A business email compromise (BEC) scam is a type of financial fraud that targets organizations, largely industry or enterprise organizations, in order to have money transferred or to gain access to sensitive data and/or funds. Like a highly targeted phishing email, a BEC attack makes a simple request but leads to significant financial damage. Recent industry reports suggest that business email compromise is one of the largest cyber threats affecting organizations of all sizes. However, academic investigations of BEC scams are limited. Given the nature of fraud, BEC activities are likely to be underreported, so there is limited structured data for quantitative analysis. This highlight paper provides an overview of BEC scams and offers a logical framework for collecting evidence. Key pieces of evidence include the suspect email addresses, linking information, the headers of the suspect email, and documentation of all references to the scam email.
Definition and Scope of BEC Scams
The U.S. Federal Bureau of Investigation reported that it received complaints about BEC scams from more than 40,000 individuals, business entities, and organizations in the U.S. and internationally within a period of nearly 5 years. Over that period, U.S. companies and organizations lost an estimated total of $2.3 billion to this fraud, despite a reported recovery of approximately $1 billion. The economic losses, linked to the transfer of funds to domestic and foreign banks, are likely to be much higher, as these statistics do not take into account complaints involving specific individuals or zero-loss complaints from the rest of the world.
The BEC scam, also known as CEO fraud, is a contemporary form of white-collar crime that specifically targets businesses and other enterprises. Although it is a non-technical social engineering attack, the losses attributed to BEC scams are particularly significant. Easily overlooked as mere instances of wire fraud, BEC attacks, as verified losses show, hit corporate and government offices hard, compromising atmospheres of trust and cooperation.
Common Tactics Used in BEC Scams
The most commonly seen situation involves a scammer impersonating an individual within the organization. An email purporting to come from a manager or superior requests that an administrative representative or subordinate carry out a task, and it is normally followed by an out-of-band communication instructing the subordinate to complete it. In responding to such messages and instructions, employees can unknowingly expose company data and proprietary security processes. Any time someone within the company gives instructions to do something on their behalf, confirming the request through a separate medium can protect the business. The request may well be legitimate. However, it is better to take the time to confirm its legitimacy than to risk recurring problems and the potential loss of private or proprietary data.
In order to better understand the adversary who might perpetrate a BEC scam, it is useful to know how a scam is conducted. The following is a discussion of some of the more common tactics used in conducting a BEC scam. It is important to remember that those who conduct BEC scams are thieves: the BEC scammer is simply trying to steal. He or she uses techniques designed to bypass all known security barriers and victimize business employees. Sometimes a BEC scammer is also involved in other, similar types of identity theft, using the same or very similar tools. In this respect, BEC scammers can be considered white-collar criminals conducting a special type of crime. These are not just any reported email scams; they are sophisticated attempts targeting multiple employees in a single business, as well as other businesses that have financial relationships with the targeted business. What follows is a description of some of the most common tactics used by a BEC scammer.
Spoofing and Impersonation
Several identity-based email authentication protocols have been standardized, with proven implementations. These conventions involve producing and signing cryptographic tokens of a claim based on the sender's stated identity, so that the claim cannot simply be asserted by anyone else at any time. By contrast, sending an email with a forged sender address is a simple process: the sender merely claims an identity, and the implementation is not particularly sophisticated. The requirements of the IETF indicate that some of the specifications found in the authentication standards need to be reframed to account for this full range of implementations.
Various methods can be employed to spoof an email address so that the email appears to come from a different mailbox than the one it was actually sent from. These methods allow additional signatures to be added to an email in order to better impersonate someone who is not responsible for sending the message. Such signatures enhance the apparent trustworthiness of the email, increasing the likelihood that the phishing scam succeeds while reducing the need for follow-up communication. Impersonation emails of this kind are common in business email compromise attacks: a fraudster forges the email address of an organization's CEO, induces someone in the victim organization to spend company funds on a gift card, and then uses the voucher to make a payment before cashing it out for money. The attacker is able to impersonate the company CEO by issuing commands quickly via email, reducing the likelihood that the victim will speak with their boss in person. A range of network protocols currently in use by businesses' email systems prioritize getting messages into the intended recipient's inbox over checking whether the message is legitimate or whether the sender has permission to claim the source field; as a result, these permissive protocols allow the attacker to send a message that looks exactly as if it came from a trusted source.
Indicators of a Potential BEC Scam
In the era of electronic payments, organizations that use electronic vendor payment systems are more susceptible to BEC threats than organizations that rely solely on paper checks to pay their invoices. If an attacker can compromise a vendor's email account, the attacker can send an email to a customer's accounts payable department directing the customer to pay the attacker's bank account instead of the legitimate vendor's bank account. Upon reviewing this email, the customer's accounts payable department performs the electronic payment. The scammed company now owes the legitimate vendor the amount of the invoice, having already paid the scammer the same amount. If the funds have not yet been fully withdrawn, time is of the essence: the financial institution must act fast to place a hold on the funds while it performs an investigation. If the funds have already been withdrawn, the loss simply becomes a one-off expense for the organization that suffered it. Although the victim can revisit the fraud with their credit union or bank, time is indeed of the essence. Criminals move quickly, and the longer they have access, the higher the price the victim may have to pay. The quicker the SAT is involved in taking the necessary steps to prevent and mitigate loss, the closer the organization is to limiting its exposure to this type of cyber-attack.
Business email compromise scams are a subset of email account compromise attacks that employ spear phishing for the dual purpose of identity theft and fraud, while often bypassing the anti-phishing and evasion-detection techniques used by the target's email infrastructure. While there are significant variations across BEC scams, fraud schemes typically fall into three main categories: the diversion of payroll payments, the diversion of vendor payments, and requests to obtain confidential employee information.
In recent years, business email compromise ("BEC") scams have become an increasingly common and costly form of fraud against businesses, and they frequently exploit companies' supply chains. Microsoft estimates that over 90% of targeted cyber-attacks begin with a spear phishing email designed to dupe the recipient into clicking a link, opening a document, or running a harmful piece of malware. Rather than employing malware and bypassing technical security defenses, BEC scammers use social engineering skills to entice company employees into voluntarily releasing confidential company financial information or personally identifiable information that can enable an attacker to access financial systems.
Urgency and Pressure Tactics
In some cases, such as the pretext of a company's CEO being incapacitated, out of the country, or otherwise unable to converse normally, there is little else that could feasibly be done to prevent a BEC attempt from succeeding. Time is key to the attack, and it is also the key to the attack's undoing: careful attention applied to identifying a suspect email can halt the attack and prevent valuable assets or highly confidential information from being stolen. It is at the crucial point where the fraudulent email is dissected that the attack fizzles out, so this is a key stage in our multistage approach. We will therefore develop an algorithm to identify whether an email is a BEC scam from the first stages of the scam's tactics.
A scam that conveys a sense of urgency and pressures someone to act, often without appropriate deliberation, is applying a pressure tactic. Scammers use this tactic to increase the chance of a payout or response. Most people fall prey to BEC scams because they are in a rush and simply do not read the email carefully enough to determine whether the request is legitimate. In addition, the stressful situation the scam creates can cause someone to act without thinking twice. Rushing the victim is characteristic of business email compromise (BEC): the method is used to hurry someone into making a transaction, ensuring they do not have time to be wary of the situation at hand or to ask a colleague for clarification.
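The spoofing, reply-to and authentication indicators described under "Spoofing and Impersonation", the vendor and CEO pretexts above, and the urgency tactic just discussed can be combined into a first-pass triage that also preserves the header evidence the abstract calls for. This is an added example, not code from the paper; the sample message, the trusted domain, the executive name, the urgency word list and the indicator thresholds are all constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample resembling the CEO-impersonation pretext described in the text.
SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
Subject: Urgent - confidential wire transfer needed today
Authentication-Results: mx.example-corp.com; spf=fail; dkim=none; dmarc=fail
Message-ID: <abc123@mail-example.net>

I am in a meeting and cannot take calls. Please wire the payment immediately.
"""

TRUSTED_DOMAINS = {"example-corp.com"}          # assumed: the organisation's real domains
EXECUTIVES = {"jane doe"}                       # assumed: names likely to be impersonated
URGENCY = ("urgent", "immediately", "asap", "today", "confidential", "cannot take calls", "wire")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse(raw):
    """Return the triggered BEC indicators plus the headers to preserve as evidence."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    auth = msg.get("Authentication-Results", "").lower()
    checks = {
        "lookalike_domain": from_dom not in TRUSTED_DOMAINS
            and any(edit_distance(from_dom, d) <= 2 for d in TRUSTED_DOMAINS),
        "executive_name_external_address": from_dom not in TRUSTED_DOMAINS
            and name.lower().split(",")[0].strip() in EXECUTIVES,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "authentication_failed": re.search(r"(spf|dkim|dmarc)=(fail|softfail|none)", auth) is not None,
        "urgency_pressure": sum(w in text for w in URGENCY) >= 2,   # two or more pressure cues
    }
    indicators = [k for k, hit in checks.items() if hit]
    evidence = {h: msg.get(h) for h in ("From", "Reply-To", "Return-Path", "Received", "Message-ID")}
    return {"indicators": indicators, "score": len(indicators), "evidence": evidence}
```

Feed `analyse()` the raw message source (with headers) rather than the rendered view, since the Reply-To, Message-ID and Received headers are exactly what a mail client hides.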
Preventative Measures and Best Practices
Businesses should control who has access to any user's email account. This is done by fingerprinting each device that has access to employee or company email; any new or unrecognized device should be denied access as a matter of policy. This technology helps prevent phishing scams, since the scam's success depends on the ability to access the victim's email account. It is essential that companies use state-of-the-art technology capable of detecting and preventing email spoofing, and that they ensure this technology is deployed correctly. While such technology is recommended, it is critical to state that it is by no means a silver bullet. Companies also need to have, and constantly reinforce, best practices that guide employees when authorizing payments of larger amounts. This includes, for example, requiring an authorized internal official, or a second and even a third authorized set of eyes, to confirm that the purpose of the requested transaction is entirely legitimate.
Training for workers is a critical component of prevention. However, resource constraints often limit large companies' investment in educating all employees about this kind of cybercrime. It is essential to acknowledge that business email compromise can and does happen to companies of all sizes and sectors, and it is critical to recognize the risks and establish best practices and measures to prevent these kinds of attacks, given the significant negative financial consequences business email compromise can have on an individual employee or their employer. This paper must stress, however, that to be effective, training and education must be tailored to specific sectors and must cover how these fraud attempts have been conducted and executed against similar businesses.
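The vendor-payment diversion described under "Indicators of a Potential BEC Scam", the out-of-band confirmation recommended under "Common Tactics", and the second and third set of eyes recommended above can be enforced as one payment-release control. This is an added example, not code from the paper; the vendor master record, the approval threshold, the number of required approvers and the callback numbers are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed vendor master record: the bank details and contact number already on file,
# captured before any invoice email arrives.
VENDOR_MASTER = {"ACME-001": {"iban": "GB00EXAMPLE0000000001", "callback": "+44 20 0000 0000"}}
DUAL_APPROVAL_THRESHOLD = 10_000   # assumed policy value, not from the paper
APPROVALS_REQUIRED = 2             # assumed: second set of eyes for large transfers

@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    beneficiary_iban: str
    requested_by: str
    approvals: set = field(default_factory=set)
    callback_verified: bool = False

def bank_details_changed(req):
    """True when the invoice asks for an account other than the one on the vendor record."""
    return req.beneficiary_iban != VENDOR_MASTER[req.vendor_id]["iban"]

def record_callback(req, number_dialled):
    """An out-of-band check counts only if made to the number already on file,
    never to a number supplied in the suspect email itself."""
    req.callback_verified = number_dialled == VENDOR_MASTER[req.vendor_id]["callback"]
    return req.callback_verified

def approve(req, approver):
    """Add an approval; the requester can never approve their own transfer."""
    if approver == req.requested_by:
        return False
    req.approvals.add(approver)
    return True

def can_release(req):
    """Release only when a changed account was verified out of band and the
    amount has the approvals the threshold demands."""
    if bank_details_changed(req) and not req.callback_verified:
        return False
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(req.approvals) < APPROVALS_REQUIRED:
        return False
    return True
```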
Employee Training and Awareness Programs
EDC, in particular, could benefit from increased supervision and training when slightly more subtle indicators of a fake email must be recognized. Although the recipients of real CEO emails might not know exactly whether such demands are plausible, higher-level employees such as CxO officers and finance staff should know about the procedures put in place specifically to avoid unintentional fraud. Executives do not normally request such unusual payments by email. Of course, BEC emails may contain information that is (partially) correct and seem very urgent, but even in this case employees should be instructed to first double-check whether any of these red flags are raised.
One way to stop BEC scams is to stop employees from making mistakes. Efforts should therefore be directed towards educating and training employees to be more vigilant when handling information and funds. Such training should cover what an email scam looks like, but also how sensitive information should be handled, which channels (if any) exist for requesting fund transfers, and which procedures are in place to verify the authenticity of (unusual) requests. Mere employee awareness of the possibility of email scams also helps mitigate the damage of such an attack. Research shows that implementing awareness programs does lead to a reduction in the number of successful attacks.
Response and Reporting Procedures
Given the intricate web of BEC, deepening our understanding of the human and technical components involved in unfolding a BEC scam may well be the best policy that can be implemented. Here are five highlights as to how organizations and infrastructures may engage in procedures to form, implement, and/or improve such an understanding.
Promote intracorporate dialog: Prominently positioning liaisons in each specialized organizational unit is a confirming step that touches on multiple areas affected by BEC. It enforces the concept of obligatory review by an additional, independent member of the organization who has less of a business interest in completing the transaction. Regular and meaningful communication between the organizational layer responsible for BEC screening, the functions that verify telephone numbers other than those listed and interpret domain registrations, HR procedures, and routine law enforcement contacts has yet to be formalized.
Enact common reporting procedures: A potentially powerful method for sharing BEC scam timing and action patterns is to increase the frequency and depth of publication of well-analyzed BEC cases. Even more effective would be combining BEC reporting protocols for businesses with ongoing communication analytics between overlapping organizational members. More powerful still than reports that merely recommend future investigations would be collaborative specifications of recommended corporate action.
Report BEC scams: There is no substantial way to learn how BEC scams work other than analysis of actual scams. Further research into the characteristics, timing, and ultimate paths of BEC can and will be of great strategic value to organizations and responders.
Develop organization BEC threat profiles: Every organization has evolving risks that intersect with BEC. Drawing on both internal reviews and external sources, internal monitoring procedures can model these circumstances in both moderate-risk and severe-risk cases. These models should evolve as conditions and technologies in BEC evolve.
Internal Reporting Protocols
A key component in detecting potential business email compromise fraud is having internal reporting protocols in place that enable both staff and management to report suspicious client instructions, unusual client requests, or any "red flags" they sense around a particular transaction or client. Reporting mechanisms should cover not just email scams but also more traditional scams, such as direct mail or telemarketing fraud, which have the potential to create additional losses for a firm or its clients. Furthermore, such mechanisms reassure staff that their employer is taking the issue seriously and is keen to gather intelligence to protect both the entity and its clients from becoming victims.
Having internal escalation and reporting protocols of this kind encourages staff to remain vigilant for indicia of fraud associated with such instructions. This creates an inclusive working environment that values staff contributions in identifying fraud earlier. Identifying fraud earlier generally puts a firm in a stronger position and provides more options to manage the risks and potentially reduce further losses to the entity or its clients.