The Rise and Rise of Business Email Compromise Scams

For several years now, scammers have been using sophisticated email campaigns to defraud businesses of all sizes through the use of fake invoices, wire transfers, and international payment requests. The scams often rely on compromised email accounts inside a target organization, and the operations are growing at a terrific rate, with losses in the United States alone of nearly $3 billion in the last 18 months.

These campaigns are known as business email compromise (BEC) scams and they’re essentially highly targeted and well-researched versions of traditional phishing ploys. Rather than relying on users to click on malicious links or open rigged attachments, attackers use BEC emails to entice victims into taking some action based on the urgent language in the message and their relationship with whoever purportedly sent the email. Often, a message will come from a legitimate email account that an attacker has gained access to, either through social engineering or a targeted compromise. Those initial targets can be high-level executives or others who have some financial authority in a given organization, and the emails usually are sent to a lower-level employee. Other times, the attacker will compromise an employee in accounts payable and wait for an opportunity to pounce.

“Sometimes you see them play man-in-the-mailbox where they’ll just sit and watch an inbox and wait for a purchase order to come through and then inject new banking and routing information into it,” said Ronnie Tokazowski, a senior malware analyst at Flashpoint who has been tracking BEC scams for several years. “You see that a lot in real estate transactions where they act like the mortgage broker or lawyer.”

The scammer’s goal in these campaigns is to get the email recipient to complete a wire transfer or other payment to an account the scammer controls. The email may look like an overdue invoice or an urgent request from the recipient’s CFO to complete a payment within a few hours as part of a big deal or acquisition. The idea is to create a sense of urgency and play off the recipient’s implicit trust in the sender.

It’s a clever scheme and it’s paying huge dividends. Between December 2017 and May 2018, BEC campaigns caused more than $12.5 billion in actual and attempted losses around the world, including $2.9 billion in the U.S., according to new statistics from the FBI’s Internet Crime Complaint Center (IC3). Although BEC scams have been seen in a number of different industries, including manufacturing, technology, and financial services, the FBI said attackers increasingly have been targeting organizations and individuals involved in real estate transactions.

“Victims participating at all levels of a real estate transaction have reported such activity to IC3. This includes title companies, law firms, real estate agents, buyers and sellers. Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account,” the FBI said.

“The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals. The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.”

From the beginning of 2015 through the end of 2017, BEC complaints from real estate transactions increased 1100 percent and losses jumped by 2200 percent to nearly $20 million. People and organizations involved in real estate may be especially susceptible to these scams because such transactions are often time-sensitive and many times the parties involved don’t know each other well. Also, there’s usually a lot of information publicly available about property purchases, so scammers can gather fodder for their emails and reconnaissance phone calls without much effort.

“They’ve really stepped up their game on this lately,” Tokazowski said.

BEC campaigns have been on law enforcement’s radar for a few years now, and they have had some success in targeting the scammers behind them. In June, the FBI, Department of Homeland Security, and other agencies arrested 74 people and recovered about $14 million as part of a major takedown called Operation WireWire. But even with that kind of group off the board, there are still plenty of others eager to step in and take up the slack.

“Even with the WireWire takedown we still see a lot of this going on. From each party’s perspective, these transactions look legitimate and it’s only after the fact that people realize what happened,” Tokazowski said.

Defending against BEC scams can be more difficult than spotting a normal phishing email, thanks to the number of people and organizations involved. Tokazowski recommends that organizations follow their normal approval process for payments or wire transfers, no matter how urgent the request seems to be.

“There are so many moving parts that it’s a really complex problem. I always tell people to think before you send money,” he said. “When money gets wired out, normally you have several people who need to sign off on it and it’s those checks and balances that can catch this. When that process breaks down, that’s when these scams work.”