New Business Email Compromise Scheme Reroutes Paycheck by Direct Deposit

A new business email compromise (BEC) scheme has emerged in which the attacker tricks recipients into rerouting paychecks paid by direct deposit. According to CNBC’s report, this BEC scam has been growing; for instance, Kansas City-based KVC Health Systems, a nonprofit agency for child welfare, receives such emails two or three times a month on average.

In the scheme, the attacker poses as a CEO, CFO, or payroll director and sends an email to human resources personnel, asking the latter to change an employee’s bank account and routing information so that paychecks are deposited directly to a fraudulent account.

[Read: Year-End Review: Business Email Compromise in 2018]

Crafty social engineering at play

This new BEC scheme, along with other scams that don’t require high-skill technical methods, heavily relies on social engineering to succeed. Hacking into a legitimate email account using keyloggers or remote access tools isn’t a prerequisite.

The attackers behind this new BEC scheme produced the socially engineered emails using free services like Gmail and crafted them in such a way that the fake email appears legitimate. As observed in other similar schemes, the attackers can play into an employee’s desire to be responsive to the high-ranking company members that were being impersonated.

The emails that attackers sent to victims in this particular scheme were well-crafted; typically brief, polite, and lightly urgent. In one of the cited email samples, the recipient was asked to change direct deposit information before the next paycheck. The attacker can also manipulate the recipients to prevent them from calling for verification. In one of the email samples, the attacker did this by writing “I am going into a meeting now.”
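The traits described above (an executive's name on a free webmail address, a direct deposit change request, and wording that discourages a phone call) can be checked mechanically before HR acts on a message. The following is an added example, not code from the article or from any Trend Micro product; the executive name, company domain, webmail list, phrase patterns, and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: replace with the organization's own directory data.
EXECUTIVES = {"dana whitfield"}            # display names of CEO/CFO/payroll director
COMPANY_DOMAIN = "example.com"
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
PAYROLL_RE = re.compile(r"direct deposit|routing number|bank account|payroll|paycheck", re.I)
EVASION_RE = re.compile(r"going into a meeting|in a meeting|can'?t take calls|unable to talk", re.I)

def indicators(raw):
    """Return the list of BEC payroll-diversion indicators found in one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # sketch handles single-part text messages only
    found = []
    if display.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        found.append("exec_name_external")   # executive name, outside address
    if domain in FREE_WEBMAIL:
        found.append("free_webmail")
    if PAYROLL_RE.search(body):
        found.append("payroll_topic")
    if EVASION_RE.search(body):
        found.append("discourages_callback")
    return found

def hold_for_verification(raw):
    """Hold when an impersonated executive asks about payroll; keywords alone do not trigger."""
    found = indicators(raw)
    return "exec_name_external" in found and "payroll_topic" in found

# Constructed sample: mirrors the traits the article describes.
BEC_SAMPLE = (
    "From: Dana Whitfield <dana.whitfield.ceo@gmail.com>\n"
    "To: hr@example.com\n"
    "Subject: Quick request\n"
    "\n"
    "Hi, I changed banks. Please update my direct deposit before the next paycheck.\n"
    "I am going into a meeting now, so email is best.\n"
)
# Constructed sample: a genuine internal message that mentions payroll.
INTERNAL_SAMPLE = (
    "From: Dana Whitfield <dana.whitfield@example.com>\n"
    "To: hr@example.com\n"
    "Subject: Calendar\n"
    "\n"
    "The payroll calendar for next quarter is attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("bec", BEC_SAMPLE), ("internal", INTERNAL_SAMPLE)):
        print(name, hold_for_verification(raw), indicators(raw))
```

A held message should be confirmed through a phone number or channel already on file, never through contact details supplied in the email itself.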

[Read: Smarter Phishing Techniques Observed as Cybersecurity Tools Become Advanced]

Email scams affecting companies and their employees

The successful execution of email scams such as BEC burdens both the company and the employee.

The company should be responsible for reimbursing the stolen money due to fraud. TSB Bank plc, a U.K.-based retail and commercial bank, recently announced that it will refund customers who were tricked into authorizing payments to fraudsters. This announcement comes on the heels of news about the bank losing millions last year due to several problems that include fraud.

Meanwhile, email scams can inconvenience an employee due to a delayed paycheck, and in extreme cases, they can trigger an employee’s dismissal.

[Read: Trend Micro Cloud App Security Report 2018: Advanced Defenses for Advanced Email Threats]

Avoid falling victim to email scams

Scams in the form of phishing, spear phishing, and BEC emails are still on the rise. Trend Micro has predicted that apart from high-ranking company members, attackers, such as the ones behind BEC scams, will target employees further down the company hierarchy. Usual cybersecurity best practices and solutions may not be enough to combat this scheme, but there are security technologies that can help users and organizations detect them.

Writing Style DNA, which is used by Trend Micro Cloud App Security™ (CAS) and ScanMail™ Suite for Microsoft® Exchange™ (SMEX), can help detect email impersonation tactics used in BEC and similar scams. It uses artificial intelligence (AI) to recognize the DNA of a user’s writing style based on past emails and then compares it to suspected forgeries. The technology verifies the legitimacy of the email content’s writing style through a machine learning (ML) model that contains the legitimate email sender’s writing characteristics.

Apart from advanced email security solutions, cybersecurity awareness training and enforcing best practices against email threats can also help stop scammers in their tracks.