Understanding the Business Email Compromise (BEC) Threat

By Adrien Genre, Chief Operating Officer, VadeSecure

Business Email Compromise (BEC) is a serious matter. This email-borne attack is a far more sophisticated descendant of the age-old “Nigerian Prince” scam. BEC targets businesses that regularly make wire transfer payments to foreign entities. The attacker typically gets in through phishing; the FBI describes the technique as “compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

BEC is on the rise. Reported attacks have increased 1,300% since January 2015, with complaints reaching law enforcement from 79 countries and all 50 US states. According to CNBC, law enforcement agencies have dealt with over 17,000 victims who have collectively lost more than $2.3 billion to BEC attacks. The majority of victims are in the US, and most of the fraudulent transfers are laundered through banks in China.

Mattel’s $3 Million BEC Loss

BEC victims include well-known names such as Seagate and Snapchat. Another household name that suffered a successful BEC attack is Mattel, the maker of Barbie and Hot Wheels. SC Magazine reported that Mattel lost $3 million in 2015 in what it called a “CEO fraud phishing scam,” another term for Business Email Compromise. As is typical of a BEC attack, a Mattel finance executive wired $3 million to a bank in Wenzhou, China, believing he was paying a foreign supplier. A company like Mattel makes a great many legitimate transfers to banks in China, so even with accounting controls in place it is easy to see how a financial staffer could be persuaded that one more wire abroad was routine. Mattel was fortunate: with the help of law enforcement it recovered the money.

In attacks like the one at Mattel, the attacker impersonates a senior executive. Here is how it might happen. Let’s say you work at Acme and your CEO is named John Doe. You get an urgent email from JohnD@acme.co demanding that you drop everything and pay for an urgent order from China. He tells you to check with accounting (providing a link to accounting@acme.co in his message), who will supply the wire details. Spurred into action, you fire off an email to accounting without noticing that you are writing to accounting@acme.co rather than accounting@acme.com, the company’s real domain. “Accounting” gets right back to you, telling you to wire the money to Wenzhou Industries, a supplier you are familiar with, at www.vvenzhouindustries.com. Again, you are too busy to notice that the “W” in Wenzhou has been replaced by two Vs, which at a glance look identical. After all, you want to please your CEO. Note that the attacker never had to break into anyone’s mailbox here: both lookalike domains are ones the attacker registered and controls, so the messages pass every authentication check that the real acme.com would, which is exactly why the trick works.

How does the attacker know about your suppliers? How does he or she know your CEO’s name and email address? Through social engineering and research, especially of social media and public company information, attackers learn enough about your organization to craft credible emails that appear to come from coworkers and suppliers.

Business Email Compromise: the Pain of Disclosure

When Ubiquiti Networks (NASDAQ: UBNT) lost almost $46.7 million to cyber thieves, the publicly traded company was compelled to disclose the matter in a Form 8-K filing with the SEC. The filing stated, “On June 5, 2015, the Company determined that it had been the victim of a criminal fraud. The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.” Though Ubiquiti has since recovered about $8 million, the incident and the disclosure were embarrassing, especially for a company in the networking business.

Insurance Coverage for Business Email Compromise

In a nasty surprise for companies that fall prey to BEC, it turns out that insurance policies may not cover the loss. Ameriforge Group, a Houston-based manufacturer, had to take Chubb Group to court after the insurer denied a BEC-related claim. Ameriforge was scammed out of $480,000 by a phishing attack that impersonated the company’s CEO. Chubb’s position was that the company’s cybersecurity policy did not cover BEC, since the transfer was made voluntarily by an employee rather than through a computer intrusion.

Pivotal Software: BEC and W-2 Phishing

Business Email Compromise doesn’t always involve a wire transfer. Thieves can also steal sensitive or valuable data, as Pivotal Software learned. SC Magazine revealed that Pivotal informed the California Department of Justice of a breach of employee personal and tax data through a W-2 phishing scam. In this attack, a Pivotal employee was tricked by an email that appeared to come from the company’s CEO and requested W-2 information. The employee sent names, addresses, Social Security numbers and other tax data to an unauthorized third party.

How Does Spear Phishing Enable Business Email Compromise?

Phishing is the delivery vehicle for BEC. Industry research holds that 30% of phishing emails are opened by their targets, and 12% of recipients go on to click the attachment or link inside. Given the scale of the BEC threat, phishing, and its more targeted variant spear phishing, is among the most serious email security threats of this era.

With spear phishing, the attacker personalizes the attack by impersonating someone known to the target. The challenge in defending against these attacks is that most traditional email filters cannot detect a well-executed one. Spam filters are configured to look for known malware signatures and suspicious key phrases like “You’ve WON a free cruise.” A short, plain-text message such as “please process this wire transfer request,” with no attachment and no malicious link, carries none of those signals and passes straight through.
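The Acme scenario above and the filter-evasion point just made both come down to the same observation: the message body is clean, so the tell-tale signs are in the sender identity, the reply path and the domains the message points to. The following Python script, an added example that is not part of the original article or of any vendor product, shows what such header- and domain-level checks look like. The trusted domains, the executive directory, the homoglyph table and the three sample messages are all constructed for this illustration.

```python
"""Heuristic BEC checks on raw RFC 822 messages (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own domain plus a known supplier's domain.
TRUSTED_DOMAINS = {"acme.com", "wenzhouindustries.com"}
# Assumption: display names of executives mapped to their real addresses.
EXECUTIVES = {"john doe": "johnd@acme.com"}
# Character pairs that look alike in common fonts; each maps to the letter imitated.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

HOST_RE = r"(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,})"
EMAIL_RE = r"[a-z0-9._%+-]+@([a-z0-9.-]+\.[a-z]{2,})"


def normalize(domain):
    """Collapse look-alike character pairs so 'vvenzhou' compares equal to 'wenzhou'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typos such as acme.co vs acme.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    d = host.lower()
    if d.startswith("www."):
        d = d[4:]
    if d in trusted:
        return None
    nd = normalize(d)
    for t in trusted:
        if nd == t:                                    # homoglyph swap
            return t
        if nd.split(".")[0] == t.split(".")[0]:        # same name, different suffix (.co vs .com)
            return t
        if edit_distance(nd, t) <= 1:                  # single-character typo
            return t
    return None


def analyze(raw_message):
    """Return a list of (code, detail) findings for one message; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]

    # 1. An executive's display name on an address that is not the executive's.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr != real:
        findings.append(("exec-name-mismatch", f"'{from_name}' expected at {real}, got {from_addr}"))

    # 2. The sending domain imitates one we trust.
    t = lookalike_of(from_domain)
    if t:
        findings.append(("lookalike-from-domain", f"{from_domain} imitates {t}"))

    # 3. Replies are redirected somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.lower()
    if reply_addr and reply_addr != from_addr:
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr}, not {from_addr}"))
        t = lookalike_of(reply_addr.rpartition("@")[2])
        if t:
            findings.append(("lookalike-reply-domain", f"{reply_addr} imitates {t}"))

    # 4. Domains mentioned in the body (links or addresses) that imitate trusted ones.
    # Single-part text/plain only; a production version would walk multipart bodies.
    body = str(msg.get_payload()).lower()
    seen = set()
    for dom in re.findall(HOST_RE, body) + re.findall(EMAIL_RE, body):
        t = lookalike_of(dom)
        if t and dom not in seen:
            seen.add(dom)
            findings.append(("lookalike-body-domain", f"{dom} imitates {t}"))
    return findings


# Constructed sample messages mirroring the Acme scenario.
CEO_FRAUD = """From: John Doe <JohnD@acme.co>
To: bob@acme.com
Subject: Urgent payment
Content-Type: text/plain

Bob, drop everything and pay the Wenzhou order today. Check with
accounting@acme.co for the wire details.
"""

SUPPLIER_FRAUD = """From: Accounting <accounting@acme.com>
Reply-To: accounting@acme.co
To: bob@acme.com
Subject: Re: Urgent payment
Content-Type: text/plain

Wire to Wenzhou Industries, details at www.vvenzhouindustries.com/wire.
"""

LEGIT = """From: John Doe <JohnD@acme.com>
To: bob@acme.com
Subject: Wire for Wenzhou Industries
Content-Type: text/plain

Bob, please process the wire to Wenzhou Industries per the PO.
Their portal is https://www.wenzhouindustries.com/invoices.
"""

if __name__ == "__main__":
    for label, sample in (("CEO_FRAUD", CEO_FRAUD), ("SUPPLIER_FRAUD", SUPPLIER_FRAUD), ("LEGIT", LEGIT)):
        print(label, analyze(sample) or "clean")
```

Two practical notes. First, the "same name, different suffix" rule deliberately flags acme.org as well as acme.co; if the company legitimately owns sibling domains, add them to the trusted set rather than weakening the rule. Second, none of these checks replaces SPF, DKIM or DMARC: those protocols verify that a message really came from the domain it claims, but a lookalike domain registered by the attacker authenticates perfectly well, so the comparison against your own trusted names has to be done separately.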

New tools are required to protect against business email compromise carried out by phishing or spear phishing. Vade Secure’s solution offers a way to prevent business email compromise attacks. It uses heuristic analysis to spot spear phishing emails, and has been “trained” to recognize suspicious messages through analysis of hundreds of millions of emails over a ten-year period. Vade Secure protects corporate IT assets from spear phishing by screening inbound messages with numerous rules driven by artificial intelligence. Proprietary processes spot one-off spear phishing attacks by comparing the style and technical indicators of the claimed sender of a given email with what is known about the actual sender.

Give us a call at 415-745-3630, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.