The FBI has released a public service announcement regarding the ever-present threat of Business Email Compromise (BEC). This comes hot on the heels of an earlier release from the Las Vegas FBI department in April. Losses continue to mount, and we’re currently facing a scam racking up domestic and international losses of $43 billion.
What is Business Email Compromise?
BEC attacks, also known as CEO/CFO fraud, is financial in nature and targets organisations of all sizes The basic game plan is to pretend to be someone at executive level, and then convince an employee to help them wire funds outside of the company. Loss numbers are frequently significant, and it’s a very appealing tactic for scammers looking to get rich quick.
As the FBI points out, the goal is not always a direct fund transfer:
One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.
With any foothold gained inside the organisation, BEC attempts which run into frustration can potentially pivot into other areas of attack as we’ll mention later. With so many avenues of approach, it’s no wonder BEC attracts the attention of law enforcement at the highest levels.
The FBI BEC numbers game
- $43 billion vanished between June 2016 and December 2021. There were 241,206 domestic and international incidents between those two dates.
- The FBI observed a 65% increase in losses suffered between July 2019 and December 2021, which feels like a significant ramp-up.
- The overwhelming number of organisations filing victim complaints to the IC3 between October 2013 and December 2021 were based in the US.
The report goes into more detail, but the short version is that US organisations are suffering quite a bit from this type of attack. It’s possible that BEC still isn’t as well known as it should be. It’s also possible that the pandemic has contributed to a lack of funds for appropriate security measures and training for employees. Whatever the reason, we’ve definitely reached the part where alarm bells are ringing loud and clear.
The rise of cryptocurrency in BEC fraud
As with so many forms of online criminal activity, law enforcement is noticing an increase in cryptocurrency use. This area of concern is particularly fascinating, first identified in BEC attacks in 2018 and continuing to build through to 2021 with just over $40m in exposed losses. This will almost certainly continue to increase. No BEC fraudster will turn down the chance of fast transactions easily made online with a degree of anonymity attached to the process. Here’s what the FBI has to say about some of the cryptocurrency tactics deployed:
The IC3 tracked two iterations of the BEC scam where cryptocurrency was utilized by criminals. A direct transfer to a cryptocurrency exchange (CE) or a “second hop” transfer to a CE. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.
6 tips to avoid BEC scams
- Your business should have an approved method for money transfers and anything of a financial nature. If cash goes out of the organisation in any way, it has to stick to the process. Deviating under any circumstance is a tiny gap in your armour that could prove fatal. “We only did it one time” often results in “We just lost a terrifying amount of money somehow”. Urgent same-day requests for wire transfers? Head straight to the page which hopefully insists upon no urgent same-day wire transfer requests ever.
- Some form of authentication to confirm your CEO/CFO is pulling the money-lever for real should be in place. Phone conversations are great for this. Any accounts tied to exec level should also have some form of Multi-Factor Authentication (MFA) attached to it whether or not there’s financial activity involved. Email accounts? Internal logins? Anything at all? App-based authentication or a physical hardware token is the way to go. Sometimes attackers aren’t just spoofing real emails, they’re compromising them to send money requests too. Authentication will go a long way to ward this threat off.
- You can’t realistically hide who your executives are from the world at large. One way or another, they’re going to be on an “About Us” page. Limit the amount of data exposure. Consider placing generic “catch-all” email addresses on the contact page. It doesn’t have to be their actual, personal email address. Don’t tell everyone on social media that the CEO is on vacation for a week, or even just travelling. When people targeted by BEC scams are potentially hard to get hold of, BEC fraudsters will likely strike.
- Email security plays a big part in cutting these attacks off at source. Deactivate accounts belonging to former employees, especially if they were part of the exec team: Malicious activity is a feature of old, abandoned addresses. Rules for suspicious looking emails coming into the organisation and also being sent around internally should be made use of. Any form of digital authentication/digital signatures to verify the sender will also help. Prominent “external sender” flags on mails are very handy tools to cut down on mail imitation.
- If the BEC tactics aren’t working, the attacker could decide to switch to malware instead. Emails from random addresses containing attachments such as fake invoices should be quarantined, especially when mail security tools detect potential keywords or phrases related to BEC indicators. Boobytrapped Excel sheets, for example, are one of the mainstays of ransomware compromise. Don’t dodge the BEC bullet only to be taken down by file encryption on a massive scale instead.
- Tell employees that it’s totally fine to question requests for payment or money transfer, especially if totally out of the blue. Even more so if it’s not something they’d have any involvement in. Why is the CEO asking someone in building maintenance to help them wire $30,000 through Hong Kong at 3 in the morning?
The challenge of BEC compromise
This is clearly a tricky problem to get to grips with, or else the FBI wouldn’t be publishing multiple alerts and public service announcements about it. The ever-increasing losses speak for themselves. The slowly growing relevance of cryptocurrency to BEC attacks paints a stark picture of where this tactic is headed. Try to implement as many of the tips above as possible.
Most importantly, don’t be pressured into sending money without doing some additional digging first. It may well prove to be one of the smartest work decisions you’ll ever make.