Business Email Compromise Schemes: Most Seek Wire Transfers'CEO Fraud' Social Engineering Attacks Continue to Surge
Business email compromise attacks appear to be too lucrative for the criminally inclined for them to go away anytime soon.
See Also: 2020 State of the Phish Report
Such social engineering scams, also known as CEO fraud, are designed to trick recipients into sending money directly to attackers. Often, they do this by attempting to exploit a company's accounts payable process, perhaps using a psychological lever or two as they unfurl.
"Criminals use business email compromise attacks to obtain access to a business email account and imitate the owner's identity, in order to defraud the company and its employees, customers or partners," says Asaf Cidon, vice president of content security services at Barracuda Networks, which makes technology designed to identify and block BEC attacks, in a blog post. "In most cases, scammers focus efforts on employees with access to company finances or payroll data and other personally identifiable information."
In many cases, attackers pretend to be the CEO - or sometimes the CFO or another c-level executive - and send an email saying they need a wire transfer to be made immediately.
"The sense of urgency, a request for action, or a financial implication used in BEC schemes tricks targets into falling for the trap," security firm Trend Micro says in a blog post.
"For example, an accountant may receive a fraudulent email request for a wire transfer from the company CEO, which includes a spoofed version of the CEO's email address and even the CEO's own email signature," it says. "Accordingly, he or she will be more likely to send the funds, because the email appears very real."
Attackers may do everything from sending fraudulent invoices or links to malicious websites, to taking control of executives' accounts to make their scam emails appear to be legitimate.
US Clocks $2.9 Billion in BEC Losses
Such simple, relatively low-tech tactics may belie the ongoing success story that is business email compromise.
In 2016, Trend Micro reported that the average BEC attack netted $140,000 in illicit profits.
Last month, the FBI's Internet Crime Complaint Center, or IC3, said that based on fraud reports submitted from October 2013 to May 2018, 41,058 total U.S. victims of BEC schemes collectively lost at least $2.9 billion, while global losses were more than four times that amount (see FBI: Global Business Email Compromise Losses Hit $12.5 Billion).
Many law enforcement experts believe that only a small fraction of such crimes ever get reported, meaning that the problem is probably much more severe.
Such attacks appear to be intensifying. IC3 says that globally, from December 2016 to this past May, reports of BEC attacks have increased by 136 percent. IC3 adds that it's received fraud reports from all 50 states and that BEC fraud has also been reported in 150 other countries. In the majority of cases, the FBI says stolen funds get routed to bank accounts in China and Hong Kong.
BEC Attacks: Top Objectives
To review how such attacks typically unfold, Barracuda Networks says it looked at a random sampling of 3,000 recent attacks logged by users of its technology.
Far and away the leading objective of an attack, it found, was to get the victim to initiate a wire transfer. Notably, it found that 60 percent of phishing attacks don't include a link, meaning that in many cases, attackers may simply be trying to trick a victim, rather than infecting their PC.
Such emails, which are often written in plaintext, can be very difficult to spot, "because they are often sent from legitimate email accounts, tailored to each recipient, and do not contain any suspicious links," Barracuda says.
About 12 percent of attacks include a prelude email that's designed to build rapport.
In such cases, the fraudster's next step is typically to try and trick the recipient into making a wire transfer, Barracuda says.
Looking at 50 randomly selected attacks that attempted to impersonate a legitimate user, true to the name of the scam, Barracuda found that 43 percent of the time, attackers also impersonated the CEO.
CEO Fraud: Primary Flavors
Trend Micro says BEC attackers often do their homework before unleashing attack emails. "Hackers don't just craft a catch-all email with common language and hope it dupes their target," it says. "Instead, they take their time to complete sophisticated social engineering. In this way, they are able to use an attack style that will boost their chances of the target opening and responding to the message."
- Supplier swindle: Attackers call, email or fax a business that has a longstanding relationship with a supplier, pretending to be the supplier, and trying to trick the business into wiring funds for outstanding invoices to an attacker-controlled account. "This particular version has also been referred to as 'The Bogus Invoice Scheme,' 'The Supplier Swindle' and 'Invoice Modification Scheme,'" IC3 says. Trend Micro says foreign suppliers are often targeted.
- CEO fraud: Attackers compromise a high-level business executive's email account and use it to impersonate the executive and send money-transfer requests to victims. "In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank 'X' for reason 'Y,'" IC3 says. "This particular version has also been referred to as 'CEO Fraud,' 'Business Executive Scam,' 'Masquerading' and 'Financial Industry Wire Frauds.'"
- Account compromise: Attackers hack into a victim's email account and then use it to request invoice payments to multiple vendors listed in their address book. The hacked victim's employer, meanwhile, "may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment," IC3 says.
- Attorney impersonation: "Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters," Trend Micro says. "Normally, such bogus requests are done through email or phone, and during the end of the business day."
- Data theft: Attackers target personally identifiable information - including Social Security numbers - or employees' tax statements, in what's known as W-2 attacks. Such information can be used for filing fake tax returns, among other types of identity theft.
Attackers may target a large number of victims at once. One campaign described by IBM X-Force appeared to harvest massive quantities of business users' credentials and to then use them "to impersonate their rightful owners and ultimately trick employees into diverting fund transfers to bank accounts the attackers control."
IBM said the campaign appeared to be perpetrated by "threat groups of likely Nigerian origin" who were harvesting credentials, then running phishing and social engineering campaigns "designed to steal financial assets."
Step one of the attack involved an attacker sending a phishing email to hundreds of a business user's contacts both inside and outside their employer's company, IBM says.
It notes that attackers typically use "stolen credentials from companies that use single-factor authentication and an email web portal," because they can log into these accounts remotely to send phishing messages, as well as compromise email accounts without having to hack into an organization's corporate network.
"The attackers specifically targeted personnel involved in the organization's accounts payable departments to ensure that the victim had access to the company's bank accounts," IBM said.
If victims clicked the link, they would be redirected to a fraudulent "DocuSign" portal that requested that they enter their credentials to download it. If a victim did so, then they would have sent their credentials to attackers.
Attackers may attempt to do more than just try to trick a victim into making a one-off wire transfer.
"Unfortunately, the BEC cycle doesn't have to end after a fraudulent wire transfer has been made by the victim. Once an account has been compromised, it can be leveraged to support further BEC schemes, sending phishing or other BEC messages to others within the compromised account address book," Trend Micro says.
CEO Fraud: 5 Defenses
Information security experts say there are multiple defenses that all firms - large, medium and small - should have in place to protect themselves against BEC attacks, including:
- Authentication: Protect all email accounts with two-factor authentication, to make it more difficult for attackers to hack into such accounts and use them to trick others either inside or outside the organization.
- Verification: Always make a requested wire transfer follow a prescribed series of steps that includes either an in-person conversation or telephone verification, using only a pre-approved list of telephone numbers for contacts. Never rely on contact information included in an email.
- Questioning: Always assume that an email account that is requesting a wire transfer has been compromised, until proven otherwise. That especially goes for emails that purport to be from the CEO or another senior manager.
- Training: Show users what BEC attacks look like, and regularly test them to ensure that they remain aware.
- Technology: Block known or suspected BEC emails from ever reaching recipients.