It’s 6 AM. Your organization’s finance director gets an urgent email purportedly from the CEO, requesting that he wire $600,000 to an overseas account to make an overdue payment. The CEO hardly ever emails him directly, and she’s counting on him to fix a bad situation. He blearily responds and completes the transfer. Three hours later, he discovers the transfer was a scam, and the money might not be recoverable…
If this were your organization, you would be only one of thousands of organizations to fall victim to this type of scam. By April 2016, the FBI had already tracked $2.3 billion USD of reported losses to Business Email Compromise (B.E.C.) scams. How do these scams work? What do they look like? And more importantly, how can you detect and prevent them as an organization?
Scammers need to choose a target in a position of authority sufficient to move money or sensitive tax records, yet still capable of being intimidated by a higher-level executive like a CEO or CFO. Unfortunately for companies, these victims are often easily found because they chose to list their employer, position, and responsibilities on social media sites like LinkedIn. Corporate websites that contain leadership bios can also be a goldmine for bad guys. An ideal target is a finance or HR manager: someone who might be able to authorize a large transaction or access personnel files outside of business hours without any oversight.
Once the scammers have chosen a target, they choose a high level executive in the company who they will “spoof”, or pretend to be. They will need to send an email pretending to be this person to a victim, and attempt to strong-arm him or her into providing money or data through intimidation and a sense of urgency. Once again, it’s fairly trivial for scammers to locate data about an organization’s CEO, CFO, or Director. The more data that is freely available on the internet, the easier it is for scammers to make a fake email look authentic. If they find a signature block for the person, or their real contact information, the email can be made to look quite real.
The scammers then craft a phishing email. The messages tend to be short and to the point – they address the target by name, state that it is of utmost urgency that he or she respond immediately, and may include a brief story describing why the request must be done quietly. All of these factors pressure the target into completing the transaction without informing management or following proper procedures. In certain instances, the “executive” may specify a go-between who will contact the target on their behalf. Often, the go-between is an attorney whose name and contact information has been appropriated for the purpose of the scam.
The scammers ensure the phishing email appears to come from the selected executive. There are three common ways of doing this. The first is setting the “from” address in the message to the executive’s real email, while leaving a hidden “reply-to” field pointing at the scammer’s mailbox. In many email clients, message details must be manually viewed to catch this trick. The second is registering a domain name a letter or two off from the organization’s, which looks correct unless it is read very carefully. The third and least common is actually gaining access to the executive’s mailbox via hacking or malware.
An example message might read like this:
I’ve got something important I need you to work on promptly. Over the next few days we will be completing an acquisition I have been working on for the last couple of months. We are required to make a deposit payment ASAP please. It’s important you understand this acquisition needs to remain private. I will brief you more about this later. What details will be needed to process the payment?
(212) 555 0235
Sent from iphone
Notice that unlike traditional phishing emails, there are few red flags in this message. It looks pretty authentic. Unless Emily (or her IT team) tells her email client to show the “reply-to” address, she will likely never see that the message was not truly sent from her CFO. Additionally, if Emily rarely gets messages directly from an executive, she could be really intimidated.
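The first two spoofing methods described above (a hidden “reply-to” that does not match the “from” address, and a lookalike domain a letter or two off from the organization’s) are both visible in the message headers, so a mail gateway or a simple triage script can flag them before a recipient like Emily ever has to dig through message details. The following is an added example, not part of the original article or of any Motorola Solutions tooling; the organization domain, the sample message and its addresses are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organization domain (constructed for this example).
ORG_DOMAIN = "example-corp.com"

# Constructed sample: "From" shows the executive's real address, while the
# hidden "Reply-To" uses a lookalike domain ("rn" in place of "m").
SAMPLE_MESSAGE = """\
From: "Jane Doe, CFO" <jane.doe@example-corp.com>
Reply-To: jane.doe@exarnple-corp.com
To: finance.director@example-corp.com
Subject: Urgent wire

I've got something important I need you to work on promptly.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains a letter or two off from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_flags(raw_message, org_domain=ORG_DOMAIN):
    """Return the reasons a message matches the two header-level B.E.C. tricks."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    # Trick one: replies silently go somewhere other than the displayed sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    # Trick two: a domain within two edits of ours that is not actually ours.
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if dom and dom != org_domain and 0 < edit_distance(dom, org_domain) <= 2:
            flags.append(f"{label} domain {dom} is a lookalike of {org_domain}")
    return flags
```

Running `bec_flags(SAMPLE_MESSAGE)` on the constructed message returns two flags, one for the reply-to mismatch and one for the lookalike domain; a message whose headers all sit on the real organization domain returns an empty list.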
Here are 10 suggestions from Motorola Solutions Managed Security Services for preventing and detecting B.E.C. phishing:
The FBI advises the following if you believe your organization has been the victim of a B.E.C. scam:
Lesley Carhart is Incident Response Lead, Security Operations Center at Motorola Solutions