Whale of an Attack — A Guide to Business Email Compromise

Whale of an Attack — A Guide to Business Email Compromise

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 3.40 out of 5)

BEC is one risk you absolutely cannot ignore!

“How to avoid spam filters.” A Google search on that phrase returns more than six million results. With 55% of email being spam, some of them will avoid your spam filter. Among those that get through will most likely business email compromise (BEC) attacks.

Business email compromise attacks are a type of phishing that targets business email. Also known as BEC fraud, a BEC attack usually involves the attacker taking over an email account within an organization. When that account is of a CEO or high-level executive, it’s known as whaling or CEO fraud.

Let’s take a look at an example of how such an attack unfolds. Michael works in the sourcing department of a global enterprise. He’s about to have a bad day:

Michael’s day started like any other. He just brought coffee number three back to his desk just in time to receive the email from his boss. It was a typical message asking him to handle a priority payment.

Despite the ordinary nature of the request, Michael paused. Something he couldn’t pin down was not quite right. He stopped and thought that further inspection was called for. The amount was a bit higher than he usually handles, but not outrageous. He looked carefully at the attached invoice; the same old form with company logo he always received. The wire transfer request was to the bank his company always used. Nothing seemed out of the ordinary. Michael wired the funds.

Later that day, Michael was informed that he had been a victim of a business email compromise attack. The email was, indeed, from his boss’ account. The account had been compromised by hackers. They did their homework, ensuring that the invoice looked legitimate and they used the same bank as Michael’s company. It’s easy to see why Michael put aside his initial suspicion.

This story is a business email compromise example based on an actual attack that took place last year. Three men in Spain launched the attack against at least 12 companies in at least five countries. They defrauded companies out of $11 million. To date, just over $1 million has been recovered. You can read more about the attack campaign on ZDNet.

Types of Business Email Compromise

There are quite a few different types of business email compromise — exactly how many depends on who you ask and how you classify attacks. In this article, we’ll categorize BEC attacks the same way the FBI does — and we’ll include five different BEC scenarios. Keep in mind, many real-world BEC attacks use elements from more than one of these types.

1. Business Working with a Supplier

Bogus! That term leaves no doubt that something is amiss and why this is most often referred to as the “bogus invoice scheme.” It is the scheme covered above that was used against Michael and his real-world counterparts. The invoice looked good because the hackers did their research well to make it resemble a legitimate invoice. Attackers can take their time gathering information to make the request seem as legitimate as possible. The intended target is usually under time constraints to respond. This gives the attackers a clear advantage.

In one case, the attacker impersonated an entire company, reeling in more than $120 million with his phish. His targets were Facebook and Google. Evaldas Rimasauskas registered and incorporated a company in Latvia with the same name as an Asia-based manufacturing vendor that Facebook and Google used. Then he sent phishing emails to employees that usually did business with the vendor. The emails directed the employees to use a new bank account for wire transfers.

The funds were transferred to Rimasauskas’ banks. Fortunately for Facebook and Google, it was traceable, and the money was subsequently recovered. Unfortunately for Rimasauskas, he was just sentenced to five years in prison, forfeiture of $50 million, restitution of $26.5 million, and two years of supervised release.

2. Executive Request for Wire Transfer

“CEO fraud” is commonly used to describe this type of business email compromise. The attacker takes over the email account of a high-level executive. They then, masquerading as an executive, asks an employee to wire money. The attacker usually gives the message a sense of urgency.

That is exactly what happened to Upsher-Smith Laboratories. The drug company unwittingly transferred tens of millions to hackers — repeatedly! Nine wire transfers, totaling more than $50 million, were made over a period of three weeks. The attackers impersonated the company’s CEO in phishing emails to accounts payable, who followed instructions to make the nine fraudulent wire transfers.

In some cases, rather than taking over an email account, the attacker registers a domain that is very close to the company’s name (for example, ibm.com). Then they send the email from that domain, hoping the slightly different domain name goes unnoticed.

Don’t take the term CEO fraud too literally. This BEC attack can target any high-level executive, director, or manager. BEC fraud may be a better term that you’ll also hear.

3. Fraudulent Correspondence Through a Compromised Personal Email

The goal of this type of BEC is to sneak past corporate security systems. The attacker takes over an executive’s personal email rather than their corporate email. They conjure up a pretext for why personal email is being used. They may also coax an employee to use their personal email. They may fabricate a reason, citing confidentiality, to do things such as buying gift cards as surprise rewards.

The 2016 DNC hack used this type of BEC fraud. The attackers first tried to hack into DNC email accounts. That failed, so they targeted personal emails accounts. A phishing email was sent to John Podesta’s personal email. He clicked the link in the email and the rest is history.

4. Executive and Attorney Impersonation

Confidentiality and urgency are used to motivate employees to help with a transfer of funds. After all, if the lawyers had to get involved, it must be important!

One unfortunate CEO fell for this business email compromise to the tune of a million dollars. He purchased property in Belize and made payments via wire transfer. The seller’s real estate attorney is Barrow and Williams. Email addresses at the firm use the domain barrowandwillliams.com.

A hacker had gained unauthorized access to the victim CEO’s email account. He saw learned of the purchase by reading the CEO’s emails. He knew the CEO was awaiting instructions to make the wire transfer.

So, he registered the domain name barrowsandwilliams.com. Did you catch the subtle difference? It’s easy to miss. Then, before the real attorney for the seller sent the wire transfer instructions, the hacker sent his own using that domain name. The CEO complied, wiring over $1 million to the hacker. You can read all of the details in the full criminal complaint.

5. Data Theft

This type of attack is often used as reconnaissance for other BEC attacks that follow. The data being sought is often W-2 forms or other personally identifiable information about employees. During tax season, you can expect to see more attempts to get W-2 forms, since it’s a more believable pretext at that time.

The CEO of Pivotal software was successfully impersonated in an email. It asked an employee to forward sensitive W-2 information on all employees that actually went directly to the hacker. A not-too-reassuring letter about the attack was sent to Pivotal employees.

While there was no money exchange in this business email compromise, W-2 information is valuable in a few ways. A bad guy can:

  1. Sell the data on the dark web
  2. Use the data for identity theft
  3. Use the data to launch other BEC attacks

9 Ways to Defend Against BEC Attacks

1. Trust But Verify

Better yet, don’t trust and verify, verify, verify! If you have any inkling that something is suspicious, contact the source directly. Never make a payment to a new account without verifying that it is legitimate. Do not check an email via email. Pick up the phone and call the source — and never use a phone number given in an email to verify!

2. Train All Employees on Security Awareness

Security awareness training is available from a number of vendors. Training, however, is only one component of a security awareness program. Some other components are:

  • Promotion — to advertise your security awareness program using a variety of media such as posters, emails, and webinars.
  • Security Ambassadors / Champions — typically a volunteer who is not part of the IT or security organization, who helps to promote security awareness and create a positive security culture within their department.
  • Gamification — to add an element of fun and to motivate participants
  • Executive Sponsorship — a critical component of your security awareness program. Executives must lead by example in not only supporting the program but by being an active participant in the culture of security awareness.
  • Advisory Board — Security awareness programs reach across the entire enterprise and are most effective with the involvement of marketing, human resources, and other departments beyond the obvious IT and security teams.

The goal of a security awareness program is to create a culture of security awareness; to make security a seamless part of the workday and even at home.

3. Verify the Site’s Secure and Is Legitimate

If directed to a website, check the lock icon in your browser and ensure that the site uses SSL and has a valid SSL certificate that’s owned by the right company.

Graphic: A screenshot of SectigoStore.com and its verified company info on the SSL certificate.

4. Use Multi-Factor Authentication for Corporate Email

Multi-factor authentication, or 2FA, is one of the most effective ways to protect email accounts. It requires more than just a password to log in. It requires something you know (a password) in addition to something you have (e.g., a token) or something are (e.g., a fingerprint).

Reprinted courtesy of the National Institute of Standards and Technology, U.S. Department of Commerce. Not copyrightable in the United States.

5. Set Email Options to Flag External Emails

There are a variety of ways to do this if your email system has the capability.

  • Set external emails in a color that’s different than internal emails
  • Blacklist domains you know to be malicious or risky
  • Whitelist domains you know to be safe
  • Trigger user prompts to accept or decline emails from risky sites

6. Use Digital Signatures in Email

Digital signatures allow the recipient to be confident that the email actually came from the sender and that the contents of the email have not been altered. This requires certificates. They can be obtained at low cost from providers like SectigoStore.com.

7. Detect and/or Block Emails from Domains That May be Masquerading as Your Domain

For example, Oracle should block orcarle.com. We’re not in the habit of carefully reading the “From:” line in our emails.

8. Detect and/or Block Emails That Have a “Reply To:” Address That Differs from the “From:” Address

Even more so than the “From:” line, most of us just don’t read the “Reply to” line.

9. If You’re Being Pressured to Act, Stop and Think!

Before you take any action, if something seems off or you’re being pressured by urgent messages, take a few moments to stop and think. Ask yourself if it sounds legitimate — and if not, go back to step one.

What If I Fall Victim to a BEC Attack?

According to the FBI’s, here are the three steps you should take if the attack resulted in the transfer of funds:

  1. Immediately contact the financial institution involved
  2. Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI might be able to help return or freeze the funds.
  3. File a complaint, regardless of dollar loss, via the FBI’s Internet Crime Complaint Center’s (IC3) complaint referral form.

Review the actions recommended in the previous section and implement any missing protections. Note that none of those actions include blame. Blaming employees for BEC attacks will only discourage them from reporting the incidents and from seeking advice. Review your security awareness program. This should be an ongoing process, not just once or twice a year, and use positive reinforcement.

Taking the right actions cannot guarantee that you will not fall prey to a business email compromise, but it can greatly reduce your chances. The FBI IC3 reported 166,349 BEC incidents with losses over the three-year period of June 2016 to July 2019 to be more than $26 billion. Given that, defending against BEC should be high on your priority list.

About the author

Eliot retired from his career as a cybersecurity consultant and executive to spend his time educating individuals and businesses on how to stay safe online. He's the founder of the Cybersecurity Awareness Project and a contributor to several online cybersecurity publications.

No comments

Leave a Reply

Your email address will not be published. Required fields are marked *