Over the past three years business email compromise scams have been conducted with increasing regularity. However, over the past year the number of business email compromise scams reported to the Federal Bureau of Investigation (FBI) have increased dramatically.
Since January 2015, the FBI reports there has been a 270% increase in BEC attacks. FBI figures suggest the total losses from business email compromise scams since October 2013 has risen to $2.3 billion. Reports of successful BEC scams have been sent to the FBI from over 79 different countries around the world, which have affected more than 17,642 businesses.
Business email compromise scams involve the attacker gaining access to a corporate email account, such as that of the CEO, and requesting a bank transfer be made to their account. An email is sent from the CEO’s account to an accounts department employee, and all too often the transfer is made without question.
Unfortunately for U.S Businesses, BEC attacks are likely to increase as more cybercriminals get in on the act. Security experts have warned that the situation is likely to get a lot worse before it gets better. With the average fraudulent bank transfer between $25,000 and $75,000 and considerable potential to obtain much higher sums, criminals are more than willing to conduct the attacks.
A recent report from Dell SecureWorks indicates some hackers are selling their services on underground marketplaces and are offering access to corporate email accounts for just $250. Since cybercriminals could buy access to corporate email accounts, even relatively unskilled criminals could pull off a BEC scam and potentially have a million dollar+ payday. A number of large corporations have been fooled by these scams and have recorded losses of well over $1 million.
Business Email Compromise Scams Can Be Highly Convincing
BEC scams are convincing because even with security training, staff members tend to assume attacks will come from outside their organization. Employees are suspicious about emails that request the disclosure of login credentials, and a request to make a bank transfer that has not come from within an organization is likely to be immediately flagged as a scam.
However, when the CEO sends an email to a member of the accounts department requesting a bank transfer, many employees would not think to question the request. The person arranging the transfer would be unlikely to call the CEO to confirm payment. The transfer may go unnoticed for a number of days, by which time the funds would have been withdrawn from the attackers account and would be impossible to recover.
To conduct this type of attack the attacker would need to gain access to the email account of the CEO or an executive in the company who usually sends bank transfer requests to the accounts department. Once access has been gained, the attacker can read emails and learn the terminology typically used by that member of staff.
An email can then be written in the same language used by that individual. This ensures that the email does not rouse suspicions. Attackers research the transfer requests that are typically made and set the dollar amounts accordingly.
Since the account transfers are made to bank accounts outside the United States, the companies most frequently targeted are those that often make International payments. To the targeted accounts department employee, the request would seem perfectly normal.
How to Reduce the Risk of Employees Falling for BEC Scams
There are a number of ways that organizations can reduce the risk of employees falling for business email compromise scams. SpamTitan could not block a request sent from a compromised email account, but oftentimes attackers spoof email addresses. They purchase a domain that looks very similar to the targeted company, often transposing two letters. Oftentimes a domain is purchased replacing a letter “i” or an “L” with a “1”. If the email address of the sender is not carefully checked, this could well go unnoticed. SpamTitan can be configured to automatically block these spoofed email addresses to prevent these emails from being delivered.
To prevent employees from falling for business email compromise scams sent from compromised email accounts, policies and procedures should be introduced that require all account transfers to be verified by two individuals. Large transfers should also, where possible, be confirmed by some means other than email. A quick call to sender of the email for instance.
Organizations that choose to do nothing could regret failing to take precautions. Take the Austrian Airline parts company FACC for example. It reportedly lost approximately $55 million to such a scam.