Business Email Compromise in Small and Mid-Size Companies
In a cold, fall morning I woke up to start my day. Per usual, it began with a quick check through my email.
Back then I was working for a big company managing a software business, and supporting stakeholders in about 30 different countries. Every morning started with an email check because it was important to respond to the folks relying on me from the other side of the world so they could continue their business with a full days delay.
Every morning was the same. I would first check how many new emails came in since I silenced my phone just before bed time. On a good day, it was 5 or 10. On a bad day, it was 50+ over about 8 hours. Unfortunately, that’s the norm for most employees.
After seeing how many new emails came in, I’d do a quick scan to see what was most important. Who needs information to close a deal? Who has a support issue? Which is spam? Which can I delete, and never think about again.
There’s one name that always took precedence, and always stuck out as I scrolled through dozens to hundreds of unread emails. My boss, Bob. What Bob needed, Bob got, first.
As with most employees, it’s easy to ignore the hundreds of emails that come in every week, but you always jump to support your boss.
That’s why when I had an email from Bob one morning that said, “Hey Jon. Traveling in Europe this week, can you make a wire transfer for me. I said, of course. Just send the details.” I wanted to be responsive and efficient.
After thinking about the request, I thought it was a bit strange and texted Bob just to make sure. That was quite fortunate, because the email wasn’t actually from Bob, and obeying the wire details sent by Scammer-Bob would have really put me in the hot seat.
Business Email Compromise and BEC Scams Prey on Human Nature
Business Email Compromise Scams (BEC Scams), or CEO fraud are quite common, and often end with a transfer out to the scammer. They prey on human nature, trust, and fear to steal money from an organization.
Cyber criminals know that the leadership are the big fish, and attacking them in a Business Email Compromise scam or with CEO Fraud will result in a higher pay day than someone in sales or marketing.
That means that executives like the CEO and CFO, and finance and accounting departments don’t just have to be able identify standard attacks, they also have to identify the more specialized attacks targeting the folks at your level of the organization like business email compromise and CEO fraud.
What is Business Email Compromise (BEC)?
Business Email Compromise and CEO Fraud is when a cybercriminal mimics an email account, impersonates an executive, and then asks an employee to execute an unauthorized wire transfer, or provide some other high value, confidential item like tax information.
There’s a similar, increasing threat of wire fraud scams in real estate transactions.
There are various attack vectors used in these attacks — Phishing, spear phishing, whaling, and social engineering. Learn about these and other social engineering attacks with examples. However, the process usually looks like this:
The CEO Fraud Process
First, the cyber criminal impersonates a trusted source — an executive, vendor, or a brand. The from line might show the CEOs name and target the CFO, the name of a brand like your bank and target the finance department, or the name of a vendor and target human resources.
Next, the attacker will wait for a response, and engage with their intended victim to set up for the ask. When the attacker builds trust and establishes a plausible scenario, they’ll request an action which is often a wire transfer.
The request might say, “Urgent Wire Transfer Request!” “I’m on vacation and need you to pay this invoice today.” Or the attacker might target the Human Resource department with a message requesting all employee W-2s.
Preying on Trust and Fear
Because these emails are seemingly coming from a high ranking person like a business owner or executive, the victim places high importance on responding to them. They want to do a good job quickly, and efficiently because it’s the boss.
That means the victim will make the wire transfer or share the confidential information without questioning or verifying the sender.
Once a transfer is made it’s difficult to get back. Making matters worse, an attacker that establishes trust often continue making requests from their victim for increasing amounts which can go on for months or even years.
Criminals may target a few thousand dollars, a few hundred thousand, or even millions of dollars in these scams. There are successful cases in each category in various sized organizations.
The FBI reported that Business Email Compromise (BEC) and CEO fraud cost businesses $12 billion dollars between December 2016 and May 2018. While the financial loss is often great, the collateral damage can be far reaching. In most cases executives(s) are fired, lawsuits are filed, the company reputation is at risk, and customers lose trust.
Business Email Compromise scams leverage weaknesses in technology and people, so preventing these scams requires a look at both.
My team (Wuvavi) focuses on the human element, and developing strategies to ensure employees understand how to identify the red flags of business email compromise and CEO fraud, but also how to respond and mitigate the risks.
The Role of Employees in Preventing BEC/CEO Fraud
The human element of prevention starts with developing a security policy. Companies should develop a specific policy on wire transfers that includes a chain of command and verification of requests.
Every wire transfer should require a two-step verification, and never rely on a sole request by email. The person initiating a wire transfer can add a second step to authentication by calling the requestor, or walking down the hall.
Executives must be supportive, and encourage employees to call even if the email says they are on vacation or unreachable. In addition, these policies and procedures should be disseminated across all employees and require employees to sign-off on the policy.
Security Awareness Training and BEC Scams
Security awareness training is an important piece of prevention as well. Ensure all employees receive awareness training and deploy simulated phishing attack to teach security awareness provider.
From a security awareness standpoint, these are the best practices that everyone in the organization should follow.
- Always used a second level of verification before sending wire transfers or sensitive, confidential information.
- Rather than responding to emails with ‘Reply,’ you should respond to emails with ‘forward to ensure you’re sending the email to the person you want to send it to, rather than a spoofed email.
- Never open suspicious emails , attachments, or download suspicious files because they might contain malware.
- Be careful about what you share on social media — cyber criminals use this information to plan and time their attacks — an executive posting about upcoming travel plans is a good time for a cyber criminal to initiate an attack.
If you fall victim to an attack, a quick response is key. Start with reporting to your financial institution. Wire transfers are near instant, and recovering funds is unlikely. A quick response provides the best opportunity to recover funds.
About Us
Wuvavi provides the world’s only cyber security awareness platform developed for small and medium sized businesses. Wuvavi allows SMBs to deploy enterprise grade awareness training and simulated phishing campaigns to their employees, track progress, and receive completion certifications. Learn more and sign up for a free trial.
Originally published at wuvavi.com on October 23, 2018.
