Earlier this month, the FBI Internet Crime Complaint Center (IC3) released its annual Internet Crime Report, which highlights the most common attack trends and the extent of financial losses based on victims’ reports of internet crime. The report highlighted the seriousness of the threat of Business Email Compromise (BEC) attacks, which resulted in losses of more than $1.2 billion in 2018, more than twice the losses to BEC attacks that were reported in 2017.
2019 is likely to see losses increase further still as the BEC attacks are continuing at pace. Last week, almost coinciding with the release of the report, Scott County Schools in Kentucky announced that it was the victim of a major BEC attack that resulted in a loss of $3.7 million.
The school was notified by a vendor that a recent invoice was outstanding. Further investigation revealed payment had been made, just not to the vendor in question. An email had been received that appeared to be from the vendor, which included forged documents and details of a bank account that was controlled by the scammer.
The FBI was contacted, and attempts are being made to recover the funds, although since the payment was made two weeks previously, it is unclear whether it will be possible to recover the money.
A few days later, news broke of another major BEC scam, this time on a church. St. Ambrose Catholic Parish in Brunswick, Ohio, was a victim of a BEC attack that resulted in the fraudulent transfer of $1.75 million from the Church’s renovation fund. The scam was a virtual carbon copy of the Scott County Schools BEC attack.
The church was contacted by its contractor after not having had invoices paid for two months. That was news to the church, which believed that payments had been made on time. The funds had left the church account but had been directed elsewhere. The investigation into the BEC attack revealed hackers had gained access to the church’s email system and altered the contractor’s bank and wire transfer instructions.
These are just two recent examples of major losses to BEC attacks. Many other million-dollar and multi-million-dollar losses have been reported over the past 12 months.
With potential profits in the upper hundreds of thousands or millions of dollars, it is no surprise that organized criminal gangs are turning to business email compromise scams. The scams are easier to pull off than many other crimes and the potential profits are considerably higher.
Business email compromise scams involve the impersonation of an individual or company. The scams are often conducted via email and usually include a request for a wire transfer. The scams require some research to identify a company to impersonate, but in many cases that is not particularly difficult. It would not be difficult, for example, to identify a contractor that is conducting a major renovation. The company’s banners are likely to be clearly visible around the building where the work is being completed.
Impersonating a company is far from challenging. It is child’s play to spoof an email and make it appear to have come from another domain. The scams are even more convincing if an email account is compromised. Then the email will come from a genuine account.
Gaining access to an email account requires a carefully crafted phishing email that directs the recipient to a phishing webpage that collects login credentials – such as Office 365 credentials. A single phishing email could start the scam in motion.
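As an added example (not code from the article), here are the two checks an accounts-payable mail filter could run on the kind of invoice email described above: a known vendor's display name arriving from a domain that does not match the vendor on file, and a bank account in the body that differs from the one on file. The vendor record, the lookalike domain, the sample message and the account-number format are all constructed for illustration.

```python
"""Flag BEC indicators in an incoming vendor invoice email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor master data: what accounts payable has on file,
# keyed by the vendor name as it appears in the From display name.
VENDORS = {
    "acme construction": {"domain": "acme-construction.example",
                          "account": "12345678"},
}

# Constructed account-number pattern ("account number 12345678", "account #: ...").
ACCOUNT_RE = re.compile(r"account\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{6,12})", re.I)

# Constructed sample: display name matches the vendor, but the address is on a
# lookalike domain ("constructlon") and the body asks for a different account.
SAMPLE_EMAIL = """\
From: Acme Construction <billing@acme-constructlon.example>
To: payments@school.example
Subject: Invoice 4471 - updated remittance details

Please note our account number has changed. Remit payment for invoice 4471
to account number 87654321.
"""


def analyse_invoice_email(raw):
    """Return a list of BEC indicators found in the message (empty if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    vendor = VENDORS.get(display.strip().lower())
    findings = []
    if vendor is None:
        return findings  # unknown vendor name: outside the scope of this check
    # Check 1: a vendor we know, but mail from a domain that is not theirs
    # (spoofed or lookalike sender).
    if sender_domain != vendor["domain"]:
        findings.append(
            f"sender domain {sender_domain!r} does not match vendor domain "
            f"{vendor['domain']!r}")
    # Check 2: any payment-detail change must be verified out of band.
    for acct in ACCOUNT_RE.findall(msg.get_payload()):
        if acct != vendor["account"]:
            findings.append(
                f"bank account {acct} differs from the account on file; "
                f"confirm with the vendor by phone before paying")
            break
    return findings
```

A compromised genuine vendor mailbox passes the first check, which is why the second check (any change to payment details triggers an out-of-band confirmation) is the one that catches both scams described above.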
These BEC attacks show how critical it is for businesses to have an advanced anti-spam solution in place to stop the initial phishing email from reaching inboxes, and to implement multi-factor authentication for email accounts so that stolen credentials alone are not enough to gain access to corporate email.