
How to escape the BEC scam – when authority emails equal fraud

March 16, 2016

Lately, many online cyber-security sources have warned enterprises about the business email compromise scheme (also known as the BEC scam), and with good reason: this type of fraud has spiked over the last few months.

BEC attacks are a particular type of spear phishing; according to CSO Online, four organizations confirmed phishing attacks against their employees' data in the last weeks of February.

What makes the BEC scam stand out?

  1. The financial data target

Cyber thieves use social engineering and/or other methods to gain access to accounts relevant to the enterprise's financial operations, working their way into a middle position between the parties to a transaction; their purpose is to hijack transactions and redirect them towards their own accounts.

  2. Identity theft is part of the scheme

This technique may be used prior to the modified-invoice phase, in order to gain access to the strategic employee account that is needed; but the more crucial instance of identity theft occurs when the fraudster mimics the digital presence of a superior employee (or of a vendor or another trusted interlocutor) and persuades the person responsible for finances to submit a payment order that sends the money to the malicious account. The identity theft may be genuine or merely an appearance (spoofing the credentials of the hierarchical superior or of business partners). The BEC scam has also been dubbed the Man-in-the-Email scam, a name that mimics the Man-in-the-Middle attack's denomination.

  3. Social engineering

When approaching one or several employees of the targeted company, the cyber-criminals use social engineering techniques to gain access to their computers via infected digital files; yet the most important piece of social engineering in BEC comes only after the internal IT system has been infiltrated via one or more internal accounts. This state-of-the-art social engineering consists of sending a spoofed email that appears to come from someone in a position of authority, and the ultimate authoritative figure in a company is the CEO. Employees rarely question an email coming from their CEO, since they would actually have to check the email's authenticity with the real chief executive officer, something they might not find the courage (or even have the clearance) to do. Sending a personal request email that drives employees to take action because of the authoritative command it encloses is specific to the BEC scheme.

  4. The latency

The fraudulent actions count on perpetuating the scam without anyone noticing. The malicious emails are crafted to match the language and habits the employees are accustomed to, so they do not raise suspicions until it is too late. The FBI issued a warning in 2015 on how BEC scams work: it takes vigilance on the part of the targeted company's employees, and it is extremely important for them to act quickly in order to stop the financial fraud from being completed.

Recommended preventive measures against the BEC scam

There are a few policies that prevent such techniques from being successful. Companies that already employ them are advised to maintain and strengthen their security policy, while companies that have neglected these measures should seriously consider implementing them:

  • The basic anti-malware steps should always be followed: make sure your antivirus is kept up to date, use anti-malware tools and update their databases regularly, and train your employees in cyber-security, social engineering and user behavior analytics; you may also consider asking the person responsible for cyber-security to send regular internal updates in order to keep employees informed;
  • Follow a strategy that requires your employees to change their passwords at certain (preferably irregular) intervals, so that an attacker cannot count on fixed internal passwords or on a predictable change pattern;
  • Double up important internal messages with a second message sent from an alternate email address or over the internal communication system; apply this procedure especially when internal orders materialize into payment orders. For the type 2 BEC scam (where external partners' messages are spoofed), instruct your employees to confirm the authenticity of the original email by telephone or by a second email; it may seem tedious or complicated at times, but it is better to be safe than sorry, especially during malware/phishing outbreak periods;
  • It is also useful for companies to register and own all domains that are slightly different from their main domain, so that these similar domains cannot be used by malicious entities.
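One way to automate the check behind the last two measures (an authority figure's display name paired with an address outside the company, and lookalikes of the company's own domain) on incoming mail, as an added example that is not part of the original article. The corporate domain, the executive list and the sample headers are constructed, and SPF/DKIM validation of the sending server is assumed to happen upstream in the mail gateway.

```python
import re
from email.utils import parseaddr

# Constructed sample data: the legitimate corporate domain and the
# executives whose names a BEC email is most likely to borrow.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return the reasons a From: header looks like a BEC spoof (empty if clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if domain == CORPORATE_DOMAIN:
        return findings  # genuinely our domain; the gateway's SPF/DKIM checks apply
    if domain:
        # Lookalike domain: a one- or two-character variation of ours, or our
        # company name embedded in a longer registered domain.
        if edit_distance(domain, CORPORATE_DOMAIN) <= 2:
            findings.append(f"lookalike domain {domain}")
        elif CORPORATE_DOMAIN.split(".")[0] in domain:
            findings.append(f"domain {domain} embeds corporate name")
    # Display-name spoofing: the name of an executive on an external address.
    key = re.sub(r"\s+", " ", name).strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' is an executive but address is {addr}")
    return findings


if __name__ == "__main__":
    # Constructed headers: one legitimate, three typical BEC patterns.
    for hdr in ("Jane Doe <jane.doe@example-corp.com>",
                "Jane Doe <jane.doe@examp1e-corp.com>",
                "Jane Doe <ceo.janedoe@gmail.com>",
                "Vendor Billing <billing@example-corp-invoices.com>"):
        print(hdr, "->", check_sender(hdr) or "clean")
```

A flagged message is a candidate for the out-of-band confirmation described above, not proof of fraud; legitimate partners do occasionally write from personal or newly registered domains.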

BEC scam – figures and evolution

The reported figures between October 2013 and August 2015 are 8,179 attacked companies in 79 countries, totaling $798,897,959.25 in financial losses. Total US victims for the same period: 7,066, with exposed losses of $747,659,840.63, as listed by the FBI.

These numbers amount to a 270 percent increase in successful attacks of this type compared to the pre-2015 period.

The types of BEC scam have also become more varied over time; the latest version listed by the same source involves an approach made in the name of lawyers or representatives of law firms who claim to be handling confidential or time-sensitive matters and pressure the targeted employee to take action quickly and secretly, usually at the end of the work day or just before the closing times of international financial institutions.

Considering the consequences of such attacks, companies are well advised to report any cyber-security event as soon as possible, when they notice the symptoms of an ongoing or completed attack. Financial losses may be retrieved, or partially recovered, thanks to faster reporting, and liability may be distributed differently than in the case where the company leaves the attack unreported and may be forced to sustain all the losses. When covering the losses depends on an insurance company, completing all due reporting in time is also important; otherwise unpleasant situations may occur.

The first thing such cyber-attacks put to the test is a company's internal system, and by this we do not mean only its IT system. It also tests the way internal policies are conceived and implemented. The way employees carry out their tasks and pay attention to what goes on in their area of work ultimately influences the success rate of this type of attack. It is extremely useful in cyber-protection to have vigilant employees who question unusual activities or sudden changes in details and notify and discuss the abnormalities with their superiors, as well as responsive, organized team leaders, managers and executives who pay attention to such alerts.

Therefore, do not be afraid to run a tight ship where cyber-security and digital work habits are concerned, an attitude that will imprint on all levels of your company. Cleverly balance strong rigor with transparency and flexibility, so that employees learn to communicate and signal any irregularity to their superiors before it becomes a weak entry point into the company's system.