Don’t be a Whale – How To Detect the Business Email Compromise (BEC) Scam | Tripwire

Don’t be a Whale – How To Detect the Business Email Compromise (BEC) Scam

Posted on October 8, 2017
Don’t be a Whale – How To Detect the Business Email Compromise (BEC) Scam
According to the figures from the FBI, through December 2016 cyber thieves stole over $2 billion from 24,000 businesses using a scam that starts when business executives’ or employees’ email accounts are compromised or spoofed (BEC scam). Criminals are able to steal money with the help of an unwitting accomplice: an employee who is fooled into submitting a wire request. From the perspective of the company’s financial institution, the transaction appears completely legitimate. Even confirmation calls or other out of band authentication will reach the employee who did indeed submit the request.

Description Of the Scheme – Fraudsters Do Their Homework

There are at least three versions of this scheme. They all start with in-depth reconnaissance as a criminal learns key details about their intended victim, how they’re structured, and who to target in order to make the attack as convincing as possible. They will try to compromise an employee’s email account to see what they can learn and will check publicly available information. They are looking for:
  • General information about the company, where it does business, and with whom
  • Names and titles of company officers
  • Management organizational structure: who reports to who
  • Information on new rounds of funding
  • Information on new products and services, or patents
  • Product or geographic expansion plans
  • Travel plans
Once they know who to impersonate, who to target, and what message will be the most believable, they establish a means of emailing the fraudulent request.  If they’re able to compromise an executive’s email account, they control email flow to avoid detection. They might set up inbox rules, such as creating a rule to redirect or delete certain email within the attack, preventing the legitimate owner of the account from seeing these emails. Or they may edit the “Reply to” addresses so if someone replies to an email related to the scam, the reply goes to an email address set up by the fraudster. If they haven’t been able to compromise an exec’s email account, they create a look-alike domain (a “spoofed” email domain), such as:
  • …@companyABDC.com instead of …@companyABCD.com
  • …@company_name.com instead of …@company-name.com (underscore instead of a hyphen).
  • They replace an “m” with an “r” and an “n”.
Now that the fraudster knows what to say to whom, and how, here are some examples of specific attacks.

Example 1: Email from a company executive

  1. A criminal compromises or spoofs the email account of an executive, such as the CFO.
  2. The criminal sends a request for a wire transfer from the compromised account to an employee who is responsible for processing these requests and is subordinate to the executive, such as the Controller.
  3. The Controller submits a wire payment request, as per instructions from her “boss.”
Another version starts with mocking up a fake email from the CEO, for example, to the CFO. The criminal uses the CFO’s compromised or spoofed email account to forward the fake CEO email to the Controller asking that she issue the wire “at the CEO’s request,” adding urgency and legitimacy to the request.

Example 2: Invoice From supplier or business partner via spoofed email address

  1. A fraudster compromises the email of a business user employed by their target company, for example, someone in Accounts Payable.
  2. The criminal monitors email of the business user looking for vendor invoices.
  3. The criminal finds a legitimate invoice and modifies the beneficiary information, such as changing the routing number and account number to which payment is to be sent.
  4. The criminal spoofs the vendor’s email to submit the modified invoice. It doesn’t require compromising the vendor’s email system, but it instead sends the invoice from an email address that is so close to the domain of the vendor that most people would miss the change (see earlier examples).
  5. The email explains that they (the vendor) has updated its payment processes, which explains the new account details.
  6. Accounts payable, recognizing the vendor name and services provided, processes the invoice and submits a wire request for payment.

Example 3: Email From an attorney regarding a business acquisition

  1. The finance department receives an email from a criminal pretending to be the CEO regarding a secret company acquisition. The email emphasizes the sensitive nature of the deal, making the employee feel special by being included by the CEO in this confidential operation.
  2. The email explains that an attorney working on the acquisition will follow up with the wire instructions.
  3. The criminal, posing as the attorney, follows up by email or phone with the wire payment details as the original email from the CEO stated he would.
  4. The finance department submits the wire request for payment.
These schemes hinge on an email request that appears completely legitimate, either coming from an actual email account or one that is so similar that all but the closest scrutiny would miss the variation.
The FBI Alert warned, "The requests for wire transfers are well‐worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.” Gone are the days of the obvious warning signs of criminal activity, such as bad grammar and spelling, or unrealistic scenarios.

How To Detect Suspicious Wire Requests Resulting From the BEC Scam

Here are some techniques for detecting fraudulent payments submitted as a result of the BEC scam:
  1. Confirm the request with the executive by creating a new email and entering their known email address; don’t reply to the suspicious email as it will likely go to the criminal. If this feels a bit awkward, ask yourself, “would you rather ask your CEO or CFO to confirm a wire request or have to tell them you’ve just processed a fraudulent wire transfer?”
  2. The emails typically have a similar tone, urging secrecy and expedience. So set up your email gateway to flag key words such as “payment”, “urgent”, “sensitive”, or “secret”.
  3. Although the late-stage emails used in BEC may not contain malware, malicious code is often used as part of an overall BEC scheme to initially compromise an employee’s email account, so make sure you have an effective malware detection solution in place.
  4. Register all domains that are slightly different from the actual company domain.
  5. Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary. Know the habits of your customers, including the details of, reasons behind, and amount of payments.
To learn more about how Tripwire and Lastline greatly reduce the time needed to accurately detect and protect against advanced and evasive threats from the network edge to endpoint systems, click here.  
John-Cloonan.jpg
About the Author: John Cloonan is Director of Products for Lastline with a passion for creating innovative information security solutions. Of his nearly 25 years of professional experience, he has spent more than 15 years in Information Security software development and service delivery. Prior to Lastline, John was the Program Director for Threat Intelligence at IBM, and previously worked at Tripwire, SecureWorks, and GuardedNet.  Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.  
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!