Earlier this week, I heard an interesting interview on NPR’s Morning Edition with a recent victim of Business Email Compromise (BEC), a growing threat that uses social engineering to exploit human nature in order to divert massive amounts of money to cybercriminals.
Recent Business Email Compromise Trends show Evolving Tactics
First, let's start with a little background information. In 2013, when Business Email Compromise scams were gaining popularity, attackers typically compromised a legitimate email account belonging to the company president, CEO or CFO in order to request the transfer of funds to an account controlled by the attacker. As awareness of BEC scams has grown, the tactics used by the scammers to avoid detection have evolved as well. These newer deception methods use compromised lawyer email accounts, requests for W-2 records, and the targeting of real estate transactions. Another recent trend involves spoofing a company executive or other position of authority and requesting the targeted victim purchase gift cards for personal or business reasons.
Over the past couple of years, BEC tactics have further evolved into a new trend known as Vendor Email Compromise in which cybercriminals target vendors or suppliers with phishing emails and then send realistic-looking invoices to their customers in order to steal money.
BEC scams have been wildly successful, with $1.2 billion in losses reported in 2018 by the FBI’s Internet Crime Complaint Center (nearly triple 2016 losses). Unfortunately, these are only REPORTED losses. Many incidents go unreported because companies don’t want to risk bad publicity.
While recent efforts by law enforcement agencies have led to many arrests, Michael J. Driscoll, FBI special agent in charge of the Criminal Division for the bureau's New York Field Office, has named Business Email Compromise the #1 priority – replacing ransomware as the biggest threat facing businesses.
And that brings me to the interview I heard on NPR.
This week on Morning Edition, Martin Kaste interviewed “Mark” (not his real name), the owner of a Seattle-based real estate company and one of the earliest victims of Business Email Compromise. Mark discussed how the attack began and how it evolved.
It started with a scammer intercepting email traffic between Mark and a business partner. For a period of time, the scammer monitored this email traffic and studied their speech, writing patterns and message timing (see Step 1 here). When Mark and his partner discussed a $50,000 disbursement owed to the partner, the scammers took action and inserted their own wire transfer instructions (see Step 3 here).
Mark was convinced the request was legitimate, and transferred the $50,000 (Step 4) to the scammer’s bank account. His partner never received the money. By the time they alerted the bank, the money had already been transferred to an overseas account.
Mark said, “We're somewhat experienced businesspeople. The idea that we've been duped makes you feel pretty stupid,” and as I mentioned, this “shame” element, along with fear of a damaged business reputation, is why many of these incidents often go unreported.
Kaste points out, “The banks weren't much help, either. Since he was the one who gave the scammers the account number, they saw this as his responsibility. He has learned one thing - never again trust wiring instructions that are sent by email.”
And that sound advice is among other tips you’ll find in my earlier post on avoiding Business Email Compromise scams.