July 1, 2015 By Michelle Alvarez 3 min read

Care for Some BEC in Your Security Acronym Soup du Jour?

Earlier this year, the Internet Crime Complaint Center (IC3) and the FBI issued a public service announcement warning of a “sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.” Formerly known as the man-in-the-email (MitE) scam, the business email compromise (BEC) is a global wire transfer scam with a goal of compromising legitimate business email accounts to perform unauthorized wire transfers. (I prefer the acronym MitE. Many species of mite are parasitic, which means they benefit at the expense of their host. See the similarities? But I digress.)

$215 Million in Losses and Counting

The IC3 reported that, from Oct. 1, 2013 to Dec. 1, 2014, BEC scams claimed over 2,000 individual victims and generated losses of nearly $215 million. Recently, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and federal law enforcement agencies released a fraud alert reporting that they continue to observe an increase in BEC scams. This means that the number of victims and the amount of monetary losses have surely been climbing since the data was last reported.

Here’s what you need to know about this particular wire transfer scam:

  • It’s a global scam, with 45 countries and every U.S. state targeted.
  • Wired funds have reportedly been sent primarily to Asian banks located in China and Hong Kong.
  • Email accounts are generally compromised through social engineering or malware.
  • Compromise of the CEO’s or CFO’s email account is most common, although incidents where a vendor’s or supplier’s email has been compromised have also been reported.
  • Individuals responsible for handling wire transfers are then targeted using the compromised email account.
  • Spoofed emails may coincide with an executive’s business travel dates, making it more difficult to determine that the request is fraudulent.
  • Fraudulent email requests for a wire transfer appear legitimate because they are well-written, specific to the targeted business and often request a business-specific amount.

Common Themes: (Really) Sophisticated Social Engineering and Wire Transfers

According to Karl Marx, we are “gregarious creatures” and need social cooperation and association to meet our needs. Perhaps, though, we can learn to socially cooperate just a little less with attackers. Easier said than done, of course. With each social engineering tactic seemingly more sophisticated than the last, someone needs to come up with a word that surpasses the intensity of “sophisticated.” (If I see the phrase “sophisticated attack” one more time…)

Take the Dyre Wolf campaign as an example of sophistication at its finest. Spear phishing, two-stage malware execution and advanced social engineering resulted in wire transfers totaling upwards of $1.5 million. The icing on the cake of this cutting-edge attack? A distributed denial-of-service (DDoS) attack after the theft to distract investigation of the wire transfer — brilliant! All the more reason organizations need to ensure they have a defense-in-depth strategy in place.

Protect Against a Wire Transfer Scam

To handle BEC scams, the FS-ISAC fraud alert provides a great checklist of what to do when receiving or handling wire transfer requests by email. The list indicates that “effective payment risk mitigation processes” are key against the risk from BEC scams. Much of the checklist calls for additional verification that the wire transfer is authentic. This might include calling to verbally confirm the request (not via a number provided in the received email) or requiring dual approval if the request meets certain criteria, such as a dollar amount exceeding a specific threshold. The IC3 PSA also provides good recommendations around protection against fraudulent wire transfers, including being wary of sudden changes in business practices, like the use of a personal email address versus a business email.

Practical Counter-BEC Advice

BEC scams are crafted with care. They are not a broad-stroke attack, but rather a meticulously planned crime. Some recommendations from our experts for avoiding this type of wire transfer scam include:

  • Ask your IT department to configure email to reveal the full address of the sender and recipients in the thread. In many cases, this will help you spot suspicious addresses or unusual use of personal accounts by one of your executives.
  • If your company never handles transfers based on email and such a request arrives anyway, immediately contact the sender (your CEO or CFO) and verify the details with them in person or over the phone.
  • If the executive in question is away traveling, and especially if the transfer is directed to an account you’ve never done business with before, do not execute the transfer until you get a clear response from the supposed issuer via phone.
  • Scammers will want you to keep this under wraps. It’s part of their tactics. Report the matter to the CEO and the CFO or the accounting department, all of whom will have to know about this either way.
  • If you suspect you have been scammed by BEC emails, report the matter to law enforcement immediately. You may reach out to the FBI or the Secret Service, or file a complaint with the IC3.
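The FS-ISAC checklist above (out-of-band callback, dual approval above a threshold) and the recommendations just listed (full sender address, personal-mailbox use, secrecy pressure, new beneficiaries) can be turned into a first-pass triage that accounts-payable staff run before anyone touches a wire. The following script is an added example and is not code from IBM, FS-ISAC or the IC3; the corporate domain, directory entries, vendor list, threshold and both sample messages are constructed, and the pressure-term list is a simple assumption rather than a vetted wordlist. Note that the callback number always comes from the internal directory, never from the email.

```python
"""Triage an emailed wire-transfer request against a BEC checklist (added example)."""
import email
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                 # constructed
DUAL_APPROVAL_THRESHOLD = 25_000.0               # dollars; constructed policy value
KNOWN_BENEFICIARIES = {"ACME Supplies Ltd"}      # constructed vendor master list
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Internal directory used for callbacks; contact details inside the email are ignored.
DIRECTORY = {
    "Jane Doe": {"email": "jane.doe@example.com", "phone": "+1-555-0100"},  # constructed
}
PRESSURE_TERMS = ("urgent", "confidential", "do not discuss", "can't take calls")  # assumption

AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")
BENEFICIARY_RE = re.compile(r"^beneficiary:\s*(.+)$", re.IGNORECASE | re.MULTILINE)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_wire_request(raw_message: str) -> dict:
    """Return the red flags and the handling decision for one emailed wire request."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    payload = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + payload.decode("utf-8", "replace")

    findings = []
    from_domain = _domain(from_addr)
    entry = DIRECTORY.get(display_name)

    # 1. Full sender address vs. the name shown: the classic display-name spoof.
    if entry and from_addr.lower() != entry["email"]:
        findings.append(f"display name '{display_name}' but address {from_addr} "
                        f"differs from directory entry {entry['email']}")
    # 2. Sudden use of a personal mailbox instead of a business account.
    if from_domain in PERSONAL_DOMAINS:
        findings.append(f"sender uses personal mailbox domain {from_domain}")
    # 3. Reply-To steering replies somewhere other than the visible sender.
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} routes replies to a different domain")
    # 4. Beneficiary with no payment history.
    m = BENEFICIARY_RE.search(text)
    beneficiary = m.group(1).strip() if m else None
    if beneficiary and beneficiary not in KNOWN_BENEFICIARIES:
        findings.append(f"beneficiary '{beneficiary}' has no payment history")
    # 5. Secrecy or urgency pressure in subject or body.
    lowered = text.lower()
    hits = [t for t in PRESSURE_TERMS if t in lowered]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    m = AMOUNT_RE.search(text)
    amount = float(m.group(1).replace(",", "")) if m else None
    dual = amount is not None and amount >= DUAL_APPROVAL_THRESHOLD

    return {
        "amount": amount,
        "beneficiary": beneficiary,
        "findings": findings,
        "dual_approval_required": dual,
        # Every emailed wire request is confirmed by phone, directory number only.
        "callback_phone": entry["phone"] if entry else None,
        "decision": "HOLD" if findings else "VERIFY_BY_PHONE",
    }


# Constructed sample messages (not real traffic).
SAMPLE_SCAM = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jd.travel@example-corp.net>
To: accounts.payable@example.com
Subject: Urgent wire today

I'm travelling and can't take calls. Please wire $48,500.00 today.
Beneficiary: Harbor Trading Co
Keep this confidential until I'm back.
Jane
"""

SAMPLE_ROUTINE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: ACME invoice

Please pay $4,000.00 against invoice 1187.
Beneficiary: ACME Supplies Ltd
Thanks, Jane
"""

if __name__ == "__main__":
    for name, sample in (("scam", SAMPLE_SCAM), ("routine", SAMPLE_ROUTINE)):
        print(name, triage_wire_request(sample))
```

Even the routine message ends in VERIFY_BY_PHONE rather than approval: the point of the checklist is that no emailed wire request is executed on the strength of the email alone, and the red-flag rules only decide how loudly to escalate.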
