Business Email Compromise Scams


It has recently been reported that several technology companies have become victims of a common type of email scam known as a Business Email Compromise (“BEC”) or “phishing” scam.

The example of Snapchat Inc. is typical.  The hackers sent emails to individuals in its payroll department that purported to be from its CEO, Evan Spiegel.  Following the hackers’ instructions, the company e-mailed an unspecified number of W-2s to the fake “Evan Spiegel.”  The hackers wanted the W-2s so that they could file false tax returns.

Even more dangerous are BEC scams where a finance-department employee is fooled into executing a wire transfer into a hacker’s bank account, often overseas.  Consider this list of losses, all since 2014:

– Ubiquiti Networks, $46.7M

– XOOM Corporation, $30.8M

– Scoular Company, $17.2M

– Medidata, $4.8M

– Wright Hotels, $1M

How are the criminals getting away with such enormous fraud?  One word:  Acting.

Cyber criminals are often like stage actors.  They don’t care what role they are given, as long as they get a part in the production.  The role that they choose just depends on the situation – and in the world of cyber crime, this means what information they have been able to steal.

Perhaps the most well-known of all financial fraud roles – the “Hamlet” of email fraud – is that of the infamous Nigerian prince.  This unfortunate aristocrat is desperate for assistance transferring money to an out-of-country bank account, and somehow the only solution is to send unsolicited e-mails to individuals he’s never met. The poor victim is usually tricked into sending money under the false promise of a share of the royal fortune.

The role of a Nigerian prince is easy for any foreign actor/hacker to take on, because there is no need to hide their poor English grammar.  And they don’t really need to know anything about their victims.  Anyone with a bank account outside of Nigeria is a potential target.

But BEC fraud is much worse than unsolicited emails.  These are cases where cyber criminals have hacked into an e-mail system to gather detailed information, which helps them decide what role they will be playing. The roles may be less glamorous than a Nigerian prince, but they require believable communication and a strong understanding of human nature.  They certainly require proper English grammar.

The three main roles the hackers play are:  (1) a “C-Suite” or top-level employee (CEO or CFO); (2) a lower-level employee, ideally in the finance or accounting department; and (3) a new vendor.  Which role they choose depends upon the information they are able to obtain, which sometimes just means which e-mail account(s) they’ve successfully breached.

Role One – The C-Suite

Information Needed:  Hack of CEO’s E-mail, CEO’s Travel Plans, E-mail Addresses of Finance Staff

If a hacker gets into a CEO’s e-mail account, the scam usually depends upon striking at just the right moment.  The hackers will bide their time until the CEO is out of the office and difficult to reach.  That is when they will send an e-mail “from the CEO” instructing a lower-level finance person to wire funds to the hacker’s overseas account as part of a “confidential” new transaction.  The e-mail will demand strict secrecy, the hope being that the finance person doesn’t ask questions or talk about it to any colleagues.  By the time the CEO returns to the office, the money is gone and the finance person hasn’t mentioned it to anyone.
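As an added illustration (not part of the original article), the script below scores an inbound message on the signals the scenario above relies on: a display name that matches an executive but arrives from a different address, a look-alike sender domain or a Reply-To pointing elsewhere, and urgency, secrecy or wire-transfer language in the body. The company domain, the executive directory, the term lists and both sample messages are constructed for the example and are not from the article.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example; replace with your own domain and directory.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane example": "jane.example@example.com"}  # display name -> real address

URGENCY_TERMS = ("urgent", "immediately", "asap", "today")
SECRECY_TERMS = ("confidential", "do not discuss", "keep this between us", "discreet")
PAYMENT_TERMS = ("wire", "wire transfer", "transfer funds", "w-2", "bank account")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw_message):
    """Return (score, reasons) for one RFC 822 message; score is the number of signals hit."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)

    # Signal 1: executive's name on a mailbox that is not the executive's.
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # Signal 2: sender domain within two edits of ours but not ours.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain {from_domain}")

    # Signal 3: replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Signal 4: the language pattern described in the article (urgency, secrecy, money).
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    for label, terms in (("urgency", URGENCY_TERMS), ("secrecy", SECRECY_TERMS), ("payment", PAYMENT_TERMS)):
        hits = [t for t in terms if t in text]
        if hits:
            reasons.append(f"{label} language: {', '.join(hits)}")

    return len(reasons), reasons


# Constructed sample messages.
SUSPECT = """From: Jane Example <jane.example@examp1e.com>
Reply-To: Jane Example <ceo.jexample@mail-example.net>
To: payroll@example.com
Subject: Confidential request

I am travelling and hard to reach. Please process a wire transfer today for a confidential acquisition. Do not discuss this with anyone.
"""

BENIGN = """From: Jane Example <jane.example@example.com>
To: payroll@example.com
Subject: Board deck

Attached is the draft board deck for review next week.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        score, reasons = assess(raw)
        print(f"{label}: score {score}")
        for r in reasons:
            print("  -", r)
```

A score of zero does not prove a message is genuine; the point of the script is that a high score on a request to move money or send tax records should force the recipient to verify the request by a channel other than the e-mail thread, which is exactly what the secrecy demand is designed to prevent.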

Role Two – Regular Employee(s)

Information Needed:  Hack of Regular Employee’s E-mail, Repeat Customers’ E-mail Addresses

If a hacker gets into one or more of the regular employees’ e-mail accounts, the victims of the scam are the company’s repeat customers.  In this scenario, the hackers use the account to identify repeat customers who have outstanding invoices, and then request a change of the pay-to bank account.  It is increasingly critical for staff who pay invoices to confirm any requested change to pay-to information through a channel other than the e-mail that requested it.

Role Three – New Vendor

Information Needed:  E-mail address of Accounts Payable Staff

In some cases, hackers aren’t able to break into the e-mail system, so they use other methods to determine an employee’s role in an organization.  They will target Accounts Payable staff with bogus invoices requesting immediate payment.  A standard account-confirmation system would catch this type of fraud, but some companies, especially start-ups with lean administration, can be victims of this scam.

Each scam is different, depending upon the information available to the fraudster.  They will hack into e-mail systems and use social engineering to collect whatever information they might be able to get.  Once they have something useful, they are off to the races with fraudulent e-mails.  And the losses are not small, sometimes in the millions of dollars.