
Be aware of CEO-Fraud

Wim Baeyens
Finance Officer, EASI

E-mails are a great way to communicate in our increasingly digital world. Nevertheless, vigilance is advisable when you communicate through screens instead of face-to-face: you might be dealing with someone other than who you think!

Criminals are becoming more and more adept at setting up e-mail scams, and those scams are growing more sophisticated. One of these cons is called “Business E-mail Compromise” (BEC); it aims to trick executives and their staff into wiring money to fraudsters.

This kind of attack is a subset of phishing and is known by various names: CEO-fraud, spoofing, social engineering, social hacking, whaling, etc. They all have one thing in common: they are based on temporarily assuming a false identity. This growing threat to businesses is like a real-life Trojan Horse.

The amounts lost through these practices are not well documented, as such events are often kept quiet in the interest of the investigation or to avoid reputational damage. Nevertheless, the Federal Bureau of Investigation (FBI) estimated the international cost at over 2 billion euros over the past 3 years. It also reports that BEC has been seen in at least 79 countries and that the majority of the fraudulent transfers appear to go to banks in China and Hong Kong. A close example for us is the Belgian bank Crelan, which became a victim in early 2016 (reported loss of 70 million euros).

Technique / How does BEC work?

The thieves like to outsmart employees and set up a situation in which they successfully masquerade as someone else by falsifying e-mails. They intercept e-mail traffic and study the company structure to identify high-level executives, accountants, bookkeepers, etc. To collect this information, they use public sources, social media, financial statements (annual accounts), etc.

They try to obtain the e-mail address of one employee in order to construct look-alike addresses for people with managerial titles. Lazy scammers even open a free Hotmail or Gmail account under the executive’s name and start their bluff by claiming they are using a private mail address because it has to go fast. In fact, relatively little technical knowledge or expertise is needed, which makes this accessible to entry-level scammers. Moreover, the fake e-mail usually contains no malware, so it passes through the spam filter and sidesteps basic security controls.

They pose as a high-level executive to manipulate the chosen targets. The false identities come in different forms: the (Vice) Chairman, CEO or CFO, a senior director, a major shareholder, etc., but fake bank employees, lawyers, auditors, etc. have also been reported.
The e-mails can feature a corporate logo, easily picked from the corporate website, or say ‘Sent from a mobile device’ to justify the lack of a company signature or the rather ‘unusual’ writing style.

The content of the e-mail can vary (an unexpected deficit in a subsidiary, an acquisition, a blitz take-over, a tax audit, etc.), but there is always an explicit demand to wire money quickly and discreetly. The bank account number mentioned is often foreign, or one in a tax haven that firmly conceals the identity of the account holder.

The requests are usually marked “urgent” and are characterized by a high level of confidentiality, aiming to persuade employees who do not realize they are about to grant unauthorized access to corporate money.
To top it off, these attacks often take place on a Friday or the day before a long weekend in order to shorten the time in which an alarm can be raised. Recovery of wired money is impossible; the money disappears right away.

This con is used against both small businesses and large organizations, but it can be stated that the more intermediate management levels there are, the higher the vulnerability, as mutual contacts become less personal. In fact, the scam relies on the hope that the distance between the finance employee and the CEO is so large that the integrity of the mail is not checked and the payment goes through without a problem. After all, who likes to disappoint the big boss, right? At EASI, that distance is by no means too large; quite the contrary!

Red flags

A few warning signs should help you recognize that something might be wrong:

  • Unusual transactions in terms of amount, reason, circumstances, … especially if it’s not related to your job responsibilities
  • A secret/stealth character, the use of a secret code, the use of private e-mail address or cell phone, etc.
  • You don’t know the sender personally and they were not vouched for by someone you trust
  • The received e-mail was sent at an unusual time (instead of during regular business hours) or to an unusual, seemingly random mix of people
  • An urgent need of cash
  • Unusual pressure to obtain sensitive information or make a payment from a high-level executive
  • Transactions to foreign bank accounts
  • Transfer of cash on a Friday or the day before a public holiday (to remain under the radar of critical bank employees)
  • Changes in the payment information of regular suppliers
  • E-mails with an embedded hyperlink or attachment from someone you don’t usually communicate with

Overall, follow your intuition. You should not have an uncomfortable gut feeling about the sender’s request. Learn which countermeasures help to protect against this scam in my second blog post.
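The red flags above, together with the tricks described in the technique section (an executive’s name on a free webmail account, the ‘sent from a mobile device’ excuse, an urgent and confidential payment request, Friday or out-of-hours timing), can be turned into an automated triage check. The following is an added example, not code from the original post or from EASI; the company name, the executive directory, the address and the sample mail are all constructed for illustration.

```python
import email
from email.utils import parseaddr, parsedate_to_datetime

# Constructed directory of legitimate executive mailboxes (hypothetical names and domain).
KNOWN_EXECUTIVES = {"jan de ceo": "jan.deceo@example-corp.com"}
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
URGENCY_WORDS = ("urgent", "confidential", "discreet", "quickly", "asap", "secret")
PAYMENT_WORDS = ("wire", "transfer", "iban", "payment", "bank account")

def bec_red_flags(raw_message: str) -> list[str]:
    """Return the red flags a mail triggers; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    flags = []
    # An executive's name shown on a mailbox that is not that executive's known address
    expected = KNOWN_EXECUTIVES.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        flags.append("executive display name on an unexpected address")
    if domain in FREE_MAIL_DOMAINS:
        flags.append("sent from a free webmail domain")
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        flags.append("urgent or confidential payment request")
    if "sent from my" in text or "mobile device" in text:
        flags.append("mobile-device excuse for the missing signature")
    try:  # Friday or out-of-hours timing shortens the window in which someone can object
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() == 4 or not 8 <= sent.hour < 18:
            flags.append("sent on a Friday or outside business hours")
    except (TypeError, ValueError):
        flags.append("missing or unparsable Date header")
    return flags

# Constructed sample of a CEO-fraud mail; every line is fictional.
SAMPLE = """\
From: Jan De Ceo <jan.deceo1@gmail.com>
To: accounting@example-corp.com
Subject: Urgent and confidential wire transfer
Date: Fri, 03 Jun 2016 17:42:00 +0200

Please process this payment quickly and discreetly, I will explain on Monday.
Sent from my mobile device
"""

if __name__ == "__main__":
    for flag in bec_red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

A hit on any single flag is not proof of fraud; the point is that several firing together on a payment request is the cue to pick up the phone and verify with the executive through a known number.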
