$6M Lost in Another BEC Scam: Who Is the Weakest Link?

bec-scam-fundSS&C Technology, a Wall Street technology firm that provides investment management software and services was sued by Tillage Commodities Fund, a US investment firm, after losing $6M to a Business Email Compromise (BEC) scam. According to reports, the lawsuit that was filed on September 16 states that the former failed to “exercise even a modicum of care and responsibility in connection with known and obvious cybersecurity threats”—which in turn forced Tillage to temporarily take its operations offline due to the massive loss.

The details of the scam were outlined in a document posted online by the law firm representing Tillage. According to the document, an SS&C employee did not follow established procedure after receiving an email that asked him to wire Tillage funds to the scammers' account. Additionally, Tillage says that SS&C did not follow their own policies—a mistake that enabled the theft and a move that ended up assisting the hackers by carelessly fixing already flawed wire transactions.

Based on the lawsuit, three of the six fraudulent transfer requests referred to wiring money to investors, supposedly implying fund redemption. However, the requests were processed without the required redemption letters. Additionally, the intended recipients were not even Tillage fund investors, and the transfers were made to foreign entities that Tillage had no existing relationship with—details that could have been easily verified, but were somehow missed. Other policy issues, including submission of requirements for the transfer requests, were not followed.

[READ: Security 101: Business Email Compromise Schemes]

The complaint also alleges the Tillage fund has never wired money outside the US and that SS&C has processed multiple legitimate wire requests for the Tillage fund since 2014, which implies a customary understanding of how daily business transactions work.

“The first fraudulent email of March 3, 2016 had directed that funds be wired directly to a company called ‘Hoaran Technologies’ and its account at Hang Seng Bank in Hong Kong”, the lawsuit states. The employee worked with other SS&C employees to amend and further assist the transaction, adding HSBC Hong Kong as the correspondent bank, moving Hang Seng Bank to be named the beneficiary bank. When those amendments were rejected, SS&C employees communicated this failure to the scammers, who then directed the funds to ‘Away Technologies’ via an account at HSBC Bank in Hong Kong.

The Human Factor: Are Employees the Weakest Links?

The Tillage fund appears to have been victimized by a Business Email Compromise (BEC) scheme, a scam that targets businesses that regularly perform wire transfer payments, as well as businesses working with foreign suppliers. BEC scams have caused at least $3.1 billion in total losses to approximately 22,000 enterprises around the world over the past two years, according to the FBI—with numbers rising continuously. In March 2016, a wave of businesses and corporations fell for similar schemes, including Seagate, Snapchat, and Sprouts Farmer’s Market. Not long after this spate of attacks, similar scams were used to steal personal information and money from the education and government sector, impacting both tremendously.  

A closer look at the Tillage fund incident, however, shows that not only were they a victim of a BEC scam, but also a victim of the negligence of its associate’s employees—a matter that could have been prevented. Consequently, the human error on SS&C’s part amounted to a massive financial loss for Tillage fund. Human negligence—either by a lack of knowledge or carelessness is why BEC scams and other social engineering tricks work. It simply makes it easier for them to infiltrate a system without having to use more sophisticated tools and methods.

Past and previous incidents have indicated that while employees are a company’s biggest asset, they can also be its weakest link when it comes to security. While security should be largely the responsibility of the IT department, employees should still be the first line of defense. Employees need to be educated and duly trained for them to stay vigilant and defensive against potential attacks. Here are some tips for avoiding BEC scams:

  • Carefully scrutinize all emails. Be wary of irregular emails sent from C-suite executives, as they are used to trick employees into acting with urgency. Carefully review and verify fund transfer requests.
  • Educate and train employees. Commit to training employees according to the company’s best practices. Remind them that adhering to company policies is one thing, but developing good security habits is another.
  • Verify any changes in vendor payment location by using a secondary sign-off by company personnel.
  • Stay updated on customers’ habits including the details, and reasons behind payment.
  • Confirm requests for transfer of funds by using phone verification as part of a two-factor authentication process. Use known familiar numbers, not the details provided in the email requests.
  • If there are indications of a compromise, report the incident immediately to law enforcement or file a complaint with the IC3.
Apart from a stronger security mindset, the Trend Micro InterScan Messaging Security Virtual Appliance with enhanced social engineering attack protection features can defend against socially-engineered emails used in BEC attacks. BEC-related emails are blocked by the endpoint and email security capabilities of the Trend Micro Smart Protection Suites and Network Defense solutions.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.