According to an affidavit from FBI Special Agent Marshall Ward, who spearheaded the investigation, a phishing email was sent to the chief financial officer (CFO) of Unatrac Holding Limited, the UK-based export sales office for the construction equipment company Caterpillar. The email contained a URL leading to a spoofed webpage asking for the login credentials of the CFO’s Microsoft Office 365 account. Once the CFO entered his credentials, the attackers managed to gain access to all the contents of the CFO’s Office 365 account, from emails to digital files.
The CFO’s email account was then used to issue fund transfer requests to Unatrac’s financial department. The scam involved fake invoices featuring the corresponding company logos and templates to make the emails seem more legitimate. The attackers even went so far as to send emails from an external account to the CFO’s account, which were then forwarded to the finance team, and created and changed filter rules to intercept legitimate emails and mark them as read.
Between April 11 and 18, 2018, employees of the Unatrac financial department issued 15 payments totaling nearly US$11 million, with some of the payments going to the same account.
The affidavit mentioned that the CFO’s account was accessed at least 464 times from Nigerian IP addresses. The attackers also downloaded files from the CFO’s account, and one of the downloaded files was sent to a Gmail address. Further investigation by the FBI revealed that this Gmail address was used in other fraudulent schemes. Ward obtained records from Google that allowed the FBI to link the Gmail address to a second email address. That second address was connected to a forum account, which eventually led the FBI to conclude that Okeke was part of the BEC scam.
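The inbox-rule tampering described above (rules that intercept incoming mail and mark it as read) leaves a trail in mailbox audit logs. The following detection logic is an added example, not code from the original article or from Trend Micro; the record layout mimics Office 365 Unified Audit Log cmdlet events, and the sample records, addresses and IPs are constructed for illustration.

```python
import json

# Constructed sample records shaped like Office 365 Unified Audit Log
# Exchange cmdlet events (field names are assumptions for illustration).
SAMPLE_AUDIT_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "Sync"},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                               {"Name": "MarkAsRead", "Value": "True"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "cfo@example.com",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Identity", "Value": "Sync"},
                               {"Name": "ForwardTo", "Value": "finance.lookalike@gmail.com"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
                "ClientIP": "198.51.100.7", "Parameters": []}),
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule actions that hide or divert mail from the mailbox owner.
RISKY_ACTIONS = {"MarkAsRead", "DeleteMessage", "ForwardTo",
                 "ForwardAsAttachmentTo", "RedirectTo"}
# Folders rarely checked by users, a common place to park intercepted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive", "junk email"}
# Subject keywords typical of payment-themed BEC interception rules.
KEYWORDS = {"invoice", "payment", "wire", "transfer", "bank"}

def suspicious_rule_events(lines):
    """Return (user, client_ip, reasons) for inbox-rule events showing BEC-style tampering."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = [f"{a}={params[a]}" for a in sorted(RISKY_ACTIONS & set(params))]
        if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            reasons.append(f"MoveToFolder={params['MoveToFolder']}")
        words = params.get("SubjectContainsWords", "").lower()
        if any(k in words for k in KEYWORDS):
            reasons.append(f"SubjectContainsWords={params['SubjectContainsWords']}")
        if reasons:
            findings.append((rec["UserId"], rec.get("ClientIP"), reasons))
    return findings

if __name__ == "__main__":
    for user, ip, reasons in suspicious_rule_events(SAMPLE_AUDIT_LOG):
        print(f"ALERT {user} from {ip}: {', '.join(reasons)}")
```

Pairing each alert with the sign-in location of the rule-creating session (the affidavit cites hundreds of logins from unexpected IP ranges) gives the finance team a concrete trigger for the out-of-band verification recommended later in this article.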
BEC scams from unexpected sources
While BEC has traditionally been labeled as CEO fraud because fraudsters often impersonated CEOs, what we see here is a different kind of CEO fraud. In our year-end BEC review, we noted that the scheme has been on the rise, being responsible for approximately US$12.5 billion worth of losses as of 2018. However, Okeke’s arrest shows that BEC scams can originate from anyone — even seemingly legitimate executives and businessmen. While this in itself is not a common occurrence when it comes to BEC, the evolution in techniques, such as the use of more convincing social engineering and the exploitation of compromised accounts for credential phishing, is something organizations should be aware of.
As such, organizations should always be vigilant when it comes to financial requests and transactions. In this case, a secondary verification or approval by the CFO via call and/or in person could have prevented the scam from being successful.
In addition, organizations should educate their employees about email-based attacks, since these are often the means by which the social engineering tactics of BEC attackers get inside the organization.
Security technologies that use machine learning to combat BEC
Businesses can also consider adopting security solutions that are infused with innovative technologies such as Writing Style DNA. Used by the Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™ solutions, Writing Style DNA helps detect email impersonation tactics used in BEC and similar scams. It uses artificial intelligence (AI) to recognize the DNA of a user’s writing style based on past emails. The technology verifies the legitimacy of the email content’s writing style through a machine learning model that contains the legitimate email sender’s writing characteristics. When a potential fraud is identified, it alerts the IT team, the spoofed employee, and the email recipient.