How to prevent business email compromise attacks

[harlan4096]

Business email compromise (BEC) scams are low-tech attacks that use social engineering techniques to exploit natural human tendencies.

While they may not get as much attention from the press as high-profile ransomware attacks, BEC scams are considered one of the biggest threats facing companies today. Between June 2016 and July 2019, there were 32,367 successful BEC scams in the U.S., which cost U.S. businesses more than $3.5 billion, according to figures from the FBI.

Fortunately, there are some very effective and easy-to-implement strategies for stopping BEC attacks. In this post, we’ll show you how you can combine staff training, process implementation and authentication technology to protect your organization from BEC attacks.

What is business email compromise?

A BEC attack is a sophisticated scam that targets businesses and individuals who perform wire transfer payments.

Unlike regular email scams that are distributed to thousands or millions of users, BEC attacks are carefully planned and highly targeted.

A typical BEC scam involves an attacker gaining access to the email account of a C-suite executive via a phishing campaign, malware infection, password leak or brute force attack. The attacker monitors the compromised email account to learn the victim’s communication habits and gain a thorough understanding of the company’s routine processes and procedures.

Once the attacker has carried out their surveillance, they send an urgently worded email to a target, instructing the recipient to carry out an important request.

What makes the scam so convincing is the fact that the email is sent through legitimate communication channels and appears to be from a familiar and trusted business contact. The target often feels inclined to quickly process the request without question when the email appears to be sent from the target’s boss or boss’ boss.

Monetary gain is usually the primary goal of a BEC scam. Victims are deceived into believing they’re performing a regular transaction, when in reality they are transferring large sums of money directly into the bank account of the scammers.

In other cases, attackers may use BEC scams to extract employees’ personally identifiable information, which can be used in future attacks or sold on the black market.

Business email compromise vs spear phishing and whaling

BEC scams, spear phishing and whaling share a number of similarities. All three are email scams that use social engineering to extract money or sensitive information from a specific target.

However, the way they accomplish this goal is slightly different. Whereas spear-phishing and whaling attacks involve directly attacking a target with phishing emails, BEC scams rely on infiltrating an email account related to the target in order to impersonate a known business contact and gain the trust of the target.

Worst business email compromise cases of 2019

1. Tecnimont SpA

In January, Tecnimont SpA, an international industrial group headquartered in Milan, revealed it had been caught up in one of the largest BEC scams in history. While impersonating CEO Pierroberto Folgiero, attackers sent a series of emails to the head of Tecnimont Pvt Ltd, the Indian subsidiary of Tecnimont SpA, to organize conference calls about a secret business venture in China.

During the bogus calls, the fraudsters assumed the roles of various stakeholders, including Folgiero, a Swiss lawyer and other senior executives. The attackers eventually convinced the head of Tecnimont Pvt Ltd to transfer $18.6 million from India to banks in Hong Kong. The money was withdrawn almost instantly.

2. Cabarrus County

In July, Cabarrus County, North Carolina, admitted it had been scammed out of more than $2.5 million.

In November 2018, the county’s finance department received emails sent from what appeared to be Branch and Associates, a contracting company that was building the new West Cabarrus High School.

The emails included a request to update Branch and Associates’ bank account information. Staff were supplied with all the seemingly valid documentation and approvals required, and processed the request accordingly. The next vendor payments made by the school went straight into the scammers’ account and were quickly funneled through a string of other accounts.

The bank was able to freeze and recover $776,518 of the $2,504,601 payment, leaving the county to pay the remaining balance of more than $1.7 million to the real Branch and Associates.
...

Continue Reading