Business Email Compromise (BEC), otherwise known as CEO fraud, is a type of phishing attack where a cybercriminal will impersonate a high-level Executive in order to convince an employee, customer, or vendor to transfer money to a fraudulent account or disclose sensitive information.
By compromising official email accounts, the criminals can monitor online activity and determine who has the credentials to initiate money transfers. In the majority of cases, attackers pretend to be the CEO, CFO or another C-Level Executive, and they typically combine a range of social engineering techniques to manipulate the user into action.
In recent years, there has been a steep increase in the number of Business Email Compromise attacks, and according to the latest email security risk assessment report by email management firm Mimecast, BEC attacks have increased by 80% in the last quarter alone.
Global losses due to Business Email Compromise have exceeded $12.5 billion, and victims can suffer substantial losses which has been evident in a number of recent high-profile attacks.
In March 2018, the French cinema chain Pathé fell victim to a sophisticated Business Email Compromise scam that cost them over 19 million euros.
The audacious heist was pulled off when fraudsters impersonated the CEO and convinced the Managing Director and CFO of the brand’s Dutch office to transfer the funds over a series of five consecutive money transfers.
Despite suspicions being raised, the criminals managed to make their scam seem as convincing as possible by creating emails that were almost identical to the official Pathé domain. The company lost 10% of its total earnings and both Executives were fired from their jobs.
The attack demonstrated the attention to detail that cybercriminals will use to infiltrate a company, and the far-reaching consequences that a BEC attack can have on a business.
How a BEC scam works
Unlike traditional phishing attacks which tend to target a large number of employees, BEC attacks are highly focused and targeted. Criminals will spend a lot of time researching individuals in high level corporate positions before launching an attack.
To make any correspondence seem as convincing as possible, the crooks will trawl company websites, online sources, and social media sites such as LinkedIn to gather as much information as they can about their potential victim.
As soon as they have completed their research, they will use a targeted technique such as Spear Phishing to gain access to corporate systems. Once they have access, the criminals can closely observe how financial transactions are made before launching an attack.
The criminal will then send a fake email from what appears to be the CEO requesting an urgent funds transfer from an employee within the organisation. The high-level targeting helps the email slip through spam filters, and the use of a spoofed email address adds further legitimacy to the request.
Such is the level of detail, that the criminals will often choose to launch their attack when the Senior Executive is away on business and unable to personally verify the request. If the victim has fallen for the scam, any money they’ve transferred will quickly be sent to accounts located overseas which makes it difficult to ever reclaim the stolen money.
Types of Business Email Compromise Scams
CEO Fraud – In this type of attack, cybercriminals will pose as the CEO or another high-level Senior Executive. Once their account has been hacked, and email address spoofed, they will send an email to an employee requesting a transfer of funds to an account they’ve specifically set up. The emails will often be flagged as a matter of urgency to discourage the employee from verifying the request or discussing it with another member of staff.
The Bogus Invoice Scheme – This particular scam is often leveraged against companies that use a lot of overseas suppliers. The business will receive an email from what appears to be one of their current suppliers asking them to change the payment destination. Any payments will then be transferred directly into the fraudsters account.
Account Compromise – This type of attack tends to be more common amongst smaller businesses where any billing is managed directly through email. The cybercriminals will hack an employee’s email account and intercept any emails that contain an invoice. Once they have chosen their target, they will contact the vendor and inform them that there was a problem with their payment and request they resend it through to another fraudulent account they’ve set up.
Lawyer / Attorney Impersonation – In this scam, criminals will impersonate a company’s law firm and request the urgent transfer of funds to deal with a legal dispute or unpaid bill. The employee is told the matter is strictly confidential to reduce the chance of them discussing the request with anyone else. The attacks will often take place at the end of the working week to create extra pressure on the employee to act quickly.
Data theft – This is the only BEC scam that doesn’t request a direct bank transfer. Data theft attacks occur when a cybercriminal compromises a Senior Executive’s email account and requests that sensitive corporate information is sent to them. These types of attacks tend to target HR and Finance departments and are often the precursor for a larger and more damaging cyber-attack.
Warning signs of a BEC attack
- Large funds transfer to a recipient the company has never previously dealt with.
- Transfers initiated near the end of the day /working week.
- Emails that contain urgent language and are secretive in nature.
- Small changes to an email address that mimics a legitimate business address.
- The recipient account has no history of receiving large money transfers in the past.
- The recipient account is a personal account instead of a registered business account.
How to Prevent BEC Attacks
- Security awareness training is one of the most effective tools for fighting BEC attacks. Regular training will ensure that staff can recognise malicious emails, social engineering tactics, identify suspicious requests and follow the correct protocols for dealing with money transfers.
- C-Level Executive training – It’s also vital that C-Level Executives receive role specific training that addresses the unique threats they face on a day to day basis.
- Employees should question and verify all confidential requests, especially those deemed urgent by the CEO or other Senior Executives within the company.
- Minimise the number of employees who have the authority to transfer funds.
- Use multifactor authentication on all email accounts.
- Implement a two-step verification process for all payments which includes a non-email check such as a telephone or verbal authentication.
- Develop written procedures for approval of all financial transactions.
- Send all emails through an encrypted server.
- Do not post sensitive information on company websites or on social media.
- Consider the use of an email banner that notifies employees if an email has come from an external source.
Employees represent the biggest threat to an organisation’s security, so it’s vital they are equipped with the necessary skills to prevent a cyber-attack. MetaLearning Fusion is the next generation of eLearning and it’s been specifically designed to provide the best possible Cyber Security and Privacy training for your staff. Organisations can build bespoke courses for their staff from an extensive library of short eLearning courses. Get in touch for further information on how MetaLearning can be used to transform Cyber Security training within your organisation.