According to security vendor Trend Micro, losses caused by Business Email Compromise (BEC) schemes have cost companies around the world in excess of $2.3 billion over the last two years. The value of the scams is increasing as cybercriminals hone their attacks and go after bigger targets.
It is easy to think of this as just a financial crime with no victims other than large companies, but that is not the case. A few weeks ago the CEO of an Austrian aerospace manufacturer was fired after a scam cost the company €50 million. He wasn’t the only employee to be fired, but his dismissal has sent a message to the boardrooms of companies that nobody is immune when these things happen.
Three variations on a theme
The scams are often simple in their execution but rely on users not carrying out the proper checks. According to Trend Micro, there are three versions of the scam:
Bogus Invoice Scheme: This relies on getting an employee to transfer money to a fake account. The cybercriminal tells the employee that the company is changing its bank accounts, or that its bank accounts are temporarily frozen due to a local investigation. The employee is persuaded to transfer the money to a new account the cybercriminal has created, after which the cybercriminal disappears with the cash. This scam is sometimes run with the help of someone inside the company that issued the invoice, and sometimes through the compromise of a single account.
CEO Fraud: This relies on people not being prepared to question an email from their CEO. The CEO’s email account is hijacked and the employee is sent an email demanding that an invoice be paid or money transferred urgently to an account. It often includes statements saying that the CEO is going into a meeting and must have this paid, or that the payment is needed to prevent imminent court action. Because the email appears to come from the CEO or a senior member of the company with the authority to request the payment, staff often just process it without questioning it.
Account Compromise: This is a common fraud and one that turns up in a lot of people’s inboxes. An email account is compromised and everyone on the employee’s contact list is sent an invoice with an urgent request for payment. The same technique is used by cybercriminals looking to install malware on computers. In the latter case the goal is to get the invoice opened, while the former relies on some people simply paying the invoice without questioning it.
CEOs the most targeted
The reason this is often referred to as CEO fraud is that around 31% of the emails come from compromised CEO accounts, followed by those with the job title President (17%) and Managing Director (15%). This is a major cause for concern because, while the focus here has been on fraud, there are potentially many other ways that email from those at the top of a business can be used to compromise the company.
For example, it could be used to order goods to be dispatched or to place an order with a supplier. It could also be used to get highly confidential commercial data sent to a third party by naming them as an auditor or accountant.
Off-the-shelf toolkits being used
There are no special tools being used here. All of the tools that Trend Micro has discovered are off-the-shelf tools available to any hacker or cybercriminal. The most common are backdoors into computer systems, for which cybercriminals can end up paying anywhere up to $40 per target. Given the return from using the tool, this amount is so low as to be laughable.
There are other tools that can be used and these are equally cheap. What isn’t listed is the purchase of stolen credentials. These can be more expensive but are likely to be more current and save the cybercriminal a lot of time and effort.
Defence = education
There are a number of routes to reduce the risk of being caught out here. The most obvious is to always question these emails when they arrive. Even if they turn out to be genuine, the willingness to question them reduces the chance of a successful attack.
Using multi-stage payment processes where payments have to be signed off by more than one person is also important. This provides two people with the opportunity to question the initial email and further reduces risk.
Where the destination of a payment has changed, contact the new bank to confirm the account is valid. Also ask for confirmation from other named directors of the company before acting on the email.
Institute a process by which any payment request that seems suspicious gets reported to the police. A lot of organisations are loath to involve the police in case it makes them look foolish. However, if a payment request cannot be easily validated, reporting it to the police will not only help to start an investigation but is also likely to be required by cyber insurance policies.
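One way to encode the controls above (sign-off by two different people, and out-of-band confirmation with the bank and a named director whenever the beneficiary account differs from the vendor record) as a payment-release gate. This is an added illustration, not code from the article or from Trend Micro; the vendor record, account values and approver names are constructed placeholders, and the "urgent" flag is deliberately ignored by the checks because urgency is the lure, not a reason to skip them.

```python
from dataclasses import dataclass, field

# Constructed vendor master record: beneficiary accounts that were verified
# out of band when the vendor was onboarded. Values are placeholders.
VENDOR_MASTER = {
    "acme-parts": "ACCOUNT-PLACEHOLDER-001",
}


@dataclass
class PaymentRequest:
    vendor_id: str
    beneficiary_account: str
    amount: float
    urgent: bool = False                 # "CEO is going into a meeting" style pressure
    approvers: list = field(default_factory=list)
    out_of_band_verified: bool = False   # bank and a named director confirmed the change
                                         # by phone on a number taken from existing records,
                                         # never from the email that requested the payment


def approve(req: PaymentRequest, person: str) -> PaymentRequest:
    """Record a sign-off; the same person signing twice still counts once."""
    if person not in req.approvers:
        req.approvers.append(person)
    return req


def holds_for(req: PaymentRequest) -> list:
    """Reasons the payment must be held. An empty list means it may be released.
    req.urgent plays no part here on purpose."""
    holds = []
    if len(req.approvers) < 2:
        holds.append("needs sign-off from at least two different people")
    known = VENDOR_MASTER.get(req.vendor_id)
    if known is None:
        holds.append("vendor not in master record; onboard and verify before paying")
    elif known != req.beneficiary_account and not req.out_of_band_verified:
        holds.append("beneficiary account differs from record; confirm with bank and a named director")
    return holds


def may_release(req: PaymentRequest) -> bool:
    """True only when no hold applies; anything held goes for manual review or reporting."""
    return not holds_for(req)
```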
This is an insidious set of fraud schemes and scams that prey on those afraid to question orders from higher up in an organisation. With proper processes in place and employees encouraged to question things that seem abnormal, it is possible to defeat these attacks. The alternative is not just the risk of being fired but financial ruin for the company.