Business e-mail compromise (BEC) is a targeted scam in which attackers harvest employees' e-mail addresses and roles from publicly available sources and then use e-mail to defraud the company. The goal is money and sensitive business information: partner and vendor details, account and transaction data, and anything else that makes the next fraudulent request more convincing.
BEC messages are crafted to look as if they come from the real account owner so that customers, partners or employees act on them, for example by following a link to an attacker-controlled website. It is also called a "man in the e-mail" attack, by analogy with a man-in-the-middle attack: the attacker inserts themselves into an existing e-mail conversation and alters or forges messages so that each party believes it is still talking to the other, while the attacker harvests their information or redirects their payments.
The FBI's 2019 public service announcement called BEC "The $26 Billion Scam", the figure being the exposed losses reported to it between June 2016 and July 2019; BEC affects many businesses every year.
How does a BEC attack take place?
A BEC attack starts with basic reconnaissance: collecting the names, job titles and employer of the target employees from social media and other public sources. The attacker then sends a single e-mail or a bulk campaign to the targets from a spoofed or look-alike domain.
For example, the attacker might send from "[email protected]" instead of "[email protected]". The difference is a character or two and is easy to miss when replying with sensitive data; if nobody spots it, the whole organization can end up compromised.
Techniques used for BEC (business e-mail compromise)
- Phishing – Generic phishing and, more often, spear-phishing: e-mails crafted to look as if they come from a trusted vendor or a known address, designed to make the recipient reveal confidential information. For example, attackers send attachments (PDF, DOC, JPEG, etc.) that install malware when opened and give the attacker access.
- E-mail spoofing with look-alike domains – Sending from an address that differs only slightly from a known one ([email protected] instead of [email protected]) so that the target does not notice the fake domain.
- Malware – Malicious software used to get into the target network and read e-mail and invoice data. That information is then reused in messages to the finance department to obtain account details or redirect payments, while the attacker keeps undetected access to the enterprise's financial information.
Types of business e-mail compromise attacks
- Data theft – Targets the HR department to obtain employee and executive details (reporting hierarchy, projects, personal information) that are used to make later attacks more convincing.
- Fake invoices – Import/export companies with many suppliers are a common target: the attacker sends an invoice that looks like a supplier's and asks that payment be made to an account the attacker controls.
- Account compromise – Once an employee's mailbox has been taken over, the attacker uses it to send that employee's vendors requests to pay outstanding invoices into the attacker's fraudulent accounts.
- Attorney impersonation – The attacker poses as a lawyer or law-firm representative handling a sensitive, confidential matter, typically targeting junior employees who lack the knowledge or authority to question the request.
- CEO fraud – The attacker poses as the CEO (or another executive) and e-mails individuals in the finance department asking for an urgent transfer of funds to the attacker's account.
Protection against business e-mail compromise
Some common ways to protect against BEC attacks:
- Payment verification – Verify every payment request, new payee or change of bank details through a second channel (a phone call to a number already on file, not one taken from the e-mail), and require multi-factor authentication (MFA) on mailboxes and payment systems so that a stolen password alone is not enough.
- Always check that a URL really points at the company's domain. Do not click links in e-mails that ask you to transfer funds to a senior executive's account.
- Check that the address the message was sent from matches the address that appears when you press "reply" in your mail client (Outlook, Gmail, etc.); a mismatch between the From and Reply-To addresses is a common sign of fraud.
- Be careful when downloading attachments from unknown senders; PDF, Word and JPEG files can carry embedded malware.
- Deploy e-mail filtering or intrusion detection that flags senders whose domain is a look-alike of your own, so that when the legitimate domain is xyz.company.com a message from xyx.company.com is flagged.
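The reply-address, look-alike-domain and link checks in the list above, as an added example that is not part of the original article: a small Python checker that parses a raw message and reports the BEC indicators described above. The company domain xyz.company.com is taken from the list; the executive name, the confusable-character table and both sample messages are constructed for this example and are not real captures.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed for the example: the organisation's real domain (from the article's
# list) and a hypothetical executive whose display name is worth protecting.
COMPANY_DOMAIN = "xyz.company.com"
EXECUTIVE_NAMES = {"jane doe"}

# Character pairs that look alike in common fonts; attackers swap them in domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold confusable characters so 'cornpany' compares equal to 'company'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True when `domain` imitates `legit` without being it or one of its subdomains."""
    domain, legit = domain.lower(), legit.lower()
    if domain == legit or domain.endswith("." + legit):
        return False  # the real domain or a genuine subdomain of it
    if domain.startswith(legit + "."):
        return True  # real domain used as a prefix of some other registrable domain
    return edit_distance(domain, legit) <= 2 or normalize(domain) == normalize(legit)


def analyze(raw: str) -> list:
    """Return the BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Sender domain imitates the company domain (xyx.company.com vs xyz.company.com).
    if is_lookalike(from_domain):
        findings.append(f"look-alike sender domain: {from_domain} vs {COMPANY_DOMAIN}")

    # 2. Pressing "reply" would send the answer somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_addr}")

    # 3. Display name claims to be an executive but the address is not ours (CEO fraud).
    if from_name.lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive display name '{from_name}' from external address {from_addr}")

    # 4. Links that do not point at the company domain, and urgent payment language.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    for url in re.findall(r'https?://[^\s<>"]+', body):
        host = (urlparse(url).hostname or "").lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            findings.append(f"link to non-company host: {host}")
    if re.search(r"\b(wire|transfer|payment|invoice)\b", body, re.I) and re.search(
        r"\b(urgent|today|immediately|confidential)\b", body, re.I
    ):
        findings.append("urgent payment language in body")
    return findings


# Constructed sample: CEO fraud from a look-alike domain, with a Reply-To pointing
# elsewhere and a link whose host merely starts with the company domain.
SAMPLE = """\
From: Jane Doe <jane.doe@xyx.company.com>
Reply-To: Jane Doe <jane.doe@mail-xyz-company.net>
To: accounts@xyz.company.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Please process the attached invoice today; it is confidential.
Details: https://xyz.company.com.payment-portal.net/invoice/4411
"""

# Constructed sample of a legitimate internal message for comparison.
CLEAN = """\
From: Jane Doe <jane.doe@xyz.company.com>
To: accounts@xyz.company.com
Subject: Board pack
Content-Type: text/plain; charset=utf-8

Slides are on https://intranet.xyz.company.com/board as usual.
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, analyze(raw) or "no indicators")
```

The checker is deliberately conservative: a genuine subdomain of the company domain is never flagged, while the company domain embedded as a prefix of another registrable domain (xyz.company.com.payment-portal.net) is, because that is how look-alike hosts are usually built. Any one finding is a reason to verify the request out of band; several together are a strong sign of BEC.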
Examples of major business e-mail compromise scams:
1. Google and Facebook, $121 million – One of the largest known BEC scams. Between 2013 and 2015 Evaldas Rimasauskas, posing as a supplier to both companies, sent forged invoices, contracts and letters so that the transfers would be approved, defrauding the two tech giants of about $121 million in total. Rimasauskas was sentenced to five years in prison in 2019.
2. Ubiquiti, $46.7 million vendor fraud – Scammers impersonating a third-party vendor targeted Ubiquiti's finance department with requests to settle vendor payments, and the company transferred $46.7 million to attacker-controlled accounts before the fraud was noticed. This variant, in which a supplier rather than an executive is impersonated, is known as vendor e-mail compromise (VEC).
3. Nikkei, $29 million – Nikkei, one of Japan's largest media groups, owner of the Financial Times and namesake of the Nikkei stock index on the Tokyo Stock Exchange, reported in September 2019 that an employee of its US subsidiary, Nikkei America, had transferred about $29 million on the instructions of an e-mail that appeared to come from an executive of the parent company in Japan.
4. Toyota Boshoku, $37 million – In August 2019 Toyota Boshoku, the Toyota group subsidiary that supplies seats and other interior components, lost about $37 million. According to news reports the attackers posed as a business partner and e-mailed staff in the finance and accounting department requesting payment to accounts the attackers controlled.
5. Shark Tank's Barbara Corcoran – Barbara Corcoran, who made her fortune as a real-estate broker and is one of the investors on the TV show "Shark Tank", was defrauded of nearly $400,000 in February 2020. Her bookkeeper received an e-mail that appeared to come from Corcoran's assistant and approved an invoice for a real-estate renovation; analysis traced the impersonating address to a Chinese IP address. The money was recovered because the German bank through which the transfer was routed held the funds long enough for the transaction to be proven fraudulent before they were forwarded to the attacker's account in China.
Conclusions and recommendations:
The examples above show that attackers target businesses of every size, from large enterprises to small firms. BEC is difficult to detect and prevent with legacy security tools:
the attacker often uses no malware and no malicious URL that a cyber defence system could analyse, relying on human error rather than on a technical exploit.
Enterprise security controls therefore remain essential, but awareness training on phishing and spear-phishing is just as important, because spotting a fraudulent sender address or URL requires attention and analytical skill rather than technical expertise.