The head of finance has just received an email from the CEO: “I’m heading out of town and will be out of reach for the next several hours, but we need to make a wire transfer asap to bank account #XXXXXXX.”
This is a Business Email Compromise (BEC) scam, a type of financial fraud designed to steal money from businesses and individuals. The CEO’s email account has been compromised--via a keylogger or social engineering--and the head of finance should flag the message for IT, not call the bank.
Attackers use phishing, social engineering and other hacking tactics to convince employees with access to company finances to make wire transfers into criminals' bank accounts. Typically, an attacker will impersonate high-level executives at a company (like a CEO or CFO) and send phishing emails to employees requesting either a money transfer or sensitive data that can be used to commit fraud.
According to the FBI, more than $12 billion in domestic and international losses between October 2013 and May 2018 were due to BEC scams. Earlier this year, the Department of Homeland Security, the Department of Treasury, and the U.S. Postal Inspection Service arrested 74 people in the United States, Nigeria, Canada, Mauritius and Poland as part of Operation WireWire. As part of the takedown, federal law enforcement seized nearly $2.4 million and recovered $14 million in fraudulent wire transfers.
A real-world example of a BEC attack involves Xoom Corporation, an online, international wire-transfer provider based in California. Spoofed emails sent to their finance department resulted in a transfer of $30.8 million to fraudulent overseas accounts.
Another incident targeting the U.S. toymaker Mattel resulted in a $3 million wire transfer to Chinese hackers that was eventually recovered. This involved a spear phishing email sent to a finance executive that approved large cash transfers. By researching publicly available information on the corporate hierarchy, staff, and payment patterns, attackers were able to craft a convincing email that appeared to come from the company's CEO.
Since the primary motivation of BEC attacks is to get money, attackers research the organization to identify whom to target (someone who can make wire transfers) as well as whom to impersonate (someone who can make the request). Recent research of 3,000 BEC attacks from Barracuda Sentinel found that attackers impersonate CEOs 43 percent of the time, compared to CFOs just 2 percent of the time.
Targets tend to be employees that report to leadership. While CEOs were targeted only about 2 percent of the time, CFOs made up 17 percent of the targets, and members of finance and human resources teams were targeted an equal number of times. The attackers try to make the recipients--frequently in IT, sales, marketing, and operations--nervous about questioning people that are senior to them on the organizational chart.
The CEO or CFO would be more likely to stop and ask why someone needs to go out of the normal chain of command for a wire transfer. Someone in middle management will be less likely to question the authority figure seeming to make that request.
Safeguarding Against BEC
The FBI's tips on protecting against a BEC scam can help prevent financial fraud or a data leak.
- Verify email communication or requests over a different channel, such as in person or over the phone.
- Use a second form of verification for wire fund transfers.
- Flag emails with extensions similar to company email domain names.
- Flag email communications where the reply-to email address is different from the From email address shown.
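The last two tips can be automated in a mail-triage script. The following is an added example, not part of the original article or the FBI guidance: it parses the From and Reply-To headers of a message and flags a mismatch or a near-miss spelling of the company domain. The domain `example.com`, the function names and the edit-distance threshold of 2 are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's real mail domain

def address_of(header_value):
    """Lower-cased bare address from a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Return the list of checks from the tips that a raw message trips."""
    msg = message_from_string(raw_message)
    sender = address_of(msg.get("From"))
    reply_to = address_of(msg.get("Reply-To"))
    flags = []
    # Tip: the reply address differs from the From address shown.
    if reply_to and reply_to != sender:
        flags.append("reply_to_mismatch")
    # Tip: a domain that is similar to, but not, the company domain.
    for addr in (sender, reply_to):
        domain = addr.rpartition("@")[2]
        near = edit_distance(domain, company_domain) <= max_distance
        if domain and domain != company_domain and near:
            flags.append("lookalike_domain:" + domain)
    return flags

# Constructed sample messages (not real mail).
SPOOFED_REPLY = (
    "From: Chief Executive <ceo@example.com>\n"
    "Reply-To: ceo@examp1e.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Need this done asap.\n"
)
LOOKALIKE_FROM = "From: ceo@exarnple.com\nSubject: Wire\n\nPlease send today.\n"
LEGITIMATE = "From: alice@example.com\nSubject: Minutes\n\nAttached.\n"

if __name__ == "__main__":
    for name, raw in [("spoofed reply", SPOOFED_REPLY),
                      ("lookalike from", LOOKALIKE_FROM),
                      ("legitimate", LEGITIMATE)]:
        print(name, "->", bec_flags(raw))
```

Edit distance does not catch every lookalike (for example, a different top-level domain appended to the full company name), so a flag from this check is a reason to verify over another channel, not a verdict.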
The U.S. Chamber of Commerce has instructions for victims of BEC scams. Acting within one or two days means the company might be able to recover the stolen money.
- Contact both banks involved in the transfer.
- Contact your local FBI or Secret Service field office.
- For financial losses less than $100,00, file a report through FBI's Internet Crime Complaint Center (IC3).