Watch Who Emails You: Stay Safe From Business Email Compromise

Watch out for Business Email Compromise

In 2013 the FBI noticed a new attack that it called business email compromise (BEC), sometimes called CEO fraud (although it doesn’t always involve the CEO). This is a simple attack that criminals use to steal money and financial information from all sorts of companies. Targets have included large and small corporations, non-profits, churches, and schools. As of 2018, BEC has cost over $12.5 billion and is on the rise. The attack relies on one major point: deceiving the person on the other end of the email, but on a more sophisticated level than your typical spam or phishing email. The criminals that use these techniques often employ linguists, hackers, and lawyers, making everything seem much more believable. The criminals start by targeting a specific organization, then researching the company and following its employees on social media. They use this information to find out how the business works, who has access to financial information, and how those people communicate, in order to craft their attack. Sometimes they go even further, using malware to infect a company’s computers and then sitting there stealthily for weeks or months, studying which vendors the organization uses, when employees work, how emails are created and sent, and who has the most power in the company.

Once the criminals have enough information, they launch their attack, usually by waiting for a high-level employee to be away; the criminals will know this from either watching social media or reading internal company emails. It usually starts with a bogus email, sent from an email account that looks similar to that of a very high-ranking employee (such as the CEO or CFO), to someone who can transfer money. They mimic the email speech patterns of that high-level employee and instill a sense of urgency and importance in the email. The request is usually for a very important wire transfer that needs to be done ASAP for business to continue with a vendor or client. Since the high-level employee is usually away at this time, there is no easy way to verify the claim, and usually the transfer is made, with the money going straight into the criminals’ pockets. Usually the fraud is not discovered until later, when that high-level employee has returned or someone else notices something awry; if it is not discovered in time, it is almost impossible to recover the money.

Anatomy of the Attack

image from https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise

What can you do to protect yourself from business email compromise?

  • Make sure to confirm requests for transfers by using phone verification as part of two-factor authentication
  • Make sure to closely inspect all email requests for any sort of transfer of money
  • Create a way for employees to easily report any suspected fraudulent emails
  • Have an intrusion detection system in place for email that monitors for messages coming from similar but slightly different domains
  • Color code virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another
  • Verify changes in vendor payment location by adding additional two-factor authentication, such as having a secondary sign-off by company personnel
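As an added illustration of the two detection items above (look-alike sender domains and tagging external mail), and not code from the original article, the following script classifies a message's From: domain as internal, external, or a look-alike of the organization's own domain. The organization domain and the sample headers are constructed for the example; it folds common homoglyph substitutions and uses edit distance to catch typo-squats.

```python
from email.utils import parseaddr

# Assumed: the organization's own domains (constructed for this example).
INTERNAL_DOMAINS = {"example-corp.com"}
# Constructed sample From: headers, as a mail gateway would see them.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@example-corp.com>",               # genuine internal sender
    "CEO <ceo@examp1e-corp.com>",               # digit 1 in place of letter l
    "CEO <ceo@exarnple-corp.com>",              # 'rn' in place of 'm'
    "CFO <cfo@example-corp.co>",                # last letter of the TLD dropped
    "CFO <cfo@example-corp.com.evil-host.net>", # real name used as a subdomain elsewhere
    "Accounts <ar@supplier.net>",               # ordinary external vendor
]

# Fold characters that look alike on screen so "examp1e" compares as "example".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

def normalize(domain):
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")

def levenshtein(a, b):
    """Edit distance; a small value means the domains differ by a typo or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, internal=INTERNAL_DOMAINS, max_distance=2):
    """Return (verdict, sender_domain, internal_domain_it_resembles_or_None)."""
    _name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for real in internal:
        if domain == real or domain.endswith("." + real):
            return ("internal", domain, real)
    for real in internal:
        if levenshtein(normalize(domain), normalize(real)) <= max_distance:
            return ("lookalike", domain, real)
        if real.split(".")[0] in domain:  # e.g. example-corp.com.evil-host.net
            return ("lookalike", domain, real)
    return ("external", domain, None)

def triage(headers=SAMPLE_FROM_HEADERS):
    """Tag each message the way an external-sender banner or color code would."""
    tags = {"internal": "", "external": "[EXTERNAL] ", "lookalike": "[LOOKALIKE DOMAIN - VERIFY BY PHONE] "}
    return [(verdict, tags[verdict] + domain) for verdict, domain, _ in map(classify_sender, headers)]
```

A real gateway would also check the Reply-To header and flag a display name that matches an executive while the address is external, since those are the other two ways the same deception is carried out.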