Having been in the computer security field for over 32 years, never in my career have I heard more complaints about big money lost due to business email compromise (BEC) phishing scams than this year. A BEC phish is a malicious email which attempts to get the receiver to send or do something of value against their own organisation’s interests by purporting to be from a boss, co-worker, or vendor claiming to have an existing working relationship.
A multitude of businesses have lost hundreds of thousands to millions of dollars, and it’s been going on for years. Google and Facebook lost $100M, an Australian aerospace parts maker lost $47M, and California network equipment maker Ubiquiti lost $46.7M. Large corporations, cities and hospitals, along with tens of thousands of ordinary businesses, have lost significant parts of their income to BEC phishing scams.
Every governmental regulatory body tracking BEC scams is reporting not only an increasing number of BEC attempts and fraudulent successes, but also growing rates of attack. In 2018, the rate of BEC scams doubled from the previous year, with the United States’ Federal Bureau of Investigation stating that BEC scams have stolen over $12B since 2005. In the UK, Lloyds Bank reported that BEC scams have risen over 58 per cent in the last year. An alarming 53 per cent of BEC victims reported that scammers had impersonated their bosses, and 52 per cent reported receiving emails from suppliers that had been impersonated.
Signs of a BEC
There are many signs that an incoming email request may be a BEC. All the normal phishing “red flags” apply. For instance, if the email’s display “From” and “Reply To” email addresses are different (see the figure below), it’s good to be very cautious.
If the email is unexpected, has a strange, unexpected subject, or contains unusual grammar or typos for the sender, it should also be considered suspicious. But BEC scam emails have attributes which are particular to BEC scams. These include:
Fake look-alike email addresses
BEC emails often originate from a fake email address which is created to look like it could be the legitimate sender’s personal email address, or they can come from a real sender’s email account that has previously been compromised by an attacker. In most cases, the originating email address is one which appears as if it could be from the legitimate sender, but is hosted on one of the most popular public, free email services, such as Gmail, Yahoo, or Outlook.com.
In the example BEC excerpt figure below, the email was created by someone who created two fake Gmail email accounts in the name of KnowBe4’s CEO, Stu Sjouwerman (i.e. firstname.lastname@example.org and email@example.com). Stu has a personal email account, but it isn’t one of those email account names.
It’s really quite easy to get a fake, look-alike email address. All the scammer needs to do is go to any popular public email provider and create a new account, trying the various combinations of the impersonated person’s real name. Oftentimes, using the full name within the email address will readily work, because “real” people create and use email addresses shorter than their full name to save typing and time. The scammers are hoping that employees will automatically assume the sender accidentally sent the email from a personal email account, or did it on purpose, so they don’t question its use.
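As an added example (not code from the article or from KnowBe4), here is a Python check for the two header-level red flags described above: a “Reply To” address that differs from the displayed “From”, and a known executive’s name arriving from outside the organisation, typically a free public email domain. The organisation domain, the executive directory and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                       # assumed organisation domain
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed directory of people scammers impersonate: normalised name -> real address
EXECUTIVES = {"jane doe": "jane.doe@example.org"}


def _norm(text):
    """'Jane.Doe' / 'jane_doe' / ' JANE  DOE ' -> 'jane doe' for name comparison."""
    for sep in ".-_":
        text = text.replace(sep, " ")
    return " ".join(text.lower().split())


def bec_flags(raw_message):
    """Return the list of BEC red flags found in the headers of an RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    local, _, domain = from_addr.lower().rpartition("@")
    flags = []

    # Red flag 1: a Reply-To that quietly redirects the conversation elsewhere.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to-mismatch")

    # Red flag 2: a known name (display name or address local part) from outside the org.
    impersonated = _norm(from_name) in EXECUTIVES or _norm(local) in EXECUTIVES
    if domain != ORG_DOMAIN and impersonated:
        flags.append("freemail-lookalike" if domain in FREEMAIL else "external-lookalike")
    return flags


# Constructed sample headers (not real messages).
LOOKALIKE = "From: Jane Doe <jane.doe@gmail.com>\nSubject: Urgent gift cards\n\nbody"
REDIRECT = ("From: Jane Doe <jane.doe@example.org>\n"
            "Reply-To: <janedoe.ceo@yahoo.com>\nSubject: Invoice\n\nbody")
LEGIT = "From: Jane Doe <jane.doe@example.org>\nSubject: Lunch\n\nbody"

if __name__ == "__main__":
    for sample in (LOOKALIKE, REDIRECT, LEGIT):
        print(bec_flags(sample))
```

A flagged message is a prompt for the out-of-band verification the article recommends, not proof of fraud: executives do sometimes write from personal accounts.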
Stressor events and sweeteners
BECs almost always include one or more “stressor events” to help push the receiver past any little concerns they may have. A stressor event is anything included in the email which is intended to make the receiver’s emotions override their normal sceptical attitude. Common stressors include text similar to the following:
- “I need you to do this ASAP! There is a huge business deal depending on this.”
- “If this bill is not paid immediately it will be turned over to collections!”
- “I need the gift cards by the time my flight sets down!”
- “Don’t let me down, this is what I pay you for.”
- “If we do not get the W-2 list today payroll will be late!”
- “If you have not made your escrow payment at least 10 days before the closing meeting, you will not be able to close on your house.”
You get it. The sender will say something to emotionally stress the receiver.
Some BEC emails carry “sweeteners” which promise a reward if the receiver follows the instructions. For example, the receiver can keep one of the requested gift cards for themselves or the company will soon celebrate a big deal closing because of the receiver’s help. The combination of a stressor event followed by a sweetener seems to be the key to success for many BEC scam emails.
Out of normal communications
Another common BEC attribute is that the sender will always claim that they cannot use normal communications for some reason. Either their normal email account is down, they are getting ready to get on an airplane, or their cell phone is acting up. The scammer’s idea is to get all communication between themselves and the victim to the newly trusted email account. If the scammer knows the normal approval process, the email might even include a warning not to let the approval person know, with an example text similar to this: “Don’t contact accounting about this request as one of the gift cards is being given to them tomorrow as a surprise.”
You would think that every person receiving an email with these common traits would be overly suspicious and never respond to them or carry out the action. You would be wrong to the tune of over $12B and counting. Humans are naturally helpful and want to avoid the promised negative outcomes for hesitating to do something now.
Common BEC Scams
Here are some common types of BEC scams:
Online Gift Cards
Many BEC scams encourage the receiver to buy thousands of dollars in online gift cards (Amazon, Green Dot, etc.) and to forward the serial numbers and activation codes to the sender after they are purchased. Be suspicious anytime a boss asks you to purchase gift cards when they haven’t talked to you in person about it before.
Fraudulent invoices
Many of the biggest BEC scams have involved elaborate fraudulent invoices. Most people have received fake invoices, arriving out of nowhere, requesting payment for things like new computers and printer ink. But BEC scammers are becoming more brazen. For example, the Google and Facebook BEC scammer learned the amounts that Google and Facebook routinely paid for computer equipment and created new (legal) companies with very similar sounding names and with real bank accounts. That way, when the scammer got paid by corporate cheque, he could deposit it in his new company’s bank accounts, wait for it to clear, and then pocket the money with a withdrawal. He got away with the scam for years.
Tax information requests
Around tax time, BEC scammers love requesting confidential information which will allow them to file fraudulent tax returns. In the United States, W2 scammers will pose as Human Resources or Payroll departments and ask employees for their W2 tax information, supposedly so that their W2 can be sent to them for tax preparation. Or they will pose as an external corporate payroll entity and ask a company’s human resources department for all employees’ “updated” W2 information, so they can get every employee’s tax information at once.
Wire transfer scams
Perhaps one of the most common types of BEC scam is one where the sender tries to trick the receiver into wiring money electronically, supplying the bank details needed to make the transfer. The sender usually claims that an existing invoice must be paid immediately, or sends “updated instructions” from the email account of someone the victim already does business with.
Mortgage fraud
Mortgage fraud is a subset of wire transfer BEC scams. With this type of fraud, the attacker breaks into the computer or email account of someone involved in the mortgage industry, often a bank loan officer, mortgage agent, or escrow agent. They then sift through the officer’s current case load and pick out the best opportunities for attack. Then they send a forged email to the person (or their representative) attempting to get a mortgage, telling them that the down payment for the mortgage loan must be sent to “escrow” so they can get their mortgage on the property they wish to acquire.
The email will come from the person the victim was expecting it to come from and will contain all the real details the victim was expecting, except that the wire transfer instructions are fraudulent. The victim ends up sending money to the scammer, and often never gets it back. The victim is out the money, plus the property they were hoping to acquire - unless they just happen to have a second escrow amount available and ready to spend - and all the other financial parties in line hoping to make money from the transaction when it closed are out their money as well. It’s a dastardly crime, gaining in popularity, and hard to stop.
Although these are common, representative types of BEC scams, there are hundreds of variations on the theme, each of which attempts to trick victims into committing an act against their own interests and their organisation’s interests.
Defending Against BEC Scams
This is not to say that BEC scams cannot be successfully fought within organisations. Education is key. Start by making sure that the security awareness programme covers BEC scams, especially if the business is particularly at risk from BEC crimes because it processes a lot of invoices or the boss frequently works remotely. Potential victims must know about BEC scams, what they look like, how to spot them, and what to do once they suspect someone is trying to BEC scam them.
Another important defence is to make official organisational policy changes which make it harder for BEC scams to succeed. Make a policy that says employees can never accept a request for money or information from a co-worker if it doesn’t come from that co-worker’s legitimate organisational account. Any request from a co-worker arriving from a non-organisational account must be ignored, discussed with the purported sender, and reported to IT security if it turns out to be fraudulent.
Another important policy change is to require that all unexpected requests for money or information be verbally confirmed by the purported sender before they are acted on. If the sender can’t be contacted outside of email and the request verified, then the transaction should not be conducted. Even expected requests for money or information should be verified verbally if the request meets a minimum value threshold (say £500 and above).
The only way to help mitigate the risk of BEC scams is to educate end-users about their existence, give lots of examples, test them with simulated phishing campaigns, and create policy that makes it more difficult for BEC scammers to be effective.
Now go out there and put down some BEC scams!
Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4