A new business email compromise (BEC) scheme, in which the attacker tricks recipients into rerouting paychecks sent by direct deposit, has emerged. According to CNBC’s report, this BEC scam has been growing; for instance, Kansas City-based KVC Health Systems, a nonprofit child welfare agency, receives such emails an average of two or three times a month.
In the scheme, the attacker poses as a CEO, CFO, or payroll director and sends an email to human resources personnel, asking the latter to change an employee’s bank account and routing information so that paychecks are deposited directly to a fraudulent account.
This new BEC scheme, along with other scams that don’t require high-skill technical methods, heavily relies on social engineering to succeed. Hacking into a legitimate email account using keyloggers or remote access tools isn’t a prerequisite.
The attackers behind this new BEC scheme produced the socially engineered emails using free services like Gmail and crafted them so that the fake email appears legitimate. As observed in other similar schemes, the attackers play into an employee’s desire to be responsive to the high-ranking company members being impersonated.
The emails that attackers sent to victims in this particular scheme were well-crafted: typically brief, polite, and lightly urgent. In one of the cited email samples, the recipient was asked to change direct deposit information before the next paycheck. The attacker can also manipulate recipients so that they do not call to verify the request. In one of the email samples, the attacker did this by writing “I am going into a meeting now.”
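As an added illustration (not code from the original report), the following Python heuristic scores an inbound message for the traits described above: an executive’s display name on a free-webmail address, a direct deposit change request, light urgency, and a line that discourages a verification call. The executive names, corporate domain, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example data; a real deployment would load these from the directory/HR system.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "sam lee"}  # display names of the CEO/CFO an attacker might spoof
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

PAYROLL_REQUEST = re.compile(r"direct deposit|routing (number|info)|bank account|payroll", re.I)
URGENCY_CUE = re.compile(r"before (the |my )?next (paycheck|payroll|pay ?date)|as soon as possible|asap", re.I)
VERIFICATION_DODGE = re.compile(r"(going into|heading into|in) a meeting|can'?t (talk|take calls)", re.I)

def _body_text(msg) -> str:
    """Return the plain-text body, joining text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")

def score_message(raw: str) -> dict:
    """Score one RFC 822 message for payroll-diversion BEC traits and return a verdict with reasons."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    reasons = []
    if display.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        reasons.append("executive display name from non-corporate address")
    if domain in FREE_MAIL_DOMAINS:
        reasons.append("free webmail sender domain")
    if PAYROLL_REQUEST.search(text):
        reasons.append("direct deposit / payroll change request")
    if URGENCY_CUE.search(text):
        reasons.append("urgency cue")
    if VERIFICATION_DODGE.search(text):
        reasons.append("discourages verification call")
    # Quarantine when impersonation is paired with the payroll ask, or when three or more traits match.
    impersonation = any(r.startswith("executive") for r in reasons)
    payroll = any(r.startswith("direct deposit") for r in reasons)
    verdict = "quarantine" if (impersonation and payroll) or len(reasons) >= 3 else "deliver"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages in the style the report describes; not real emails.
SCAM_MAIL = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: hr@example.com
Subject: Direct deposit update

Hi, I need to change my direct deposit information before the next paycheck.
Please update my bank account and routing number to the details below.
I am going into a meeting now, so just email me when it's done. Thanks.
"""
LEGIT_MAIL = """From: Sam Lee <sam.lee@example.com>
To: hr@example.com
Subject: Q3 headcount plan

Can we meet Thursday to go over the Q3 headcount plan? Thanks, Sam
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MAIL), ("legit", LEGIT_MAIL)):
        print(label, score_message(raw))
```

The verdict is a triage signal for a mail gateway or SOC queue, not a substitute for the out-of-band callback that defeats the "I am going into a meeting" tactic.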
Email scams affecting companies and their employees
The successful execution of email scams such as BEC burdens both the company and the employee.
The company should be responsible for reimbursing money stolen through fraud. TSB Bank plc, a U.K.-based retail and commercial bank, recently announced that it will refund customers who were tricked into authorizing payments to fraudsters. This announcement comes on the heels of news that the bank lost millions last year due to several problems, including fraud.
Meanwhile, email scams can inconvenience an employee through a delayed paycheck and, in extreme cases, can even trigger an employee’s dismissal.
Scams in the form of phishing, spear phishing, and BEC emails are still on the rise. Trend Micro has predicted that, apart from high-ranking company members, attackers such as the ones behind BEC scams will target employees further down the company hierarchy. Usual cybersecurity best practices and solutions may not be enough to combat this scheme, but there are security technologies that can help users and organizations detect such emails.