What will you do if an executive in your company gives you instructions to wire money for a business expense? On email?
In a world where cybercriminals devise devious social engineering and computer intrusion schemes to fool employees into wiring money, enterprises run a very serious risk of getting scammed via email. This emerging global threat is known as the business email compromise (BEC) and it has already victimized 8,179 companies in 79 countries between October 2013 and August 2015 alone.
BEC scams generate considerable income for cybercriminals. Multiple warnings were issued by the FBI as to these types of emails in the past year alone. The FBI notes the targets to be companies working with foreign suppliers and/or those that regularly perform wire transfer payments. By February last year, the total number of reported victims had reached 2,126 and the money lost amounted to roughly US$ 215 million. Come August, the victim numbers have ballooned to 8,179, the money lost added to nearly US$ 800 million.
How can you protect your company from becoming a part of this statistic?
Know the Basics
In May 2014, an accountant to a Texas manufacturing firm received an email from a familiar correspondent, his company’s CEO. The email instructed him to wait for a call from a partner company and warned against sharing the email to anyone else for fear of regulation backlash. The company ended up losing US$ 480,000 to wire fraudsters.
This version of the scam is only one out of three known versions of BEC: the “bogus invoice” or “supplier swindle” scheme, the “CEO/ business executive fraud,” and the abuse of hacked accounts to request invoice payments sent to cybercriminals’ bank accounts.
From what we know, BEC scammers often look for company emails available online. It’s not just marketers or business clients who crawl the Web to find that “info,” ”admin,” or “sales” address or guess at a company executive’s address anymore. Billions of publicly available email addresses crawling on the Internet as well as employee information publicly posted on social media and company sites make it easy for BEC scammers to find targets that are easy to spoof.
Familiarize with Past Scams
In 2014, cybercriminals used the Email Spider tool to hunt down email addresses commonly listed on corporate websites. They used specific keywords to find potential targets to whom they sent socially engineered emails disguised as business transactions with critical attachments. Only, the attachments were actually keyloggers made to steal system information, keystrokes, as well as browser-cached information like passwords and usernames.
The screenshot below displays the “bogus invoice” or “supplier swindle” version of BEC scams used by operators of Predator Pain and Limitless:
Figure 1. Sample emails from Predator Pain and Limitless operators
However, not all BEC-related social engineering immediately downloads malware attachments. Looking into the modus operandi of two Nigerian cybercriminals who used the off-the-shelf malware, HawkEye, we noticedced an emerging trend: the long con.
Cybercriminals sent simple inquiries and exchanged a few email messages with their targets. Once the target assumes that they are working on a business transaction, the cybercriminals then sent an email to plant keyloggers on the target’s machine.
Figure 2. Sample email used by operators of HawkEye to first establish legitimacy before sending malware
BEC threats are business opportunities for cybercriminals, after all. Using the long con is simply a means to complete a heinous cyberspying project. With wallet-rich organizations as targets, email addresses readily available online, mining tools like Email Spider, and spyware like HawkEye, cybercriminals are equipped to deliver BEC threats to businesses of all sizes.
Gear Up Against BEC Threats
Decision makers should consider adding a two-step verification process when it comes to moving company finances or resources, such as alternative communication channels or digital signatures. You should also constantly update employees with any additional emerging schemes discovered by security researchers and or government agencies.
All employees (not just IT managers) need to be familiar with the schemes used to deliver BEC threats. Stay secure by following healthy email habits like carefully scrutinizing all emails, double-checking with a point-of-contact via other channels before sending invoice payments, and immediately deleting spammed messages. The FBI also recommended using the "Forward" function instead of "Reply" so you can type the email address of your contact and ensure that the correct address is being used.
IT managers can install email security solutions to block known BEC-related malware before they come in. The InterScan Messaging Security Virtual Appliance with enhanced social engineering attack protection provides protection against socially-engineered emails used in BEC attacks. Also, the Deep Discovery Analyzer found in the Trend Micro Custom Defense family of solutions help detect advanced malware and other threats that come in using email. Enhanced security, along with a strengthened sense of mischief when it comes to dealing with emails, can help stop and detect cybercriminal attacks that use BEC threat.