
Business Email Compromise Fraud: Social Engineering News

November 16, 2022

Business Email Compromise (BEC), a type of phishing fraud, consistently tops the FBI's list of the most financially damaging online crimes. Businesses were pummeled by BEC fraud in 2021, with over 70% reporting a BEC attack. The FBI's Internet Crime Complaint Center (IC3) 2021 report documented 19,954 Business Email Compromise/Email Account Compromise (EAC) complaints with adjusted losses of nearly $2.4 billion. In other words, BEC fraud accounted for more than a third of the $6.9 billion in total cyber losses reported for 2021.


Common BEC Examples and a New Virtual BEC Scheme

In Business Email Compromise fraud, attackers send email messages that appear to come from a known source and make what look like legitimate requests. To do this they use either a compromised account (the real mailbox, which passes any sender-authentication checks) or a spoofed one (a lookalike address or a borrowed display name). Two common examples are:

    • A company CEO emails their assistant to purchase gift cards to send out as employee rewards.
    • A vendor your company does business with emails an invoice with updated banking information.

Restrictions on in-person meetings during the COVID-19 pandemic led to the emergence of newer BEC/EAC schemes that exploited the reliance on virtual meetings. How did these schemes work? According to an IC3 public service announcement, the attacker first compromised the email account of an executive or finance leader, such as a CEO or CFO, then used that account to invite employees to a virtual meeting. In the meeting the attacker showed a still picture of the executive with no audio, or played "deepfake" audio, and, posing as the executive, claimed the audio/video was not working properly. The attacker then either instructed employees directly during the meeting to initiate wire transfers or followed up from the compromised email account with wiring instructions.

Business Email Compromise…In the News

BEC Group “Crimson Kingsnake”

"Crimson Kingsnake," a BEC group, has been linked to 92 malicious domains impersonating 19 law firms and debt collection agencies across the US, UK and Australia. According to a write-up by the cloud email security platform Abnormal Security, the group sent emails impersonating real attorneys, real law firms and debt-recovery services. Their goal? To deceive accounting professionals into paying fake invoices for services supposedly provided to the recipient firm.

Screenshot from Abnormal Security

Once the target responds, the BEC attackers reply with payment account details in a PDF invoice. The invoice includes a bill number, bank account details and the company's VAT ID. If the target resists, the attackers impersonate an executive at the targeted company to apply further pressure: they have been observed sending a new email from a different address whose display name is set to the executive's name. By means of this phony executive persona, the attackers "authorize" the employee to proceed with the payment.
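As an added example (not code from the original post, nor from Abnormal Security or Social-Engineer), the following Python triage script checks a message for the two impersonation patterns described above: a display name borrowed from a real executive or vendor on an address the organisation does not control, and a lookalike sender domain. It also reports two supporting signals, a Reply-To that diverts replies elsewhere and payment-change or gift-card language. The directory of names, the trusted domains and the sample messages are all assumptions constructed for the example.

```python
"""Heuristic triage for BEC-style impersonation emails (added example).

Everything below (people, domains, messages) is constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

# Assumed directory: names an attacker might borrow, mapped to the real address.
KNOWN_PEOPLE = {
    "jane doe": "ceo@example.com",                    # constructed CEO
    "acme law accounts": "billing@acme-law.example",  # constructed vendor mailbox
}
# Assumed: domains the organisation and its vendors legitimately send from.
TRUSTED_DOMAINS = {"example.com", "acme-law.example"}

PAYMENT_LANGUAGE = re.compile(
    r"(updated|new|changed)\s+(bank|wire|account|payment)|wire\s+transfer|gift\s*cards?",
    re.IGNORECASE,
)


def normalize_name(name):
    """Lower-case, drop accents/punctuation, and turn 'Last, First' into 'first last'."""
    if "," in name:
        last, _, first = name.partition(",")
        name = f"{first} {last}"
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z ]", " ", ascii_name.lower()).split())


def edit_distance(a, b):
    """Levenshtein distance; a small value between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # one or two character swaps (acme-1aw, example.co) or a trusted name
        # buried inside a longer domain (example.com.invoices.net)
        if edit_distance(domain, trusted) <= 2 or trusted in domain:
            return trusted
    return None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def triage(headers, body):
    """Return the list of BEC indicators found in one message.

    headers: dict with 'From' (required) and optionally 'Reply-To' and 'Subject'.
    """
    findings = []
    display_name, address = parseaddr(headers["From"])
    sender_domain = domain_of(address)

    real_address = KNOWN_PEOPLE.get(normalize_name(display_name))
    if real_address and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display_name}' belongs to {real_address} "
                        f"but address is {address}")

    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} looks like {imitated}")

    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} diverts replies away from {sender_domain}")

    if PAYMENT_LANGUAGE.search(headers.get("Subject", "") + "\n" + body):
        findings.append("asks for a payment change, wire transfer or gift cards")
    return findings


# Constructed sample messages: one per pattern plus a benign control.
SAMPLES = {
    "exec_display_name": ({"From": "Jane Doe <jane.doe.ceo@mail.invalid>", "Subject": "Quick favor"},
                          "Are you at your desk? I need gift cards for staff rewards, keep it between us."),
    "vendor_lookalike": ({"From": "Acme Law Accounts <billing@acme-1aw.example>", "Subject": "Invoice 4471"},
                         "Please find the attached invoice. Note our updated bank details."),
    "reply_to_divert": ({"From": "Jane Doe <ceo@example.com>", "Reply-To": "jane.doe.ceo@mail.invalid",
                         "Subject": "Urgent"},
                        "Can you initiate a wire transfer today? Details to follow."),
    "benign": ({"From": "Jane Doe <ceo@example.com>", "Subject": "Board deck"},
               "Thanks for the draft, looks good."),
}


def triage_samples():
    """Run triage over every constructed sample; returns {name: findings}."""
    return {name: triage(h, b) for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(f"{name}: {len(findings)} indicator(s)")
        for finding in findings:
            print("  -", finding)
```

The display-name check is the one that catches the Crimson Kingsnake "executive" follow-up: the name is real but the address is not on a domain the company controls. The Reply-To check matters because a spoofed From can carry the executive's genuine address while replies are routed to the attacker; note that a message sent from a genuinely compromised mailbox will pass every header check here, which is why the payment-language signal and an out-of-band callback on any bank-detail change remain necessary.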

Screenshot from Abnormal Security – Example of a Crimson Kingsnake Email Impersonating a Company Executive

City of Laredo

KGNS reports that the City of Laredo was the victim of BEC fraud that led to the loss of over $1,000,000 in taxpayer dollars. How did it happen? During the investigation, KGNS discovered that an employee with the city’s finance department paid out the money to an email scammer posing as a city vendor.

City of Lexington

A BEC scheme led City of Lexington employees to send $4,000,000 to scammers as reported by LEX18 News. The city says the criminal operation “involved multiple emails and a complicated scheme” and that “criminal actors put themselves into communication between the City and Community Action Council.” What happened? Employees received an email from a sender claiming to be the Community Action Council that gave new bank information. The City of Lexington then, “not realizing the bank information was bogus, sent three wire transfers totaling about $4,000,000 to the fake bank address.”

Test, Educate, and Protect with the Social-Engineer Managed Phishing Service

BEC fraud targets enterprises of all sizes in all industries. The phishing lures used in BEC fraud are often sophisticated, making them difficult for employees to detect; as noted above, this social engineering scheme hit over 70% of businesses in 2021. What can you do to protect your company's assets and mitigate the risk of BEC fraud? Educating employees about BEC fraud must be a priority for security awareness training campaigns and programs. The social engineering experts at Social-Engineer, LLC can help. We offer a Managed Phishing Service that is purpose-built to augment your current security awareness staff. Our fully managed phishing service measures and tracks how your employees respond to email phishing attacks and identifies at-risk user groups. We use customized software to build and execute your phishing program, while providing expert analysis.

Please contact us today to schedule a consultation.

www.Social-Engineer.com
