Hey! I know I’ve never talked to you before – but can you send some money – QUICK!
Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually.
What makes BEC campaigns different?
In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching the organization, identifying execs whose high-priority messages would make employees respond ASAP.
Though this type of threat is fairly new in the phishing landscape, it is very successful. Actors have been able to make off with millions of dollars, using networks of mules to move the money back to the mothership.
In recent months, there has been a shift in the type of currency requested—gift cards. They’re easy to obtain and, if requested in smaller amounts, can go unnoticed but still add up. Researchers have also been doing their work, hunting these criminal groups with much success. Last summer the FBI announced the arrest of 74 fraudsters, all related to BEC. When an organization realizes it’s been hit with a BEC attack, it can reach out to the FBI, which will work with financial institutions to block the transfer of funds.
What can you do? A few tips.
I remember a few years back when this threat started to surface. I couldn’t help but think back to my days in finance and IT compliance, with a focus on Sarbanes-Oxley, and think about the controls breakdown BEC triggers. Here are some ways to KEEP control.
First and foremost, train your employees to be on the lookout for these types of messages. Secondly, implement controls within your payment process to require a secondary signature for release of funds. When I worked in the treasury department for a retail chain, there were many days I would have to walk to the Controller’s or CFO’s office to get a REAL signature on a check greater than $50,000 or a request for a direct wire. Also, look to the gateway controls and implement DMARC /DKIM as discussed in our previous blog post.
There is another control that is starting to become a best practice—tagging external messages in the subject line or message body and letting your employees know the message originated outside the organization. This tag is helpful in spotting BEC messages. Many times, executives or high value targets are reading their messages on mobile devices. The mail client on these devices doesn’t display the fully qualified email address, making it difficult to assess the validity of the message sender.
A BEC sample:
The importance of tagging for viewing on a mobile device – mail client vs mobile: