Social media platforms may have taken over as the most common mode of personal communication, but email remains the preferred tool for business communication. Research by The Radicati Group, a technology market research firm, projects that this attachment to email will keep growing, reaching 319.6 billion emails sent and received each day by 2021. It is no wonder the piercing eyes of the cybercriminal have fixated on ways to compromise one of the essential business communication tools.
What is Business Email Compromise (BEC)?
Law enforcement officials like to think of BEC as spearphishing [1] on steroids. Sometimes loosely called a man-in-the-middle [2] attack or whaling [3], its purpose is to deceive an organization's personnel, primarily in accounts payable, into handing over large sums of money.
Between October 2013 and December 2016, the FBI found that over $5.3 billion had been lost to BEC scams globally.
How Does Business Email Compromise Work?
BEC is a multi-stage, stealthy exercise; like most successful cyberattacks, it exploits a blend of technology and the human factor.
BEC can be broken down into four distinct phases:
BEC fraud starts with surveillance of the targeted company. BEC only works if the cybercriminal understands how the target thinks, so this intelligence is required to clear the trust barrier. Gathering intelligence usually includes spearphishing to gain access to a system in order to harvest credentials or install malware. That access is then used to extract information and to reach executive schedules and calendars, which lets the cybercriminal build a profile of the victim, frequently a high-level executive in the organization.
Cybercriminals do their homework to acquire a variety of information. When profiling a target, they will research:
- general information about the organization (for instance, where it does business and with whom).
- the management structure, including the titles and names of company officers.
- information about new rounds of funding.
- data about new services, products, and patents.
- geographic or product expansion plans.
- executive travel plans.
The information acquired when profiling the organization gives the cybercriminal an understanding of its hierarchy. They pick one or more targets, typically someone in the company's financial function, most commonly accounts payable, who is trusted with payment decisions. The cybercriminal may cultivate a relationship with the target through emails or phone calls over several weeks to build trust.
Once trust is established, the cybercriminal sends the final email requesting a wire transfer; wires are chosen because, once the funds have been withdrawn from the receiving account, they are very difficult to recall. At this point the target trusts the person they believe they are dealing with and sends the wire, suspecting nothing. This is also the point at which the scam can still be stopped: a call to the requester on a known, independently obtained phone number, not one taken from the email, would expose it.
The victim transfers the money to the cybercriminal's account and may not even learn that a crime was committed until a company audit.
BUSINESS EMAIL COMPROMISE COMES IN A VARIETY OF THEMES
BEC scams tend to follow a theme. The three most common types include:
1. CEO Impersonation
This type of BEC crime relies on mimicry, close surveillance, trust, and deception. Through profiling, the cybercriminal has obtained the email address of the CEO or another executive. He or she then sends a spoofed email that appears to come from that executive's address.
How do they do it?
Cybercriminals can alter different parts of an email to disguise the actual sender. Some do it by hand, but the vast majority of spoofed emails are produced with purpose-built software. The fields they tamper with are the From line, the Reply-To line, the Return-Path, and the source IP. The first two are trivial: any mail client or sending script lets the sender set an arbitrary From and Reply-To. The Return-Path is the SMTP envelope sender, set by the sending mail server, so an attacker who runs their own server controls it as well. The source IP is different: the receiving server records it from the actual network connection, and making a false one convincing is beyond most attackers. That is why receiving-side checks that tie the sending server to the From domain (SPF, DKIM and DMARC) are the practical defense against outright spoofing of a company's own domain.
Another method, used by less sophisticated cybercriminals, is a lookalike address that differs from the real one by a character or two; for instance, a real jane.doe@example.com might be imitated by jane.doe@examp1e.com (the digit 1 standing in for the letter l) or jane.doe@example.co.
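The two techniques above, header spoofing and lookalike addresses, can both be checked mechanically on the receiving side. The following Python script is an added example and is not code from the original article; it uses only the standard library, treats example.com as a hypothetical protected company domain, and runs on three constructed messages (invented names and addresses). It flags a Reply-To or Return-Path whose domain differs from the From domain, any of the three domains that is a lookalike of the protected domain (homoglyph substitution, a different top-level domain, or one character of edit distance), and a protected executive's display name used on an address the company does not own.

```python
"""Added example: header checks for spoofed and lookalike BEC mail.

Not code from the original article. The names, domains and messages
below are constructed for illustration; example.com stands in for the
company's own (protected) domain.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Character sequences that make a lookalike domain collapse onto the real one.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "5": "s"}

# Constructed list of executive names to protect against display-name impersonation.
PROTECTED_NAMES = {"jane doe"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if domain is not trusted but could be mistaken for it at a glance."""
    if not domain or domain == trusted:
        return False
    folded = domain
    for glyph, real in HOMOGLYPHS.items():
        folded = folded.replace(glyph, real)
    if folded == trusted:                                # examp1e.com, exarnple.com
        return True
    if domain.split(".")[0] == trusted.split(".")[0]:    # example.co, example.net
        return True
    return edit_distance(domain, trusted) <= 1           # exmple.com, examplle.com


def check_message(raw: str, trusted: str = "example.com") -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings: list[str] = []

    from_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    # A missing Reply-To or Return-Path defaults to the From domain and raises nothing.
    reply_dom = domain_of(msg.get("Reply-To") or msg.get("From", ""))
    return_dom = domain_of(msg.get("Return-Path") or msg.get("From", ""))

    for header, dom in (("From", from_dom), ("Reply-To", reply_dom), ("Return-Path", return_dom)):
        if is_lookalike(dom, trusted):
            findings.append(f"{header} domain {dom!r} is a lookalike of {trusted!r}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    if return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom!r} differs from From domain {from_dom!r}")
    # Display-name impersonation: a protected executive's name on an address we do not own.
    if from_dom != trusted and any(p in from_name.lower() for p in PROTECTED_NAMES):
        findings.append(f"display name {from_name!r} used on external domain {from_dom!r}")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: jane.doe@examp1e.com
Return-Path: <bounce@mail-relay.invalid>
Subject: Urgent

Are you at your desk? I need a wire sent before close of business.
"""

WEBMAIL = """\
From: Jane Doe <janedoe.ceo@webmail.invalid>
Subject: Request

Handling a confidential acquisition; our attorney will send the wire details.
"""

LEGIT = """\
From: Accounts <accounts@example.com>
Return-Path: <accounts@example.com>
Subject: Invoice

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("webmail", WEBMAIL), ("legit", LEGIT)):
        print(label, check_message(raw) or ["no findings"])
```

The spoofed message produces three findings (a lookalike Reply-To domain plus Reply-To and Return-Path that disagree with From), the free-webmail message produces one (the CEO's name on an external address), and the legitimate invoice produces none. A lookalike check is only as good as its list of protected domains and names, so in practice the list would also include key vendors' domains, and these header checks do nothing against the compromised-account variant described later, where the mail is genuine.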
The cybercriminal then sends an urgent email to the head of the finance department, pressuring the recipient to transfer funds immediately to a specified bank account or lose a significant deal.
2. Invoice Error in My Favor
There are two varieties of this ruse:
1. Email compromise:
Another mode of the BEC scammer is to take a legitimate invoice and modify it, a sort of Monopoly "bank error in your favor" attack. Here too, trust and deception are the foundation. The cybercriminal surveils the finance department of a company, then spearphishes a specific employee, typically in accounts payable, to harvest credentials and compromise the email account. They then watch the mailbox, intercepting any message that carries an invoice, change the payment instructions on the selected invoice, and let it be processed so that payment lands in an account they control. Because the mail comes from a genuine, compromised account, checks on sender headers will not catch it; only verifying any change to a vendor's payment details through an independent channel will.
2. Email spoof:
Another way of getting the illegitimate invoice in front of accounts payable is to use the same spoofing process as in CEO impersonation. In this method, an invoice apparently sent by a recognized vendor, chosen during the profiling phase, is received. The email address accompanying the invoice is so similar to the legitimate vendor's that it goes unnoticed. Accounts payable issues payment and the scam is complete.
3. CEO/Attorney Scam
This one is similar to the CEO impersonation scam. A cybercriminal identifies the CEO of an organization and sends an email, spoofed or from a compromised account, purporting to come from that CEO with particulars of a secret company acquisition or something similar involving the finance department. The email explains that an attorney will follow up with instructions on how the finance department is to proceed. The finance person receiving the email is co-opted into this essential and secret deal, which builds a special and trusted relationship. Finally, the finance representative receives a phone call or an email from the "attorney" with the details for the wire transfer, and uses them to transfer the funds and seal the deal.
The top BEC subject lines are the following key phrases:
- Request
- Follow-up
- Urgent/Important
- Are you available?/Are you at your desk?
- Payment Status
- Hello
- Purchase
- Invoice Due
- Re:
- Direct Deposit
- Expenses
- Payroll
The targets of the BEC threat range from large corporations to small businesses, according to the FBI. Victims also come from a variety of trades, with no one sector appearing to be a preferred target. BEC is a profitable crime because its targets are the people who control payments.
1. Spearphishing: an email or electronic communications scam targeted at a specific individual, organization, or business to steal data for malicious purposes; cybercriminals may also aim to install malware on the targeted user's computer.
2. Man-in-the-middle: derived from the man-in-the-middle attack, in which two parties believe they are talking to each other directly but in reality an attacker is listening in and possibly altering the communication.
3. Whaling: a form of phishing targeted specifically at high-profile business executives, managers, and the like, rather than at users in general.