Brisbane Council Loses 450K AUD to BEC Scam

The local council of the Australian city of Brisbane was targeted by scammers through fake invoices over the past month. According to reports, the scammers phoned and emailed the council posing as one of its suppliers, and were able to steal A$450,000. Councilor Graham Quirk said a total of nine payments have been made to scammers since July. He has then commissioned Deloitte to review how the scam took place; however, it would take about a month to carry out the investigation.    

It appears that the Brisbane Council was hit by a Business Email Compromise (BEC) scam, a scheme that targets businesses working with foreign suppliers and businesses that regularly perform wire transfer payments. Similar to what happened to the Brisbane Council, these schemes are usually done by impersonating company officers and employees, and use these accounts to request fund transfers from those who have access to the organization's finances.

It doesn’t always take advanced malware to disrupt a business operation. In 2015, Trend Micro closely monitored the operations of two Nigerian cybercriminals who attacked businesses from developing countries by stealing information and intercepting business transactions. The operation was done through a simple backdoor called HawkEye. Similar to the Brisbane Council scam, the cybercriminals behind the HawkEye campaign targeted publicly available addresses and posed as vendors or potential customers, and emailed their targets.

According to the FBI, BEC schemes have caused at least $3.1 billion in total losses to approximately 22,000 enterprises around the world over the past two years. In March 2016, a wave of businesses and corporations has fallen for the BEC scam. Companies like Seagate, Snapchat, and Sprouts Farmer’s Market were among the businesses that were victimized by email scams that used the same modus. By the end of the same month, Pivotal Software, a San Francisco-based software and services company, was breached via a phishing scheme that leaked a number of employee tax information. Not long after this string of incidents, similar schemes were used to aim for personal information from the education sector, affecting 3,000 employees of Virginia-based Tidewater Community College.

[READ: Billion-Dollar Scams: The Numbers behind Business Email Compromise]

What do scammers do with the stolen information? Scams that involve the theft of sensitive information via phishing emails or calls have proven to be a valuable underground commodity as the stolen data could be sold in underground markets and also be used to stage future attacks. As seen in previous incidents, BEC schemes have proven to be effective way of tricking unknowing users into sending money and data. The Trend Micro’s Midyear Security Roundup Report highlights the geographic spread in BEC scams and its prevalence in over 90 countries.

Defending Against BEC Scams

Businesses are advised to stay vigilant and educate employees on how to prevent being victimized by BEC scams and other similar attacks. Cybercriminals do not care about a company’s size—the more victims, the better. Additionally, these schemes do not require advanced technical skills, instead relying on tools and services widely available in the cybercriminal underground. In fact, it only takes a single entry point to steal from a business. As such, here are some tips on how to stay protected:

• Scrutinize all emails. Be wary of irregular emails sent by C-suite executives, as they are used to trick employees into acting with urgency. Review and verify emails that request transfer of funds.
• Educate and train employees. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security.
• Verify changes in vendor payment information by using a secondary sign-off by company personnel.
• Confirm fund transfer requests by using phone verification as part of two-factor authentication.
• If you suspect that you have been targeted by a BEC scam, report the incident immediately to law enforcement or file a complaint with the IC3.

For more on protecting your organization from BEC schemes, read Battling Business Email Compromise Fraud: How Do You Start?