Handling a Business E-Mail Compromise

On June 14, 2016, the Federal Bureau of Investigation (FBI) released a Public Service Announcement (PSA) highlighting the increase in Business E-mail Compromise (BEC). BEC is “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.”[1] BEC, in essence, is a scheme in which official business e-mail accounts are compromised or impersonated in order to induce unauthorized fund transfers.[2]

BEC scams often begin with an attacker compromising a business executive’s email account or any publicly listed email. Using social engineering and other tools, the attacker then tries to determine who in the company initiates wires and who is authorized to request them. For example, a search of business networking sites can reveal an individual’s title or job description. Attackers usually aim to identify a company’s payables, or accounting department personnel who have access to disburse company funds. From there, the attacker uses various methods to dupe unsuspecting personnel into performing fraudulent wire transfers.

The victims of BEC scams range from small businesses to large corporations and deal in a wide variety of goods and services, indicating that no specific sector is being targeted. Statistics from the Internet Crime Complaint Center (IC3) show that between October 2013 and May 2016 there were 15,668 domestic and international victims.[3] The combined exposed dollar loss (actual and attempted) was $1,053,849,635.

The IC3 has determined that there are five main scenarios by which a BEC scam is perpetrated[4]:

  1. Businesses with a long-standing supplier relationship are asked to wire funds for invoice payment to an alternate, fraudulent account. “The request may be made via telephone, facsimile, or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request. This particular scenario has also been referred to as ‘The Bogus Invoice Scheme,’ ‘The Supplier Swindle,’ and ‘Invoice Modification Scheme.’”[5]
  2. In the second scenario, the e-mail account of a high-level executive (CEO, CFO, CTO, etc.) is compromised, and a request for a wire transfer is sent from that account to a second employee who is normally responsible for processing such requests. This scenario has also been referred to as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”
  3. In the third scenario, business contacts receive fraudulent correspondence from a compromised employee e-mail account. Requests for invoice payments to fraudster-controlled bank accounts are sent from the compromised account to multiple vendors identified from that account’s contact list. The business may not become aware of the fraudulent requests until a vendor follows up on the status of an invoice payment.
  4. In the fourth scenario, business executives and attorneys are impersonated. Victims report being contacted by fraudsters who identify themselves as lawyers or representatives of law firms, claim to be handling confidential or time-sensitive matters, and pressure the victim to act quickly or secretly in transferring funds.
  5. The fifth and newest scenario involves fraudulent e-mails requesting all employee Wage and Tax Statement (W-2) forms or a company list of Personally Identifiable Information (PII). This scenario does not always involve a request for a wire transfer; however, a business executive’s e-mail is again compromised, either spoofed or hacked, and the victims are targeted in the same manner as in the previous scenarios.

In the PSA, the FBI provides guidance on how businesses can increase awareness and understanding of BEC scams. Businesses that are adept at identifying BEC scams are more likely to avoid falling victim.
The PSA lists the following self-protection strategies[6]:
  • Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures, including the implementation of a 2-step verification process. For example:
    • Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
    • Digital Signatures: Both parties to a transaction should sign their e-mail with digital signatures (for example, S/MIME or PGP) so that a forged or altered payment request can be detected. Many free web-based e-mail services do not support this, and some countries ban or limit the use of encryption.
    • Delete Spam: Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
    • Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
    • Consider implementing Two Factor Authentication (TFA) for corporate e-mail accounts. TFA mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: something you know (a password) and something you have (such as a dynamic PIN or code). Prefer codes generated by an authenticator app or hardware token over codes delivered by SMS, which can be intercepted or redirected.
    • Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
    • Create e-mail gateway or intrusion detection rules that flag messages from sender domains that are similar to the company’s own domain: a dropped, added, or substituted character, a hyphen added or removed, a look-alike character such as “0” for “o” or “rn” for “m”, or a different top-level domain. For example, if the legitimate domain is abc-company.com, rules should flag mail from abccompany.com, abc-c0mpany.com, or abc-company.co.
    • Defensively register domains that are slightly different from the actual company domain (common typos, hyphen/no-hyphen variants, alternate top-level domains) so that attackers cannot.
    • Verify changes in vendor payment details (bank, account number, or remittance address) through a separate control, such as a call-back to a previously known number and a secondary sign-off by a second employee (dual control), rather than acting on the e-mail alone.
    • Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
    • Know the habits of your customers, including the details of, reasons behind, and amount of payments.
    • Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
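The look-alike domain rule above is easy to describe and easy to get wrong, so here is an added example (not code from the FBI PSA or from Ice Miller) of what such a rule looks like in practice. It normalizes a sender domain the way a hurried reader perceives it (case, hyphens/underscores, common look-alike characters), measures edit distance to the company’s real domains, and also flags the classic CEO-fraud pattern where a spoofed From address is paired with an attacker-controlled Reply-To. The company domain list, the glyph tables, the distance threshold, and the three sample messages are all constructed for the example.

```python
"""Added example: flag inbound mail whose sender domain impersonates a company domain.

Everything here (company domains, glyph tables, threshold, sample messages) is an
assumption constructed for illustration, not taken from the FBI PSA or the article.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domains this organization legitimately sends from.
COMPANY_DOMAINS = ["abc-company.com"]

# Single-character substitutions commonly used in lookalike domains (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Multi-character sequences that read like one letter in many fonts.
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(label: str) -> str:
    """Collapse a domain label to the string a hurried reader would perceive."""
    s = label.lower().translate(HOMOGLYPHS)
    for fake, real in MULTI_GLYPHS:
        s = s.replace(fake, real)
    return re.sub(r"[-_.]", "", s)  # abc-company, abc_company and abccompany all compare equal


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str):
    """Split 'name.tld'. Naive: treats the last label as the TLD. Production code should
    use the Public Suffix List so that, e.g., example.co.uk splits correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]


def classify_domain(sender_domain: str, company_domains, max_distance: int = 1) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for a sender domain."""
    sender_domain = sender_domain.lower()
    for legit in company_domains:
        if sender_domain == legit or sender_domain.endswith("." + legit):
            return "legitimate"  # exact match or a genuine subdomain
    sender_norm = normalize(split_domain(sender_domain)[0])
    for legit in company_domains:
        legit_norm = normalize(split_domain(legit)[0])
        # Same perceived name (only TLD, punctuation or glyphs differ) or a near-miss typo.
        if sender_norm == legit_norm or damerau_levenshtein(sender_norm, legit_norm) <= max_distance:
            return "lookalike"
    return "external"


def analyze_message(raw: str, company_domains) -> dict:
    """Apply the lookalike rule plus a Reply-To mismatch check to one RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To") or from_addr)
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    findings = []
    if classify_domain(from_domain, company_domains) == "lookalike":
        findings.append(f"From domain {from_domain!r} resembles a company domain")
    if reply_domain != from_domain:
        # A spoofed From paired with the attacker's own Reply-To is a classic CEO-fraud pattern.
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
        if classify_domain(reply_domain, company_domains) == "lookalike":
            findings.append(f"Reply-To domain {reply_domain!r} resembles a company domain")
    return {"from": from_addr, "reply_to": reply_addr, "flag": bool(findings), "findings": findings}


# Constructed sample messages (not real traffic): clean, lookalike From, spoofed From with rogue Reply-To.
SAMPLE_MESSAGES = [
    "From: Jane Doe <ceo@abc-company.com>\nTo: ap@abc-company.com\nSubject: Q2 numbers\n\nThanks.\n",
    "From: Jane Doe <ceo@abc-cornpany.com>\nTo: ap@abc-company.com\nSubject: Urgent wire\n\nPlease pay today.\n",
    "From: Jane Doe <ceo@abc-company.com>\nReply-To: ceo@abc-company.co\nTo: ap@abc-company.com\n"
    "Subject: Confidential\n\nCall me.\n",
]


def scan_samples():
    """Run the rule over the constructed samples; returns one result dict per message."""
    return [analyze_message(m, COMPANY_DOMAINS) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for result in scan_samples():
        print("FLAG" if result["flag"] else "ok  ", result["from"], result["findings"])
```

Two practical notes. First, the edit-distance threshold should be tuned to the length of your domain: a distance of 1 against a three-letter name will flag a great deal of legitimate mail, so short names are better served by the exact normalized match alone. Second, a rule like this belongs at the mail gateway, where it can add a visible banner or quarantine the message, and it complements rather than replaces SPF, DKIM and DMARC, which address a spoofed From but say nothing about a registered look-alike domain that the attacker controls outright.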
If you believe that your organization has already been victimized by a BEC scam, it is important to respond quickly. Contact your financial institution as soon as the fraudulent transfer is discovered and ask it to request a recall from the receiving bank; the chance of recovering funds drops quickly once they have been moved on. Alert your incident response or risk management team and your primary legal counsel immediately, and file a complaint with the IC3 at www.ic3.gov. If an employee account was compromised, reset its credentials and review its mailbox rules and forwarding settings, since attackers commonly add rules to hide their correspondence from the account owner. If you do not have an incident response team already in place, your legal counsel can help coordinate the necessary response actions. Additional information is available in the Ice Miller Data Breach Response Quick Reference. A swift response can reduce the total damage to your organization and your employees.

Ice Miller’s Data Security and Privacy practice helps clients assess risks. We work with clients to help them implement a strong data security and privacy program. Nick Merker, a former systems, network, and security engineer, is also a co-chair of Ice Miller’s Data Security and Privacy practice and speaks frequently on data privacy and security matters in the United States and abroad. Nick can be reached at nicholas.merker@icemiller.com or (312) 726-2504. Sid Bose, a former IT engineer, counsels clients on various data security and privacy issues dealing with online privacy, vendor contracts and agreements, IT audit and compliance, data breaches, disaster recovery, and business continuity planning. Sid can be reached at sid.bose@icemiller.com. Eric McKeown concentrates his practice in domestic and international data security and privacy, intellectual property litigation and government investigations. Eric can be reached at eric.mckeown@icemiller.com.

[1] Business E-Mail Compromise: The 3.1 Billion Dollar Scam, FBI Public Service Announcement, available at https://www.ic3.gov/media/2016/160614.aspx
[2] Security 101: Business Email Compromise (BEC) Schemes, available at http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/business-email-compromise-bec-schemes
[3] Business E-Mail Compromise: The 3.1 Billion Dollar Scam, FBI Public Service Announcement, available at https://www.ic3.gov/media/2016/160614.aspx
[4] Id.
[5] Id.
[6] Id.
