Just when you thought it was safe to go back in the [email] water… Phishing gets serious. Of course, you should never let your guard down on phishing and spoofing, but there’s a bigger shark in the water now: one that impersonates important people within an organization. This newer type of scam is referred to as Business Email Compromise, or “BEC.” These emails use tactics similar to phishing but are much more targeted, directed at a specific individual or a small group of individuals. They prey on the fact that most people will not question a company executive or a vendor asking for changes to their systems.
Let’s put ourselves in the shoes of a scammer. Where do you want to spend your time when you’re working? You’ll likely say, “On things that will produce the best value for the effort.” Phishing a consumer might net a few hundred to a couple thousand dollars at a time. Why not look at a different target with much deeper pockets? In July 2018, the FBI released a report estimating that “between December 2016 and May 2018 there was a 136% increase in identified global exposed losses due to the [BEC] scam, to $12.53 billion. (‘Exposed losses’ includes both actual and attempted dollar losses.)”
There are several variations of BEC fraud to consider, but they all operate with similar tactics and targets:
Typically, an individual in a finance role will be the targeted victim. Why? They are likely authorized to conduct money transfers for the organization. The scam usually starts with a generic email trying to get a response from the intended target. It could be something as simple as, “Are you in the office today?” By responding, the target hands over all kinds of useful details about themselves and their organizational role. How? Through the email signature, which is commonly included in corporate emails and contains information such as phone number, proper title, and full name.
The second contact often comes with a request about an upcoming purchase or a potential bill that needs to be paid quickly, in secret, or with little supporting information from the requestor. The next contact could outline a secret deal to buy a company, or the purchase of goods and services from a new vendor. These messages will also usually arrive from an email address that resembles the impersonated individual’s, but not from their actual email address (e.g., from a Yahoo or Gmail account instead). Sending from an outside mailbox sidesteps authentication solutions such as SPF, DKIM, and DMARC on the business domain, because those checks only validate mail that claims to come from that domain; mail from a free webmail provider passes the provider’s own checks.
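Because SPF, DKIM, and DMARC do not help when the sender uses a legitimate outside mailbox, a mail gateway or SIEM rule has to look at the message content instead. The following added example (not code from the original article) flags the pattern the text describes: a From display name that matches a known executive while the address is not that executive’s, a free webmail sender domain, and a Reply-To that differs from From. The executive directory, the free-mail list and the two sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of people a scammer might impersonate (assumed values).
EXECUTIVES = {"Jane Doe": "jane.doe@example.com", "John Roe": "john.roe@example.com"}
# Free webmail domains like those the text names; mail from them passes SPF/DKIM
# for that provider, so domain authentication alone will not flag it.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}

def normalize(name: str) -> str:
    """Collapse case and whitespace so 'jane  DOE' equals 'Jane Doe'."""
    return " ".join(name.lower().split())

def check_bec_indicators(raw: str) -> list:
    """Return indicator strings for one raw RFC 5322 message; [] means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    known = {normalize(n): a for n, a in EXECUTIVES.items()}
    expected = known.get(normalize(from_name))
    if expected and from_addr != expected:
        findings.append(f"display name '{from_name}' matches an executive "
                        f"but the address is {from_addr}, not {expected}")
    if from_domain in FREEMAIL:
        findings.append(f"sender domain {from_domain} is a free webmail provider")
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    return findings

# Constructed sample messages (not real traffic).
SUSPECT = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: ceo.private@yahoo.com
To: accounts@example.com
Subject: Are you in the office today?

Quick favour, keep this between us for now.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

Attached as discussed.
"""

if __name__ == "__main__":
    print(check_bec_indicators(SUSPECT), check_bec_indicators(LEGIT))
```

Such a rule is a trigger for review, not a verdict: the finance team still confirms any payment request through a known phone number rather than by replying to the message.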
To make these scams more believable, multiple touchpoints will now be used: the impersonator calling with questions about specific details of the email, additional emails from the requestor asking whether the target has talked to the accountants, and possibly supporting documents that appear to verify this type of activity. Those documents could also carry malware to gain direct access to the victim’s computer.
Remember: all of these tactics focus on urgency and secrecy. The extra touchpoints and contacts are added only to reinforce the sense that the matter is urgent, and to confuse or fluster the target into completing the transfers.
Start by recognizing the tactics used in a BEC. If you can see through the scam, you are already ahead of the game. Consider adding internal roadblocks to deal with BEC type situations.
Setting policies, and enforcing them at all levels, that prevent any one person from making or authorizing a transfer of a large sum of money can help prevent these scams and reduce your risk. Educating finance staff and having a plan in place for all transfers from your organization, starting from the top down, can help identify and stop these attacks.
Ultimately, build in safeguards to protect against Human 1.0, a piece of software that is not easily patched and is hard-wired to be helpful and empathetic towards others. Your business may depend on it.