are many ways to defend against BEC scam but in this context, I am going to be offering few techniques that can be employed. Intrusion Detection Rules, this will flag emails with extensions that are similar to company email.
For instance, legitimate email of [email protected] would flag fraudulent email of [email protected]. Setting email rules will as well flag communications where the “reply” email address is different “from” email address shown. Color coding is also another virtual correspondence so that email from employee/internal accounts is one color and emails from non-employee/external accounts are another.
Payment verification also ensures security by requiring additional two factor authentication. Funds transfer should also come with a confirmation request with something like phone call verification as a part of a two factor authentication scheme. Also, confirmations may require that company directory numbers are used, as opposed to numbers provided in an email. Carefully scrutinize all emails requests for transfer of funds to determine if the requests are of the ordinary.
Since human error plays such a vast role in cyber breaches, addressing it is key to reducing business chances of being successfully targeted. It also allows you to protect your business from a far wider range of threats than any single technical solution could – and can potentially empower your workforce to actively look out for and report new threats they may encounter.
Mitigation of human error must be key to cyber business security as organization’s security is essential, and a compromised email system can seriously damage legitimate business interests. Safeguarding a company’s finances and privacy with these little tips will not only empower employees but also ensure business longevity.
Ibenu, a researcher and assistant professor of Computer Science; Security at Escae-Benin University of Technology, writes from Lagos, Nigeria.
