It should not come as a surprise that company executives (particularly the CEO and President) and other revered high-level employees get to be impersonated often for criminal reasons. How can you say no when it’s the CEO asking? How can you not comply when it’s already the President specifically requesting? Gone are the days of the telltale signs of an email scam: glaring grammatical errors and outlandish stories about lottery winnings or royalty riches. Today, Business Email Compromise (BEC) scammers use this regard of authority to target internal employees who may deal with and handle the finance of the company: the Chief Financial Officers (CFOs).
Business Email Compromise (BEC) campaigns can be considered as one of the most dangerous threats that businesses of any size today are at risk of becoming a victim of. Not only does it not rely on detectable malicious components for its success—instead relying on pure deception and social engineering—it targets entities in the company that are responsible for the financial welfare of said company and those vulnerable to such underhanded tactics (such as executives, HR personnel, personal assistants, etc). It is a threat that can (and has already had) rob businesses blind.
In our continued efforts to study and understand BECs—an effort that also included looking into the BEC incidents of the past couple of years—we discovered some underlying patterns that organizations may find interesting. Some of them include:
- 40% of BECs in the past two years have targeted CFOs more than any other company position;
- 31% of BECs used the position of CEO to set up the scam;
- Some of the most commonly used email subjects for BEC mails include the words ‘Transfer’, ‘Request’, and ‘Urgent’.
Wire frauds: Pick your poison
Apart from the now-infamous assuming of an executive’s identity or “CEO Fraud”, wire frauds can be deployed in a variety of ways—and at a cheap price, too. Malware used in BEC schemes can be purchased online for US$50, while some may even come for free. In other cases, the scam may go further than email spoofing. The cybercriminal can turn to hacking the legitimate email account to ask for wire transfers involving fraudulent accounts on the other end. Through phishing or keylogger, cybercriminals can steal credentials that would allow them to send transfer wire requests. Some may even take the air of legitimacy a notch higher via a quick phone call to seal the deal. Businesses dealing with foreign suppliers are also ripe targets for payment modification—that is, changing where the payment should be directed to.
Employees call the shots at the end of the day
The aforementioned findings and tactics may not be news to some; but in the grand scheme of BECs (and they CAN get grand—with an estimated total of US$2.3 Billion worth of BEC-incurred damages from 2013-2015 alone), they help immensely in letting us know how to better defend against them.
Because of the duplicitous and insidious nature of BECs, simple best practices or security solutions are not enough to effectively defend against them. BEC scams highlight how employees are the primary and final line of defense when it comes down to protecting an organization’s valued assets. Security awareness and solutions that can go beyond the traditional email threats create the barrier between company response and a thousand dollar wire transfer.
Trend Micro is able to provide protection for both enterprises and small to medium sized businesses against BEC-related emails through our Social Engineering Attack Protection technology. Integrated with our InterScan Messaging Security and Hosted Email Security, this technology provides an additional layer of protection through inspection of email headers, social engineering tactics, and forged behaviors and the detection of BEC-related malware. These solutions are provided through the endpoint and email security capabilities of the Trend Micro Smart Protection Suites and Network Defense solutions.
Check out more of our BEC findings in Billion-Dollar Scams: The Numbers Behind Business Email Compromise to have a comprehensive look into the workings of a BEC scam, top targeted countries and company positions, and how you can defend against a potentially significant loss.
Thanks to Marshall Chen, Luby Lien, Grant Chen, and Loseway Lu for information that helped in the creation of this post.