More than 30,700 organizations were targeted in the first quarter of 2020 with Business Email Compromise attacks. 

Business Email Compromise (BEC) 

Maybe you’ve heard the term CEO Fraud. This is a scam where cybercriminals pretend to be a CEO or other senior executive from your organization. The criminals send an email to staff members to try and trick them into doing something they should not do. 

These types of attacks are extremely effective because cybercriminals do their research. They search your organization’s website for information, such as where it is located, who your executives are, and other organizations you work with.

The cybercriminals then learn everything they can about your coworkers on sites like LinkedIn, Facebook, or Twitter. Once they know your organization’s structure, they begin to research and target specific employees. If the cybercriminals want money, they may target staff in the accounts payable department. If they are looking for tax information, they may target human resources. If they want access to database servers, they could target someone in IT. 

The FBI calls this type of scam "Business Email Compromise" and defines BEC as “a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” 

AARP reported that BEC attacks targeted more than 30,700 organizations in the first quarter of 2020, according to security company Symantec.

CEO, Byron Martin discussing Business Email Compromise and Wire Fraud

Attack Methods for Business Email Compromise (BEC) or CEO Fraud

Once they determine what they want and whom they will target, they begin crafting their Business Email Compromise attack. This is how the bad guys do it: 

1. Phishing

Phishing emails are often sent to a large number of users at once in an attempt to “fish” sensitive information by posing as reputable sources. Their goal is to trick users into doing something such as opening an infected attachment or visiting a malicious website.

These posers use legitimate-looking logos from banks, credit card providers, delivery firms, law enforcement, and the IRS to name a few of the common ones.

2. Spear Phishing

Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a very small, select number of people. These spear-phishing emails are extremely realistic looking and hard to detect. They often appear to come from someone you know or work with, such as a fellow employee or perhaps even your boss.

The emails may use the same jargon your coworkers use; they may use your organization’s logo or even the official signature of an executive. These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone. The cyber criminal’s goal is to rush you into making a mistake.

3. Whaling

The targets are the top-level executives and administrators, typically to intercept a wire transfer or steal confidential data. Personalization and detailed knowledge of the executive and the business are the trademarks of this cyber fraud.

4. Social Engineering

Social Engineering is the use of psychological manipulation to trick people into revealing confidential information or providing access to finances. Again, using social media sites such as LinkedIn, Facebook and other venues to provide details about organizational personnel. This can include their contact information, titles, connections, friends, and more.

Image courtesy of KnowBe4 

Attack Scenarios for Business Email Compromise

Wire Transfer:

Most often, a cybercriminal is after money. Typically, hackers target businesses that process a lot of wire transfers, with the goal of using social engineering to send money to the attacker or using malware to gain access to computers used by financial decision-makers to then wire themselves money.

Or the cybercriminal researches and learns who works in accounts payable. They create a lookalike domain impersonating the corporation, and craft and send an email pretending to be the targets’ boss; the email tells them there is an emergency and money must be transferred right away to a certain account.

Another scenario involves taking over an employee’s email account, usually in the billing/finance department, and sending invoices out to company suppliers, redirecting money to a bogus account.

Tax Fraud and Identity Theft:

Cyber criminals want to steal information about your employees so they can impersonate records for tax fraud and other forms of identity theft. They research your organization and determine who handles employee information, usually someone in human resources. From there, the cybercriminals send fake emails pretending to be a senior executive or someone from legal, demanding certain documents be provided immediately.

According to the June 10, 2020 AARP report:

“The bogus executive emails someone in the payroll or human resources office seeking a list of employees and copies of their W-2 forms. That potentially puts a wealth of workers’ personal and financial information — Social Security numbers, home addresses, wages, and tax withholding — into scammers’ hands, setting the stage for large-scale tax ID fraud and other forms of identity theft.”

We’ve seen these scenarios increase dramatically with the recent COVID-19 pandemic. The FBI “has seen a spike in fraudulent unemployment insurance claims complaints related to the ongoing COVID-19 pandemic involving the use of stolen personally identifiable information (PII).”

So what can you do to protect yourself and your organization?

If you receive a message from your boss or a colleague and it does not sound or feel right, it may be an attack. Clues can include a sense of urgency, a signature that does not seem right, or a spoofed email domain.

Additionally:

• Enable multi-factor authentication (MFA) for all email accounts.

• Verify all payment changes and transactions in person or through a known telephone number.

• Educate employees about Business Email Compromise scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.

Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:

• Tri-Cities, Washington 509.396.6640
• Yakima, Washington 509.396.6640
• Bend, Oregon 541.848.6072

Questions about your IT or Cybersecurity? Give us a call today!