
Understanding, Preventing, and Detecting Business Email Compromise Scams

Created Jun 02 2016, 5:00 AM by Lesley Carhart

It’s 6 AM. Your organization’s finance director gets an urgent email purportedly from the CEO, requesting he wire transfer $600,000 to an overseas account to make an overdue payment. The CEO hardly ever emails him directly, and she’s counting on him to fix a bad situation. He blearily responds and completes the transfer. Three hours later, he discovers the transfer was a scam, and the money might not be recoverable…

If this were your organization, you would be only one of thousands of organizations to fall victim to this type of scam. By April 2016, the FBI had already tracked $2.3 billion USD of reported losses to Business Email Compromise (B.E.C.) scams. How do these scams work? What do they look like? And more importantly, how can you detect and prevent them as an organization?

Scammers need to choose a target in a position of authority sufficient to move money or sensitive tax records, yet still capable of being intimidated by a higher level executive like a CEO or CFO. Unfortunately for companies, these victims are often easy to find because they list their employer, position, and responsibilities on social media sites like LinkedIn. Corporate websites that contain leadership bios can also be a goldmine for bad guys. An ideal target is a finance or HR manager: someone who might be able to authorize a large transaction or access personnel files outside of business hours without any oversight.

Once the scammers have chosen a target, they choose a high level executive in the company who they will “spoof”, or pretend to be. They will need to send an email pretending to be this person to a victim, and attempt to strong-arm him or her into providing money or data through intimidation and a sense of urgency. Once again, it’s fairly trivial for scammers to locate data about an organization’s CEO, CFO, or Director. The more data that is freely available on the internet, the easier it is for scammers to make a fake email look authentic. If they find a signature block for the person, or their real contact information, the email can be made to look quite real.

The scammers then craft a phishing email. The messages tend to be short and to the point – they address the target by name, state that it is of utmost urgency that he or she respond immediately, and may include a brief story describing why the request must be done quietly. All of these factors pressure the target into completing the transaction without informing management or following proper procedures. In certain instances, the “executive” may specify a go-between who will contact the target on their behalf. Often, the go-between is an attorney whose name and contact information has been appropriated for the purpose of the scam.

The scammers ensure the phishing email appears to come from the selected executive. There are three common methods by which they do this. The first is setting the visible “from” address in the message to the executive’s real email address while putting the scammer’s mailbox in the “reply-to” header, so that the message looks genuine but any reply goes to the scammer. Many email clients show only the sender’s name or address by default, so the message headers must be viewed manually to catch this trick. The second is registering a domain name a letter or two off from the organization’s, which looks correct unless it is read very carefully. The third, and least common, is actually gaining access to the executive’s mailbox via hacking or malware, in which case the message really does come from the executive’s account.

An example message might read like this:

From: Tony Jackson – CFO (tony.jackson@example.com)
To: Emily Lee- Accounting (emily.lee@example.com)
Reply-To: (tonyjacksoncfo@webmail.example)
Subject: Request

Emily,
I’ve got something important I need you to work on promptly. Over the next few days we will be completing an acquisition I have been working on for the last couple of months. We are required to make a deposit payment ASAP please. It’s important you understand this acquisition needs to remain private. I will brief you more about this later. What details will be needed to process the payment?

Regards,
Tony Jackson
CFO
(212) 555 0235
Sent from iphone

Notice that unlike traditional phishing emails, there are few red flags in this message. It looks pretty authentic. Unless Emily (or her IT team) tells her email client to show the “reply-to” address, she will likely never notice that her reply is going to a mailbox other than her CFO’s. Additionally, if Emily rarely gets messages directly from an executive, she could be really intimidated.

Here are 10 suggestions from Motorola Solutions Managed Security Services for preventing and detecting B.E.C. phishing:

  1. Train and encourage your employees to report suspicious messages to somebody who can review them and respond in a timely manner.
  2. Establish a social media policy for employees, and monitor what organizational data is publicly posted on the internet.
  3. Ensure that employees in sensitive positions are aware of B.E.C. campaigns.
  4. Have your IT department label all emails which come from outside your organization as “EXTERNAL”. Most mail servers support this, and the label can be added to the subject line or message body.
  5. Have your IT department deploy email digital signatures (for example S/MIME) if possible, so that a genuine message from an executive can be verified rather than trusted on appearance.
  6. Ensure there is always a set, non-email procedure completed every time a large money or sensitive data transfer is completed.
  7. Have your IT department enable two-factor authentication to protect web mail accounts.
  8. If possible, have your IT department quarantine all emails which spoof your domain name. Publishing SPF and DKIM records for your domain together with a DMARC policy of “quarantine” or “reject” lets receiving mail servers, including your own, do this automatically.
  9. Use humans and technical controls to monitor for unusual emails (does your U.S.-based executive ever close a message “Regards”? Does he or she send emails to Finance at 2AM?) B.E.C. emails are more sophisticated than an average phish, so small anomalies can be important to notice.
  10. Use a brand monitoring service to alert your IT team if look-alike or “typo squatting” domains close to your organization’s are registered.
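
As an added example (this is not code from the original post or from Motorola Solutions), the following Python script applies the first two spoofing tricks described above, together with suggestions 4, 8 and 10, to a raw message: it flags a “reply-to” domain that differs from the “from” domain, flags a “from” domain within a small edit distance of the organization’s own domain, and prepends an EXTERNAL tag to the subject of mail from any other domain. The organization domain example.com, the tag text “[EXTERNAL]”, the distance threshold and the two sample messages are all assumptions constructed for this example.

```python
"""Added example: header triage for the BEC spoofing tricks described above."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's real mail domain
EXTERNAL_TAG = "[EXTERNAL]"  # assumption: tag text chosen for the example

# Constructed sample modelled on the message in the post: real-looking From,
# scammer-controlled Reply-To (spoofing method one).
SAMPLE_REPLY_TO = """\
From: Tony Jackson - CFO <tony.jackson@example.com>
To: Emily Lee - Accounting <emily.lee@example.com>
Reply-To: tonyjacksoncfo@webmail.example
Subject: Request

Emily,
I've got something important I need you to work on promptly.
"""

# Constructed sample of the look-alike domain trick (spoofing method two):
# examp1e.com with a digit one in place of the letter l.
SAMPLE_LOOKALIKE = """\
From: Tony Jackson - CFO <tony.jackson@examp1e.com>
To: Emily Lee - Accounting <emily.lee@example.com>
Subject: Request

Emily, please call me about the acquisition.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org_domain=ORG_DOMAIN, max_distance=2):
    """A domain that is close to, but not equal to, ours is a typo-squat candidate."""
    return domain != org_domain and 0 < edit_distance(domain, org_domain) <= max_distance


def triage(raw_message, org_domain=ORG_DOMAIN):
    """Parse a raw RFC 822 message and return the checks a reviewer would want."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    findings = []

    # Method one: the reply goes somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")

    # Method two: the sender domain is a near miss of our own.
    if is_lookalike(from_domain, org_domain):
        findings.append(f"from domain {from_domain} is a look-alike of {org_domain}")

    # Suggestion 4: tag anything that does not claim to come from our domain.
    external = from_domain != org_domain
    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "external": external,
        "subject": subject,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_REPLY_TO, SAMPLE_LOOKALIKE):
        print(triage(sample))
```

Two caveats for anyone turning this into a gateway rule. The external tag here is decided from the “from” header, which is exactly what method one forges; a real mail gateway should decide “external” from the authenticated delivery path (SPF, DKIM and DMARC results on the connecting server) rather than from the header alone. The edit-distance check is a cheap first pass that catches single-character substitutions such as the constructed examp1e.com, not a substitute for the registration monitoring in suggestion 10, which sees a look-alike domain before any mail is ever sent from it.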


The FBI advises the following if you believe your organization has been the victim of a B.E.C. scam:

  • Contact your financial institution immediately
  • Request that they contact the financial institution where the fraudulent transfer was sent
  • File a complaint, regardless of dollar loss, with the FBI’s Internet Crime Complaint Center (IC3).

Lesley Carhart is Incident Response Lead, Security Operations Center at Motorola Solutions