Business Email Compromise is the danger lurking in your inbox
Do you suffer from arachnophobia? It’s easy to see why those creepy-crawly little guys can strike fear into the hearts of many.
What if we told you there is a threat creeping into your inboxes that should scare business owners as much as spiders?
Officially it’s called CEO Fraud or Business Email Compromise (BEC). At 360 Smart Networks, we have decided to give it the more descriptive name “Deadly Flying Spiders” or DFS. It seems BEC doesn’t inspire the required level of fear and attention, but it certainly should.
DFS can and will attack anyone.
If you move money from one point to another, whether buying, selling or giving, you are being stalked by DFS.
The annoying part is that unlike DFS, BEC is completely avoidable and should almost never be an issue.
So how does BEC work?
The scam is a type of theft by deception. BEC criminals compromise business e-mail accounts to manipulate victims into transferring funds. The attacker gains access to an individual’s email and monitors their actions. They read the emails, study the calendar, and use the information they find in a social engineering attack. Anyone is a target, but those working with accounts receivable or payable are the most likely victims.
After getting an understanding of how money moves from one point to another, they try to insert themselves into the transaction. They will try submitting a fake invoice or asking for payment on a real invoice. They will try to create a sense of urgency for a payment based on your schedule (at the end of your work week), or when they think you won’t be able to respond (on vacation, etc.). Money is paid via wire as requested and disappears into a web of international transfers.
Here are some examples of BEC methods:
- An attacker searches for real estate agents in the Atlanta area and finds one with a Yahoo account.
- Thanks to the 2014 Yahoo hack, the attacker is able to find the real estate agent’s login credentials. The offender can access the account because the realtor never changed their password.
- Next, they read emails for weeks and identify a house on the market with an interested buyer. They get the contact and personal details for everyone on an email chain about the listing including the buyer and seller.
- On Friday afternoon (closing is on Monday) they send the seller an urgent request to wire the down payment. The account information is listed in an email attachment. It looks legitimate, but it has a different account number.
- Buyer wires funds quickly and goes away for the weekend as planned (and mentioned to the realtor in an email).
- Monday morning comes and around the closing table, the buyer is asked to transfer funds….
- User falls for a fake email from “Microsoft” and logs into a fake Office 365 account, thereby giving the attacker access to their email account.
- In the user’s account, they find a recent invoice from a vendor. They create an email address like the vendor’s.
- They send the victim a threatening email saying that he has to pay right away or all services will be stopped immediately. His calendar entries show that he is on vacation so they send him the urgent email while he is on the beach.
- Victim calls his bank and pays the invoice via wire transfer.
- Money is gone.
At 360, we take a lot of time and energy to make sure our clients’ email systems are secure, but in each case that we’ve seen the breach was in the weakest spot. Why go through the effort of getting into a protected professional email if you can get into the compromised Yahoo account? All you need is to be a silent participant in the chain. You don’t have to have access to the root sender.
There are a variety of tactics used in BEC. Criminals create fake domains and leverage the victim’s digital footprint for personal information.
As usual, many of the perpetrators are overseas in jurisdictions where they are difficult to find. They can be individuals or organized criminal gangs.
What is the best way to fight this type of fraud?
If these were actual flying spiders, the solution would be interesting. But the answer is simple.
Two words – accounting controls.
Most IT firms will suggest you harden your email system, which should be a default, but remember the attack doesn’t need to be inside your system. It only has to be somewhere in the chain.
So try to incorporate as many of the following points into your payment policy:
1. Verify payment details independently for any new vendor, or any change to an existing vendor.
2. Don’t call the number on the invoice or email – verify the contact details online and verbally verify the change with a trusted party.
3. Assess the email address on the emailed request – pay attention to the details of the name and look for small variations.
4. Pay attention to timing. Remember that access to emails usually means access to calendars. Handle any urgent requests with caution. We see spikes just before major public holidays.
5. Listen to your gut – if it doesn’t feel right, flag and follow up.
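Point 3 can be partly automated. The sketch below is an added example, not a 360 Smart Networks tool: it compares the sender address on a payment request against a list of vendor addresses you have already verified, and flags near-misses. The vendor addresses, the substitution table and the distance threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list of vendor addresses already verified out of band.
KNOWN_VENDORS = {"billing@acme-supplies.example", "ar@northwind-freight.example"}

# Common visual substitutions folded to one form before comparing (assumed table).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(text: str) -> str:
    """Lower-case the text and fold look-alike character sequences together."""
    text = text.lower()
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, known=KNOWN_VENDORS, max_distance: int = 2):
    """Return (verdict, closest_known_address) for a From: header value."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr or "@" not in addr:
        return ("unparseable", None)
    if addr in known:
        return ("known", addr)
    for good in sorted(known):
        # Same skeleton or a few edits away from a real vendor: small variation.
        if skeleton(addr) == skeleton(good) or edit_distance(addr, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)
```

A "known" verdict only means the address matches; in the first scenario above the request comes from the real, compromised account, so the independent verification in points 1 and 2 still applies.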