The Art of Deception: Business Email Compromise Scams

Business Email Compromise (BEC), Fraud Management & Cybercrime, Geo Focus: Asia

Exceture CISO and CyberEdBoard Member Mario Demarillas on the Rise of BEC Scams


April 29, 2024    


The Philippines just celebrated the 30th anniversary of the internet in the country. Thirty years ago, the first use of the internet was for electronic mail, or email, communication. I was a high school student then and used the internet to browse relevant research topics, as a search engine, to chat with friends and to send email correspondence to anyone in any part of the world. Later I ventured into online gaming, but email communication accounted for at least 80% of how I used the internet then.


Fast-forward to 2023. There are now 85.16 million internet users in the Philippines, equivalent to 73.1% of the total population. It is safe to assume that each of these internet users has at least one personal email account for internet/mobile banking, email correspondence, social media use and/or e-commerce transactions, and that the majority of those employed have at least one business email account.

The ubiquity of email has given criminals a channel for digital crime, including business email compromise, carried out through social engineering or through unauthorized access to email accounts. BEC attacks manipulate employees into transferring money or handing over confidential information to cybercriminals who use the compromised, spoofed or look-alike business email address of a senior officer, usually the president or CEO.

According to the U.S. Federal Bureau of Investigation, losses from BEC scams reported from October 2013 to December 2022 reached $50 billion. Losses reported as of December 2022 were 17% higher than those reported as of December 2021. A common scheme is to move the stolen money to a cryptocurrency exchange or to a financial institution that holds a custodial cryptocurrency account, because crypto transfers are fast and hard to claw back. The reported BEC scams cover all 50 U.S. states and 177 countries, and fraudulent transfers were sent to banks in over 140 countries, the FBI said.

Interpol's 2021 ASEAN Cyberthreat Assessment Report identifies BEC as the top cyberthreat in the region and says it causes huge financial losses for businesses at minimal cost and risk to threat actors. At the same time, the region has seen a sharp increase in digital transactions, even among small and medium enterprises, especially during the COVID-19 pandemic. This will be the trend for the next five to 10 years, and if it is not managed as a cybersecurity risk, BEC will remain a favored attack vector for cybercriminals.

Several BEC scam cases in the Philippines that I learned about or was asked to help with were not made public or reported to law enforcement. Regulated entities, such as financial institutions, are mandated to report these scams to their assigned regulator, but the others either write off the damages as financial losses, make the erring employees pay, or ask law enforcement for help in tracking the criminals.

Steps in a BEC Scam

Let's dissect how a BEC scam is done. It always involves email communication, and it rarely involves malware: the payload is a convincing message.

Step 1: Reconnaissance

The threat actor researches the target company (website, social media, press releases, leaked mailboxes) to learn who the executives are, how they write, which vendors the company pays, and who in finance approves and executes payments.

Step 2: Social Engineering

The attacker then either spoofs an email address (a social engineering tactic: a forged From: header, a look-alike domain, or just the CEO's name as the display name on an external mailbox) or takes over the real account (access compromise, typically via phishing or a reused password) and sends a phishing email to a finance manager or officer in which the attacker impersonates the CEO. The email carries the CEO's name, contact details and picture along with the company logo, and it is written in the CEO's usual tone.

Step 3: Request for Money Transfer

The email instructs the recipient to pay a known vendor by telegraphic transfer to a bank account. Although that account differs from the one in the company's financial records, the recipient assumes that, because the email comes from the CEO, its contents must be legitimate, and does not bother to verify the details. Urgency ("pay today", "I am in a meeting, do not call") is used to head off that verification.

Step 4: Money Transfer: Financial Loss

The money is transferred to an account controlled by the threat actor and is usually moved on within hours, which is why recall requests must go to the bank immediately.

This is the typical process. The context may change from CEO to lawyer or supplier (the "vendor email compromise" variant, in which a supplier's real mailbox is used to announce new bank details), and the goal may change from a money transfer to sensitive data such as personally identifiable information for identity theft, financial data, or intellectual property.

How to Counter BEC Scams

A BEC scam exploits a human vulnerability more than a technological or organizational one. We humans are trained from childhood to adulthood to trust implicitly in the physical world, where a familiar face or voice is hard to forge. We do not make an adequate transition in trust from the physical to the digital environment, where a name, a logo and a writing style are trivially copied, so scams such as BEC thrive in the digital world.

For organizations and individuals to gain the upper hand against BEC scams, they must have these countermeasures in place:

  1. For business-related correspondence, use the company's email system and not a personal one, so that the technical email controls below and the company's logging and retention apply.
  2. Email administrators should implement the technical controls that let other organizations detect mail forged in the company's name:
    • Sender Policy Framework, or SPF, a DNS record listing the servers allowed to send mail for the domain; a receiving server checks the connecting server against it. SPF checks the envelope sender, not the From: header the user sees, so on its own it does not stop a forged From: or a look-alike domain;
    • DomainKeys Identified Mail, or DKIM, which adds a cryptographic signature to every outgoing message, verifiable against a public key published in the sending domain's DNS, so the receiver can confirm the message came from that domain and was not tampered with in transit;
    • Domain-based Message Authentication, Reporting and Conformance, or DMARC, which ties SPF and DKIM to the From: domain the recipient actually sees (alignment), tells receivers what to do with mail that fails (monitor, quarantine or reject), and sends aggregate reports back to the domain owner. Start with p=none to find legitimate senders, then move to quarantine and finally reject.
    These three protect your own domain from being spoofed. They do nothing against a look-alike domain the attacker registers, a display-name spoof from a free webmail account, or a genuinely compromised account, which is why the remaining controls matter.
  3. Implement multifactor authentication on all email accounts, preferably a phishing-resistant method, and review mailbox forwarding rules, since attackers who gain access commonly add rules that hide their correspondence.
  4. Conduct awareness training for all employees and specialized training for key personnel who handle sensitive information and financial resources, using the CEO-urgent-wire scenario above as the drill.
  5. Do not open attachments or links from unknown senders; they may carry malware or a credential-phishing page that compromises the user's account.
  6. Implement endpoint security to protect against malware.
  7. Establish organizational/process controls that verify every payment request, fund transfer or request for sensitive data out of band: call the requester back on a number from the company directory, not one given in the email, and pay only to bank details held in the vendor master file, never to details supplied by email. Treat a change of vendor bank details as a new-vendor onboarding that requires the same verification.
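The following is an added example, not code from the author or the article, that makes concrete both the spoofed-CEO email of steps 2 and 3 above and the SPF/DKIM/DMARC and verification controls in the list. It parses a message's Authentication-Results header, applies DMARC-style alignment against the From: domain and a published policy, and then runs a few BEC heuristics (executive display name on an external domain, look-alike domain, mismatched Reply-To) that DMARC alone cannot catch. Every domain, DNS record, person and message in it is constructed for illustration; a real receiver would fetch the DNS records and use the Public Suffix List for organizational domains.

```python
"""
Added example for this article (not the author's or any vendor's code):
DMARC-style evaluation of one message plus simple BEC heuristics. All
domains, DNS records, names and messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS TXT records for the hypothetical domain example.com.
# A real receiver fetches these with DNS queries; here they are a dictionary.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r",
}
INTERNAL_DOMAIN = "example.com"   # hypothetical company domain
EXECUTIVES = {"jane doe"}         # hypothetical CEO whose name gets impersonated


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment (last two labels).
    Real implementations consult the Public Suffix List instead."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract SPF and DKIM verdicts plus the domain each one vouches for."""
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", header)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", header)
    return {
        "spf": (spf.group(1), spf.group(2).rsplit("@", 1)[-1]) if spf else ("none", ""),
        "dkim": (dkim.group(1), dkim.group(2)) if dkim else ("none", ""),
    }


def dmarc_policy(domain: str):
    """Return the p= tag of the domain's DMARC record, or None if none is published."""
    rec = DNS_TXT.get("_dmarc." + domain)
    if rec is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    return tags.get("p", "none")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate(raw_message: str) -> dict:
    """DMARC verdict, resulting action, and BEC warning flags for one message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # DMARC passes if SPF or DKIM passed AND that domain aligns with the From: domain.
    aligned = lambda d: bool(d) and org_domain(d) == org_domain(from_domain)
    spf_ok = auth["spf"][0] == "pass" and aligned(auth["spf"][1])
    dkim_ok = auth["dkim"][0] == "pass" and aligned(auth["dkim"][1])
    policy = dmarc_policy(from_domain)
    if policy is None:
        dmarc, action = "none", "deliver"   # no record: nothing for the receiver to enforce
    elif spf_ok or dkim_ok:
        dmarc, action = "pass", "deliver"
    else:
        dmarc = "fail"
        action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")

    # BEC heuristics: catch look-alike domains and display-name spoofing, which
    # DMARC does not. A genuinely compromised internal account passes everything.
    flags = []
    if display_name.lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        flags.append("executive display name from external domain")
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        flags.append("look-alike of internal domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("Reply-To domain differs from From domain")
    return {"dmarc": dmarc, "action": action, "flags": flags}


# Three constructed messages: a forged From:, a look-alike domain, and a genuine one.
SPOOFED = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=ceo@attacker.example; dkim=none
Subject: Urgent wire transfer

Please pay the attached invoice today. I am in a meeting, do not call."""
LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@webmail.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=jane.doe@examp1e.com; dkim=pass header.d=examp1e.com
Subject: Vendor bank details changed

Use the new account below for the next payment."""
LEGIT = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@mailer.example; dkim=pass header.d=example.com
Subject: Board deck

Slides attached."""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("look-alike", LOOKALIKE), ("legit", LEGIT)):
        print(name, evaluate(raw))
```

The forged message fails DMARC and is rejected because example.com publishes p=reject. The look-alike message passes SPF and DKIM for its own domain and has no DMARC record to fail, so the technical controls deliver it; only the heuristics raise flags. The genuine message passes through DKIM alignment even though SPF is not aligned (a third-party mailer sent it), which is the common case and why both mechanisms are deployed. A compromised real account produces the same result as the genuine message, which is the argument for control 7: the wire goes out only after an out-of-band call.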
