Business Email Compromise (BEC), also known as “free money scams”, is a constant threat to organizations, their employees, and their users. Although little sophistication is needed to carry out a successful BEC, these types of attacks continue to occur more frequently and inflict greater damage than ever before. Unfortunately, this means that many of us have either observed and/or been directly targeted by BEC at one time or another. Typically, these attacks work as follows:
1. The attacker spoofs an email so it appears as if sent from a high-level executive to an employee in an organization,
2. The spoofed email orders the employee to wire a large sum of money to a foreign account,
3. The employee complies and wires money to the account,
4. The money is lost.
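The first step above is where a defender gets the most leverage: the spoofed message has to look like it came from an executive, and that usually leaves traces in the headers (an executive's display name on an external or lookalike domain, a Reply-To that redirects the conversation) alongside wire-payment language in the body. The following is an added example, not Flashpoint's code or any product's detection logic; the executive roster, the internal domain, the lure phrases and the three sample messages are all constructed for illustration.

```python
"""Screen one RFC 5322 message for the executive-impersonation pattern
used in BEC. Added example with constructed names, domains and messages."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical roster: lower-cased display name -> the domain it must send from.
EXECUTIVES = {"jane doe": "example-corp.com"}
INTERNAL_DOMAINS = {"example-corp.com"}
# Phrases typical of a wire-fraud lure; a real deployment would tune these.
LURE_PHRASES = ("wire", "urgent", "payment", "account number", "vendor")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return a list of BEC indicators found in one message (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. An executive's display name on a message from outside the organization.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display name '{from_name}' with external domain {from_domain}")

    # 2. A lookalike of an internal domain (one or two characters off).
    if from_domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if 0 < edit_distance(from_domain, internal) <= 2:
                findings.append(f"lookalike domain {from_domain} ~ {internal}")

    # 3. Replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. Wire-payment language in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    return findings


def is_suspect(raw_message):
    """Flag only when a sender-identity indicator coincides with lure language."""
    findings = analyze(raw_message)
    identity = any(not f.startswith("lure phrases") for f in findings)
    lure = any(f.startswith("lure phrases") for f in findings)
    return identity and lure


# Constructed samples: a lookalike-domain spoof, a webmail spoof and a real message.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail.example
To: accounts@example-corp.com
Subject: Urgent wire

I need you to process an urgent wire payment to a new vendor today.
Account number to follow.
"""

WEBMAIL = """From: Jane Doe <janedoe.ceo@webmail.example>
To: accounts@example-corp.com
Subject: Quick favor

Please send the wire today, I am in meetings all afternoon.
"""

LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Board deck

Attached are the slides for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("webmail", WEBMAIL), ("legit", LEGIT)):
        print(label, is_suspect(sample), analyze(sample))
```

The combination rule in `is_suspect` is deliberate: lure phrases alone fire on every genuine invoice, and an external sender alone fires on every customer, so the alert is raised only when an identity anomaly and payment language appear in the same message. Header checks of this kind complement, but do not replace, SPF/DKIM/DMARC enforcement and an out-of-band callback before any wire is sent.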
In fact, after one attacker’s recent and amateurish attempt to scam Flashpoint’s CEO in this very manner, the incident motivated me to take a closer look at who is really to blame for the successful attacks. Many feel that the banks should be held accountable for allowing the attackers’ mule accounts to be opened and the illicit funds transferred and laundered. Others place blame on the organization because, after all, it’s their money and their employee who wired that money. While some may argue that it’s best to make the employee pay, the employee will likely claim that he or she was simply following orders.
Despite the common, persistent, and often-costly nature of BEC, it seems that few of us can agree on exactly who is at fault when an organization loses money — not to mention time and resources. Although working to identify the culpable parties in the aftermath of an attack can raise awareness and help prevent the same fate from recurring in the future, many organizations still choose not to do so. Even worse, I’ve observed that some organizations pretend that BEC is not a problem at all — but rather, just “the cost of doing business”. Unfortunately, ignoring a problem will not make it go away. Indeed, the only result to emerge from this type of response is an elephant in the room.
So why do some organizations not recognize BEC as the serious threat it has long proven itself to be? This may be especially surprising in today’s day and age, as organizations are becoming more invested in bolstering cybersecurity, cybersecurity teams are growing more skilled at addressing complex cyber threats, and complex cyber threats are developing faster and appearing more frequently than ever before. What if I said that all of this hype and rush to invest in cybersecurity was actually part of the problem? Indeed, as this culture of all things cyber continues to be driven and even sensationalized by attention-seeking cybercriminals and media-headline-worthy cyber attacks, it can be easy to lose sight of unsophisticated, familiar threats like BEC. When a new and dangerous strain of malware is what’s exciting journalists and causing executives to expand their budgets and grow their cybersecurity teams, threats like BEC suddenly don’t appear so scary or even significant after all.
In short, BEC is often overlooked because, well, it’s not malware. To further illustrate my point, let’s take a look at the numbers. First, Evgeniy Bogachev, a cybercriminal currently wanted for his involvement with GameOver Zeus (GOZ) malware, caused a whopping $100 million in financial losses during the two years he was involved with the project. Successful BEC attacks, on the other hand, have racked up $3.1 billion over 3 years, which is over 20 times the financial damage caused by Bogachev. And yet, we aren’t talking about this because no malware or advanced cybercrime tactics are involved.
On the malware front, however, ransomware is shaping up to be a billion dollar market that security teams and executives around the world are paying close attention to. Meanwhile, BEC is already a billion dollar market — it just doesn’t receive the same level of attention. Even worse, there are numerous integral yet understated components of BEC that many organizations do not see. For instance, these attackers are also using romance, lottery, employment, and rental scams to exploit their victims. Much less known is the fact that W2 scams are part of BEC as well — the IRS issues warnings every year about more people being affected. Once the W2 data is stolen, attackers usually sell it on the Deep & Dark Web at anywhere from $4 to $20 per W2. With a single return allowing an attacker to extract thousands of dollars from the IRS — not to mention the serious damage to the victim organization and stolen identities for employees — everyone is affected.
As I mentioned, Flashpoint’s CEO was recently the target of a BEC attack. The attacker’s spoofed email, addressed from and to our CEO, told our CEO that he needed to make an urgent wire payment to a vendor.
Image 1. Wire transfer request
Once we initiated contact, the attacker asked Flashpoint to wire $37k to a bank account.
Image 2. Wire request
In another email correspondence, the attackers wanted Flashpoint to wire $96k to a foreign organization based in Shanghai, China.
Image 3. Wire request for $96k
After we told the attackers that Flashpoint does not have any vendors in China and that the transactions must be US-based, they were able to provide a new account number for transfer in less than 1 hour.
Image 4. Second wire transfer request for $96k to a U.S. account number
While these attacks may not always be extremely effective, many attackers have shown the ability to quickly adapt and wire money outside of an organization. Unfortunately, organizations fall victim to BEC daily, with an average of $2.8 million stolen every day, which means BEC matches in less than 18 days what GOZ did in 2 years. BEC is a problem for all of us, and no single individual or organization is solely to blame.
The sooner we acknowledge BEC as the elephant in the room, the sooner we’ll be able to address it, protect ourselves from it, and move along.
If you have witnessed and/or fallen victim to these types of scams, contact IC3 as well as your local FBI field office. Information can be submitted to IC3 here: https://www.ic3.gov/default.aspx