The lucrative cybercrime of business email compromise proves that even when using the simplest of social engineering tactics in context and with the right person, the take can be literally in the millions of dollars.
Money fraud is an all too common crime tactic where cybercriminals spear phish someone in an organization's finance or accounts payable department purporting to be a vendor, asking that payment arrangements be modified to benefit the cybercriminal. The FBI just released its latest Internet Crime Report summarizing what it saw throughout all of last year. According to the report, business email compromise (BEC) was responsible for over $1.77 billion in losses in 2019. That's just over half of the $3.5 billion in losses they document in the report.
In some cases, the attacks require little more than identifying the right individual and sending an email. In other cases, look-alike domains are created to establish credibility. In still other cases, cybercriminals go to even greater lengths, such as impersonating the CEO and holding phone meetings about monies needed for an investment or using deepfake audio to trick employees by sounding just like the CEO over the phone.
But fraudsters who employ BEC use a few common tactics to establish the illusion of legitimacy:
- Lots of diligence. These bad guys aren't randomly sending emails. They are doing their homework, scouring the company's website and sites like LinkedIn looking for the right person to target.
- Contextual requests. As part of that due diligence, the bad guys identify vendors and contractors the target already works with and impersonate them, so the request fits an existing relationship.
- Domain impersonation. Look-alike domains (e.g., adding an extra letter to a domain) can make it look like it's really the company that users think it is.
- Social engineering. Long gone are the days of the Nigerian prince. Today's scammer is making sure the emails are well written, establish credibility using detail and create a sense of urgency to get the potential victim to act.
What should organizations do to thwart these kinds of attacks? The answer lies in a mix of people, process and technology. Let's cover them in reverse order.
Technology. There are plenty of security products available today that scan an email to look at its attachments and links, its sender and recipient details, the domains used, domain reputation and even specific words used in the email. It's important to have tools like these in place to provide a layer of security that keeps as many potentially threatening emails as possible from ever reaching users.
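One check of the kind those tools perform, for the look-alike domains described earlier: flag a sender domain that is an exact match for no trusted vendor domain but is within a letter or two of one. This is an added illustration, not a product's code or the author's; the vendor list, the sample message and the distance threshold are assumptions constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list of domains the finance team legitimately does business with.
TRUSTED_DOMAINS = {"acme-supply.com", "northwind-logistics.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None.

    An exact match is legitimate; a near miss (extra, missing or swapped
    letter) is exactly the pattern a look-alike domain relies on.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None

def check_message(raw: str) -> dict:
    """Parse headers and report any From/Reply-To domain that imitates a vendor."""
    msg = message_from_string(raw)
    findings = {}
    for header in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        domain = addr.rpartition("@")[2]
        hit = lookalike_of(domain) if domain else None
        if hit:
            findings[header] = (domain, hit)
    return findings

# Constructed sample: a payment-change request sent from a domain with one extra letter.
SAMPLE = """From: "Dana Reyes" <dana.reyes@acme-suppply.com>
Reply-To: dana.reyes@acme-suppply.com
To: ap@example.org
Subject: Updated remittance details

Please update our bank details before the next payment run.
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))  # both headers flagged as imitating acme-supply.com
```

A hit here is a reason to route the message to the verification step described under Process, not proof of fraud by itself, since vendors do occasionally change domains.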
Process. Anytime a request is made that involves money -- from requesting that banking or payment details be changed, to inquiries about information around vendor relationships -- there needs to be a verification process. This needs to be mandatory, especially for users whose role has to do with money (e.g., accounts payable or finance department personnel). Use of a second medium -- typically the phone -- to verify the request is a good practice. That is, the person who receives the email initiates a call to the requestor using existing contact details (to avoid calling the criminal). This simple process change is quite effective. Using it would have been just the thing to save the government of Puerto Rico from losing $2.6 million.
People. While technology and process are certainly key to boosting an organization's security stance, without educated employees, those efforts are for naught. The reason these crimes work is people inherently trust communications that -- and here's the rub -- look authentic. If the email appears to be coming from the right person at the right company asking about the right payment, there are no red flags, right? Wrong. Users need to be educated through security awareness training that scams like these exist, how they transpire, what to look for when receiving a potential phishing email and what to do about it.
Stopping money fraud in its tracks
Eliminate is a strong, rarely used word in the world of cybersecurity, but it's feasible to eliminate BEC forms of money fraud. Remember, in every case, the cybercriminal needs to make a request for a banking change, a wire to be transferred or account details to be provided. All that is needed to stop these attacks is to make sure the request isn't honored.
People, process, and technology -- when used in concert -- can stop these attacks from being successful. The tech portion of this equation is the easiest. Getting people to be both more security-minded and to respond to processes as they are revised or updated will be the greatest challenge.
Business email compromises take organizations for millions each year. Keep yours from being added to the victim list by getting users to be vigilant and to pick up the phone to verify monetary transactions.