Social media platforms may have taken over as the most common mode of communication, but email continues to be the preferred tool for business communication. Research conducted by The Radicati Group, a technology market research firm, predicts this love affair with email will result in explosive growth reaching 319.6 billion emails received and sent daily by 2021. It’s no wonder the piercing eyes of cybercriminals have fixated on ways to compromise one of the essential business communication tools.
What is Business Email Compromise (BEC)?
Spearphishing (1) on steroids is how law enforcement officials like to think of BEC. Sometimes called man-in-the-middle (2) attack or whaling (3), its purpose is to deceive an organization’s personnel, primarily accounts payable, into handing over vast sums of money.
Between October 2013 and December 2016, the FBI discovered that over $5.3 billion was lost to BEC scams globally.
How Does Business Email Compromise Work?
Like most successful cyberattacks, BEC is a multi-component stealth exercise that takes advantage of a blend of technology and the human factor.
BEC can be broken down into four distinct phases:
1. Profiling
BEC fraud starts with surveillance of the targeted company. BEC only works if the cybercriminal understands how the target thinks, so this intelligence is what lets them clear the trust barrier. Gathering it usually includes spearphishing to gain access to a system, harvest credentials, or install malware. That access is then used to extract further information and to gain unauthorized access to executive schedules and calendars, which lets the cybercriminal construct a profile of the victim, frequently a high-level executive in the organization.
Cybercriminals do their homework to acquire a variety of information. When targeting a victim, they will research the following:
- general information regarding the organization (for instance, where it does business and with whom).
- management organizational structure, including titles and names of company officers.
- information about new rounds of funding.
- data about new services, products, and patents.
- geographic or product expansion plans.
- executive travel plans.
2. Playing-with-You
The information acquired when profiling the organization offers the cybercriminal an understanding of the hierarchy of the organization. They pick one or more targets, typically an individual in the company’s financial structure, most commonly accounts payable, trusted with payment decisions. The cybercriminal may develop a relationship with the targeted person using emails or phone calls over several weeks to foster trust between the cybercriminal and the targeted person.
3. Going-In-for-the-Kill
Once the cybercriminal has established trust, they will send the killer email requesting a wire transfer of funds because a wire transaction cannot be reversed. At this point, the targeted individual has built a relationship, trusts the person they think they are dealing with, and sends the wire transfer, not suspecting what is happening.
4. Cash-In-and-Run
The victim transfers the cash to the cybercriminal’s account. The victim may not even know a crime was committed until a company audit.
Business Email Compromise Comes in a Variety Of Themes
BEC scams tend to follow a theme. The three most common types include:
1. CEO Impersonation
This type of BEC crime relies on mimicry, close surveillance, trust, and deception. The cybercriminal has obtained the CEO’s or other executives’ email addresses through profiling and then sends a spoofed email that appears to come from the executive’s address.
How do they do it?
Cybercriminals can alter different parts of an email to disguise the actual sender. Some craft spoofed emails by hand, but the vast majority are produced with special software. With such software they can alter the From line, the Reply-To line, the Return-Path, and the source IP. The first three are easy to change through the settings of Microsoft Outlook, Gmail, Hotmail, or other email software; altering the fourth, the IP address, requires considerably more expertise to make the false address convincing.
A less sophisticated method is to send from an address that closely resembles the real one: chloe.matthews@mycompany.net could easily become chloe.mathews@myycompany.net.
The cybercriminal then directs an urgent email to the head of the finance department. The email will put the individual under pressure to transfer funds immediately to a given bank account or lose a significant deal.
2. Invoice Error in My Favor
There are two varieties of this ruse:
1. Email compromise:
Another mode of the BEC scammer is to take a legitimate invoice and modify it, a Monopoly-style “bank error in my favor” attack. Here too the cybercriminal uses trust and deception as the foundation. They surveil the company’s finance department before phishing a specific employee, typically in accounts payable. The spearphishing email lets them harvest credentials and compromise that email account. They then watch the mailbox, intercepting any message containing an invoice, change the payment instructions on a chosen invoice, and let it be processed so the payment lands in their own bank account.
2. Email spoof:
Another way of getting the illegitimate invoice in front of accounts payable is to use the same spoofing process as in CEO impersonation. Here the company receives an invoice that appears to come from a recognized vendor chosen during the profiling phase. The email address accompanying the invoice is so similar to the legitimate vendor’s that it goes unnoticed. Accounts Payable issues payment, and the scam is complete.
3. CEO/Attorney Scam
This one is similar to the CEO impersonation scam. A cybercriminal identifies the CEO of an organization and sends out a spoofed or compromised email from that CEO with particulars of a secret company acquisition or something related to the finance department. The email explains that an attorney will follow up with orders on how the finance department will proceed. The finance person receiving the email is co-opted into this essential and secret deal by building a special and trusted relationship. Finally, the financial representative receives a phone call or an email from the attorney with the details for the wire transfer. They then use these specifics to transfer the funds and seal the deal.
The top BEC subject lines are the following key phrases:
- Request
- Follow-up
- Urgent/Important
- Are you available?/Are you at your desk?
- Payment Status
- Hello
- Purchase
- Invoice Due
- Re:
- Direct Deposit
- Expenses
- Payroll
The targets of the BEC threat range from large corporations to small businesses, according to the FBI. Victims also belong to various trades, with no one sector appearing to be a preferred target. BEC is a profitable crime because of the financial nature of the targets.
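The spoofing techniques described above (altered From, Reply-To and Return-Path lines, look-alike sender domains) and the subject-line phrases listed above can all be turned into simple mailbox-side detection heuristics. The following Python script is an added example written for this page, not code from the article or any product it mentions. It assumes a small set of trusted domains and a directory of known executives (both constructed here; a real deployment would maintain its own), uses the standard library `email` parser, and treats a sender domain within edit distance 2 of a trusted domain as a look-alike. The two sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed configuration: the domains this organization trusts and the
# display names of people whose address domain is known (assumption).
TRUSTED_DOMAINS = {"mycompany.net", "knownvendor.com"}
KNOWN_SENDERS = {"chloe matthews": "mycompany.net"}

# Subject phrases taken from the article's list of top BEC subject lines.
BEC_SUBJECT_PHRASES = [
    "request", "follow-up", "urgent", "important", "are you available",
    "are you at your desk", "payment status", "hello", "purchase",
    "invoice due", "re:", "direct deposit", "expenses", "payroll",
]


def edit_distance(a, b):
    """Levenshtein distance using the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-case domain part of a header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Trusted domain that `domain` imitates, or None if exact or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if 0 < edit_distance(domain, t) <= max_distance:
            return t
    return None


def analyze(raw):
    """Return a list of BEC indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    name, _ = parseaddr(msg.get("From") or "")
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))

    # Reply-To or Return-Path pointing somewhere other than the From domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"return-path-mismatch:{from_dom}->{return_dom}")

    # A known person's display name paired with an unexpected domain.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and from_dom != expected:
        findings.append(f"display-name-impersonation:{name}@{from_dom}")

    # Typosquatted versions of trusted domains in From or Reply-To.
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        target = lookalike_of(dom) if dom else None
        if target:
            findings.append(f"lookalike-{label}:{dom}~{target}")

    # Urgency and payment phrases from the article's subject-line list.
    subject = (msg.get("Subject") or "").lower()
    hits = [p for p in BEC_SUBJECT_PHRASES if p in subject]
    if hits:
        findings.append("subject-phrases:" + ",".join(hits))
    return findings


# Constructed sample messages; the look-alike domain is the article's own example.
SAMPLE_SPOOF = """From: Chloe Matthews <chloe.mathews@myycompany.net>
Reply-To: Chloe Matthews <payments@mail-relay.example>
Return-Path: <bounce@mail-relay.example>
Subject: Urgent: payment status - are you at your desk?
To: ap@mycompany.net

Please wire the attached invoice today.
"""

SAMPLE_LEGIT = """From: Chloe Matthews <chloe.matthews@mycompany.net>
Subject: Lunch on Friday?
To: ap@mycompany.net

Any preference?
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

The phrase list is deliberately noisy (words such as "hello" or "request" appear in plenty of legitimate mail), so these indicators are best used to raise a score or route a message for review rather than to block outright; the header mismatches and the look-alike domain are the stronger signals.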
(1) Spearphishing: an email or electronic communications scam targeted towards a specific individual, organization, or business to steal data for malicious purposes; cybercriminals may also plan to install malware on a targeted user’s computer.
(2) Man-in-the-middle: derived from the man-in-the-middle attack where two parties believe they are talking to each other directly, but in reality, an attacker is listening in and possibly altering the communication.
(3) Whaling: a specific form of phishing (the attacker sends an email purporting to be from a valid financial or eCommerce provider) targeted at high-profile business executives, managers, and the like.