A primer on business email compromise scams

As good guys scramble to get ahead of hackers, attacks cost companies plenty


It is a devastatingly effective form of spear phishing that the FBI refers to as “business email compromise,” or a BEC attack.

Also known as “whaling” and “CEO fraud,” BEC attacks carry neither viral attachments nor malicious web links. Instead, they rely entirely on social engineering, usually spoofing someone in authority in order to persuade a subordinate to take immediate action, such as transferring funds or forwarding sensitive data.


More than 7,000 U.S. companies have been hit by BEC attacks since 2013, losing more than $740 million—and those are only the companies that reported crimes to the FBI. Since January, at least 55 companies have announced that they had fallen victim to one particular variation that lures employees into forwarding employee W2 forms, useful for creating fake tax returns, according to messaging security vendor Cloudmark.

This week, email security firm Mimecast released results of a March poll of 436 IT experts at organizations in the United States, U.K., South Africa and Australia. Some 67 percent of respondents reported an increase in attacks designed to instigate fraudulent payments, and 43 percent saw an increase in attacks specifically asking for confidential data like HR records or tax information.


ThirdCertainty recently sat down with Orlando Scott-Cowley, Mimecast’s cybersecurity strategist, to discuss why email remains a viable attack vector and where things stand in the arms race to maintain trust in email. Text edited for clarity and length.

3C: It’s amazing that email, after more than a decade, remains a major attack vector.

Orlando Scott-Cowley, Mimecast cybersecurity strategist

Scott-Cowley: It is, but also it isn’t. If you think about it, email is a very simple process. It doesn’t require any skill or any ability to hack someone’s network or their firewall or their wireless. Sending an email, even a whaling email where there’s no malware, takes almost no ability at all.

3C: Why is whaling (BEC attacks) rising so sharply?

Scott-Cowley: Cyber criminals have learned that not using malware is a great way of getting into organizations because there’s no path to look for. So there’s nothing to detect. They use social engineering to basically defraud people out of millions of dollars.

3C: The heavy lifting is in the preparation?

Scott-Cowley: The attackers will spend months, or even longer, researching the target, using sources like LinkedIn, Facebook, Twitter, or Google Plus. They build up a really good picture of that organization. What they want to know is who’s the CEO, who’s the CFO, who are the senior finance managers in the organization, who’s HR, who’s IT, and they can almost build an organizational chart.

And then when they’re ready to strike, they will send an email that looks as though it has come from the CEO, generally, or the CFO. They’ll sometimes use a spoof domain that looks very similar to your corporate domain name.

They’ll often use a fake display name as well, and they’ll target someone who’s senior enough in the organization, usually in the finance team, who has single signoff authority on wire transfers. They’ll try to trick them into making a wire transfer.

3C: What we’re seeing is not a fly-by-night thing; it’s a major trend?

Scott-Cowley: Yeah. It’s a big threat to enterprises now. A lot of people who have been affected by this have not had to admit it, because it doesn’t meet the requirements for breach reporting notification. And many times you could say there has not been a breach because no data leaked. The company just paid and quietly went on about their business, which is terrifying.

3C: How did spear phishing progress to this point?

Scott-Cowley: Progression is a great way of describing it. Two or three years ago, the threat was from malicious links in emails. As vendors, we found a way to solve that problem. At Mimecast, we rewrite the URL, so when the user clicks the link we scan the page, and we’ll block access to a malicious website.

The attackers learned that. They then moved on to weaponized attachments and hiding malicious macros in attachments, mostly Word documents and Excel files. They used the macros to basically pull the malware onto the desktop.

So, as vendors, we introduced sandboxing technology that basically runs the macro in the gateway before it gets to the inbox and looks at it and says, ‘Well, this is a Word document, it has a macro, but why is that macro talking to a website in Russia or China or somewhere?’

The attackers worked out that we were getting ahead of them blocking all of those different types of attacks, and so they started to turn toward whaling and social engineering, using the power of their words in the email to be able to con people out of millions of dollars.
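The look-alike spoof domain, the fake executive display name and the urgent wire-transfer or W2 request that Scott-Cowley describes are signals a mail gateway can score even when a message carries no malware. The Python check below is an added example, not code from the article or from Mimecast; the corporate domain, executive list and keyword list are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed sample values (assumptions, not from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}
URGENT_WORDS = ("wire transfer", "urgent", "w2", "w-2", "immediately")


def levenshtein(a, b):
    """Edit distance, used to spot one-character-off look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain):
    """Collapse common visual substitutions (rn->m, vv->w, 0->o, 1->l)."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(src, dst)
    return domain


def classify_message(from_header, subject):
    """Return the BEC indicators found in a message's From header and subject."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # External domain that visually or nearly matches the corporate one.
    if domain != CORPORATE_DOMAIN and (
        fold_homoglyphs(domain) == CORPORATE_DOMAIN
        or levenshtein(domain, CORPORATE_DOMAIN) <= 2
    ):
        findings.append("lookalike-domain")
    # Known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name-impersonation")
    # Sender spoofing plus a pressure-to-act subject is the classic BEC shape.
    if findings and any(w in subject.lower() for w in URGENT_WORDS):
        findings.append("urgent-financial-request")
    return findings
```

A gateway rule would quarantine or banner messages with two or more findings rather than block on any single one, since a lone near-miss domain can be a legitimate partner.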
