Business Email Compromise, A Cybersecurity Crime Challenge for Small and Medium Businesses

Business Email Compromise (BEC) has become a very series cybercrime in the past several years where billions of dollars were lost by various businesses.  In additional to direct financial loss to the hackers, a company’s overall loss may be much greater. For example, a company’s reputation may suffer from a data breach and they may lose customers as result of a BEC event.  Also, instead of focusing on their core business, the aftermath of a BEC attack would be expensive and a distraction between business executives, law enforcement, and other victims.

A typical BEC attack would be launched by email.  The emails are either spoofed or compromised by the attackers.  For example, an attacker may pretend to be a vendor by requesting invoice or transaction payments such as real estate services.  We also often see the fake executive requesting his/her finance department to execute a wire transfer to a third party. With our recent COVID-19 challenges and more working-from-home employees, we will see more companies and organizations become less centralized and less in-person interaction between staff. This will provide some additional opportunities for the BEC attackers to trick more people.

On April 6, 2020, Federal Bureau of Investigation (FBI) issued a warning anticipating a rise in BEC schemes related to the COVID-19 Pandemic. “Fraudsters will take advantage of any opportunity to steal your money, personal information, or both.  Right now, they are using the uncertainty surrounding the COVID-19 pandemic to further their efforts.”   According to FBI, there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment in the fight against COVID-19. Also, most of the recent BEC attacks were targeted at the financial institutions or banks.

Cybersecurity vendors are helping to develop various tools to scan and filter malicious and phishing (spoofed) emails by using all the latest technologies such as big data and machine learning. For example, the threat response teams from Trend Micro are using cloud email reputation services and machine learning to capture the company executive’s writing style to help prevent BEC as part of its overall business cybersecurity software suite.

Although cybersecurity tools are getting better and lots of potential fake or spoofed emails can be filtered, we can’t ignore the human and social engineering approaches which attackers will leverage. In BEC, we often see fake emails that will appear to be sent by a close friend or business associate. For example, a company CFO will get a fake email from his/her CEO to request a wire money transfer. This is what we refer to as “spear phishing”.

To carry out BEC attacks, hackers often utilize an organized team with various roles and responsibilities that include:

1. Assessing to identify potential targets by using various searches in social media and on Internet sites
2. Creating a target list and send out phishing or spear phishing emails
3. Responding if the victim responds, engaging directly with some small exchanges to secure the fraud
4. Requesting financial transition by sending the money to a third party (“mules”)
5. Closing and repeating the same scam if possible

Don’t underestimate their capabilities as they are professionals.  Before hacker teams launch their fake emails, the first step is for them to identify and study a potential prospect. They often use popular social media sites such as LinkedIn and Facebook and a people search site such as PIPL. As for identifying business owners or executives, attackers can easily find their personal information just through Google searches or on the company website.

Here are some preventive measures which we recommend:

1. Avoid posting any personal identifiable information (PII) on Internet. For example, your birthday, Social Security or driver’s license number.
2. Lessen the posting of any internal company or communities’ social activities to the public by restricting it to company internal or special interest groups such as your friends on Facebook only
3. If you are not technically savvy, always leverage your IT person to check email headers if in doubt.
4. Have a strong company policy and process. For example, companies may insert certain processes to avoid making payment to a non-authorized third party. Please remember, the attackers will always leverage your weakest link. If they can hack into your network by stealing an email account password, they won’t need to run a phishing launch. Instead, they will send out an email from the employee’s original email address.
5. Use cybersecurity tools. It is very important that your organization install good, reputable cybersecurity protection at all levels. For example, at end-point, email, cloud, and at the network.  Your potential exposure and liability will far exceed the investment of the tools which your IT staff setup to prevent BEC and other compromises.

For more free cybersecurity tips for start ups and small businesses, visit our Internet Safety for Small Businesses page.