Fraud is expensive, and it does not have to be sophisticated to succeed. Business email compromise (BEC) is on the rise as companies continue to fall victim to this form of social engineering.
Japanese media conglomerate Nikkei is the latest BEC victim. An employee of Nikkei America, the financial media company's United States subsidiary, was tricked into transferring ¥3.2 billion, or roughly $29 million, to a fraudulent bank account in September, Nikkei said in a statement. The employee was following “fraudulent instructions by a malicious third party” posing as a Nikkei management executive. Nikkei has notified law enforcement in both the US and Hong Kong. Although Nikkei didn't say so in the statement, Hong Kong authorities are most likely involved because the money was sent to an account at a Hong Kong-based bank. Banks located in China and Hong Kong are the "primary destinations" for stolen funds, the Federal Bureau of Investigation said in a September Public Service Announcement.
“Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations,” Nikkei said. “We are investigating and verifying the details of the facts and causes of this incident.”
The Nikkei America employee is among many victims who made the mistake of thinking the person behind the message was someone to be trusted. Just last month, the City of Ocala in Florida lost $742,000.
“You hear a lot about ransomware, but BEC is causing more damage,” said Stephen Boyer, CTO of security ratings company BitSight, who referred to BEC as a “silent killer.”
BEC refers to scams where employees at an organization receive messages purportedly from another person in the organization, typically a more senior person, asking for money to be sent. The messages may be sent from a domain that looks similar to the real one, or the scammers may have compromised that person's account and sent messages from it. The messages give a somewhat plausible reason why the transfer has to happen immediately, and take advantage of people's tendency to trust those they believe are part of their organization.
Recently, Spanish law enforcement authorities arrested three individuals for allegedly running a BEC operation that targeted a dozen companies around the world to steal about €10 million, or $11 million. The group is believed to have used phishing emails to take over email accounts belonging to managers at targeted companies, and then sent fraudulent emails to lower-level employees requesting wire transfers. The group attached fake invoices that looked legitimate, and the wire transfers often used banks the victim companies had previously worked with. The police have recovered about €1.3 million, or $1.4 million, in stolen funds from about 16 bank accounts.
Criminals have to be creative with BEC scams as they pull together different pieces of information about the person they are pretending to be and try to convince the victims. BEC is "technically not the most advanced of the attack" but it is effective, as it is "going after the human," Boyer said.
As a form of social engineering, BEC scams are particularly effective. The FBI said BEC scams have been reported in 177 countries and fraudulent transfers have been sent to 140 countries. Based on the victim reports collected by the FBI's Internet Crime Complaint Center (IC3), BEC scams accounted for $26 billion in losses worldwide between July 2016 and July 2019. Many victims don't report being scammed, so the true amount may be even higher.
The United Kingdom's National Cyber Security Centre warned that universities and schools were increasingly being targeted. "The use of spoofed or compromised email accounts to impersonate a university’s partners or suppliers is rising," the NCSC said in September.
Insurance giant AIG said it received more claims for BEC than ransomware and data breaches in the Europe, Middle East, and Asia region in 2018. BEC-related insurance filings accounted for 23 percent of all cyber-insurance claims AIG received in 2018.
There are variations of BEC, such as whaling, which targets senior executives, and vendor email compromise (VEC), where a third party is compromised and their account is then used for the attack. In VEC, fraudsters compromise the inboxes of third-party accounts for vendors—usually by phishing—and then pretend to be the vendor.
The attackers may monitor the email communications to learn who the vendor works with and figure out when invoices are likely to be sent, Boyer said. They may modify the invoice template with different bank routing information, and the real vendor may not even realize the PDF file was modified. Or they may send emails directly to the victim organizations and initiate the transfer.
In the Florida incident, the scammers posed as a local construction company doing business with the city. A city senior account specialist received an email purportedly from the construction company’s accounting department requesting that its banking information be changed. The request used the city’s own form, which was filled out with all the necessary bank account information. The city employee did not realize that the email address, which had the name of the construction company employee, came from a domain with an extra 's' in the company name. When the construction company later submitted a legitimate invoice, the city paid. The funds wound up in the changed bank account, not the construction company’s actual account.
This kind of change is really hard for victims to flag as fraudulent, because they are not going to suspect anything is wrong when the message comes from a known entity they may regularly interact with, Boyer said.
Tackling BEC scams is a two-pronged effort. The first prong is to protect accounts so they are harder for attackers to compromise. That includes methods such as strong and unique passwords to thwart credential-stuffing attacks, and enabling multi-factor authentication so that even if the password is stolen, the attackers can't easily take over the account.
McAfee researchers recently warned of a phishing campaign where attackers sent fake voicemail notifications to Office 365 users. Compromised accounts could then be used in a BEC attack. Having two-factor authentication would at least make it harder for attackers to get hold of these accounts in the first place.
The second prong is a process control, and requires a bit more planning. For example, the organization may require that money transfers over a certain amount have two authorization signatures, or a voice confirmation, before they can be initiated, Boyer said. It may also be sensible to set a policy that no payment can be rushed, since attackers frequently put time pressure on the victim to make them think they have to act quickly.
The process change is necessary because BEC scams don't need to actually compromise accounts. As the Florida incident showed, spoofed email accounts or similar-looking email addresses can be enough. Attackers can succeed even if the victim has technical controls in place, Boyer said.
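As an added illustration (not code from the article or from BitSight), the check below combines the two controls discussed above: it flags a vendor banking-change request whose sender domain is a near-duplicate of the domain on file (the extra-letter trick from the Florida case) and holds it until the process controls Boyer describes are met. The vendor register, request fields and the approval threshold are constructed assumptions.

```python
# Added example: defender-side evaluation of a vendor banking-detail change request.
# The vendor register and sample requests are constructed, not taken from the article.
from dataclasses import dataclass, field

# Constructed vendor register: the domain each vendor is known to send from.
VENDOR_DOMAINS = {
    "acme-construction": "acmeconstruction.example",
}

@dataclass
class ChangeRequest:
    vendor: str
    sender: str                 # From: address on the request
    amount: float               # value of the payment the change would redirect
    voice_confirmed: bool = False  # called back on a phone number already on file
    approvers: list = field(default_factory=list)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one inserted letter in the domain scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def evaluate(req: ChangeRequest, approval_threshold: float = 10_000) -> list:
    """Return the reasons the request must be held; an empty list means it may proceed."""
    holds = []
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    known = VENDOR_DOMAINS.get(req.vendor)
    if known is None:
        holds.append("unknown vendor")
    elif sender_domain != known:
        # A distance of 1 or 2 is the lookalike pattern (e.g. an extra 's'), so
        # it is reported separately from a domain that simply is not on file.
        if edit_distance(sender_domain, known) <= 2:
            holds.append(f"lookalike domain {sender_domain!r} vs {known!r}")
        else:
            holds.append(f"sender domain {sender_domain!r} not on file")
    # Process controls: bank-detail changes always need out-of-band confirmation,
    # and payments at or above the threshold need two distinct approvers.
    if not req.voice_confirmed:
        holds.append("no voice confirmation via number on file")
    if req.amount >= approval_threshold and len(set(req.approvers)) < 2:
        holds.append("needs two authorization signatures")
    return holds
```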
BEC is about “exploiting the relationship of trust,” Boyer said. “If they can’t get you directly, they will go after you indirectly.”