Care for Some BEC in Your Security Acronym Soup du Jour?
Earlier this year, the Internet Crime Complaint Center (IC3) and the FBI issued a public service announcement warning of a “sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.” Formerly known as the man-in-the-email (MitE) scam, the business email compromise (BEC) is a global wire transfer scam with a goal of compromising legitimate business email accounts to perform unauthorized wire transfers. (I prefer the acronym MitE. Many species of mite are parasitic, which means they benefit at the expense of their host. See the similarities? But I digress.)
$215 Million in Losses and Counting
The IC3 reported that, from Oct. 1, 2013 to Dec. 1, 2014, BEC scams claimed over 2,000 individual victims and generated losses of nearly $215 million. Recently, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and federal law enforcement agencies released a fraud alert reporting that they continue to observe an increase in BEC scams. This means that the number of victims and the amount of monetary losses have surely been climbing since the data was last reported.
Here’s what you need to know about this particular wire transfer scam:
- It’s a global scam, with 45 countries and every U.S. state targeted.
- Wired funds have reportedly been sent primarily to Asian banks located in China and Hong Kong.
- Email accounts are generally compromised through social engineering or malware.
- Compromise of the CEO’s or CFO’s email account is most common, although incidents where a vendor’s or supplier’s email has been compromised have also been reported.
- Individuals responsible for handling wire transfers are then targeted using the compromised email account.
- Spoofed emails may coincide with an executive’s business travel dates, making it more difficult to determine that the request is fraudulent.
- Fraudulent email requests for a wire transfer appear legitimate because they are well-written, specific to the targeted business and often request a business-specific amount.
Common Themes: (Really) Sophisticated Social Engineering and Wire Transfers
According to Karl Marx, we are “gregarious creatures” and need social cooperation and association to meet our needs. Perhaps, though, we can learn to socially cooperate just a little less with attackers. Easier said than done, of course. With each social engineering tactic seemingly more sophisticated than the last, someone needs to come up with a word that surpasses the intensity of “sophisticated.” (If I see the phrase “sophisticated attack” one more time…)
Take the Dyre Wolf campaign as an example of sophistication at its finest. Spear phishing, two-stage malware execution and advanced social engineering resulted in wire transfers totaling upwards of $1.5 million. The icing on the cake of this cutting-edge attack? A distributed denial-of-service (DDoS) attack after the theft to distract investigation of the wire transfer — brilliant! All the more reason organizations need to ensure they have a defense-in-depth strategy in place.
Protect Against a Wire Transfer Scam
To handle BEC scams, the FS-ISAC fraud alert provides a great checklist of what to do when receiving or handling wire transfer requests by email. The list indicates that “effective payment risk mitigation processes” are key against the risk from BEC scams. Much of the checklist calls for additional verification that the wire transfer is authentic. This might include calling to verbally confirm the request (not via a number provided in the received email) or requiring dual approval if the request meets certain criteria, such as a dollar amount exceeding a specific threshold. The IC3 PSA also provides good recommendations around protection against fraudulent wire transfers, including being wary of sudden changes in business practices, like the use of a personal email address versus a business email.
Practical Counter-BEC Advice
BEC scams are crafted to be sophisticated. They are not a broad-stroke attack but a carefully planned, targeted crime, tailored to one organization and often to one person in it. Some recommendations from our experts for avoiding this type of wire transfer scam include:
- Ask your IT department to configure email to reveal the full address of the sender and recipients in the thread. In many cases, this will help you spot suspicious addresses or unusual use of personal accounts by one of your executives.
- If your company does not normally handle wire transfers on the strength of an email request, treat any such request as a red flag: contact the purported sender (your CEO or CFO) directly and verify the details with them in person or over the phone.
- If the executive in question is away traveling, and especially if the transfer is directed to an account you have never done business with before, do not execute the transfer until you get a clear response from the supposed issuer by phone, using a number you already have on file rather than one supplied in the email.
- Secrecy is part of the scam: the attacker will ask you to keep the request confidential. Do the opposite. Report the matter to the CEO and the CFO or the accounting department, all of whom will have to know about it either way.
- If you suspect you have been scammed by BEC emails, report the matter to law enforcement immediately. You may reach out to the FBI or the Secret Service, or file a complaint with the IC3.
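The first recommendation above (showing the full sender and reply addresses rather than just a display name) can also be automated at the mail gateway or in a simple triage script. The following is an added example written for this page, not code from the article or from IBM; the two messages, the corporate domain, the executive directory and the keyword list are all constructed for illustration. It parses the headers, flags a display name that matches an executive while the address does not, a free-mail or foreign sender domain, a Reply-To that diverges from From, and the urgency and secrecy language typical of a BEC request.

```python
import email
from email.utils import parseaddr

# Constructed sample: a BEC-style message. The display name impersonates the CEO,
# but the real sender is a free-mail account and Reply-To points somewhere else.
SAMPLE_BEC = """From: "Jane Doe, CEO" <jane.doe.ceo@gmail.com>
Reply-To: j.doe.exec@outlook.com
To: Accounts Payable <ap@example.com>
Subject: Urgent wire - confidential
Date: Mon, 01 Jun 2015 08:12:00 -0400

I'm traveling and can't take calls. Please wire $48,500 to the new vendor
account below today and keep this between us.
"""

# Constructed sample of an ordinary internal message for comparison.
SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
To: Accounts Payable <ap@example.com>
Subject: Q2 vendor review
Date: Mon, 01 Jun 2015 09:00:00 -0400

Please send me the vendor list for Q2.
"""

# Hypothetical organization data (assumptions for this example).
CORPORATE_DOMAIN = "example.com"
EXEC_DIRECTORY = {"jane doe": "jane.doe@example.com"}  # display name -> real address
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
URGENCY_WORDS = ("urgent", "confidential", "keep this between us",
                 "can't take calls", "wire")


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.lower()

    # 1. Sender is outside the company, or on a consumer mail service.
    if from_dom and from_dom != CORPORATE_DOMAIN:
        findings.append(f"sender domain {from_dom} is not {CORPORATE_DOMAIN}")
    if from_dom in FREEMAIL_DOMAINS:
        findings.append("sender uses a free-mail domain")

    # 2. Display name impersonates an executive whose real address differs.
    name_key = from_name.lower()
    for exec_name, exec_addr in EXEC_DIRECTORY.items():
        if exec_name in name_key and from_addr != exec_addr:
            findings.append(
                f"display name matches {exec_name} but address is {from_addr}")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_addr and reply_addr != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. Pressure and secrecy language (only for single-part text bodies here).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/secrecy language: " + ", ".join(hits))

    return findings


def is_suspicious(raw):
    """True when any BEC indicator fires; such requests need out-of-band verification."""
    return bool(analyze(raw))


if __name__ == "__main__":
    for label, sample in (("BEC sample", SAMPLE_BEC), ("OK sample", SAMPLE_OK)):
        print(label, "->", "SUSPICIOUS" if is_suspicious(sample) else "no findings")
        for f in analyze(sample):
            print("  -", f)
```

None of these checks proves fraud on its own; a genuine executive may well mail from a phone on a personal account while traveling. The point is that any finding should route the request into the out-of-band verification and dual-approval steps described above rather than straight to payment.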
Manager, X-Force Strategic Threat Analysis, IBM