The scam social engineered the accounting team at aircraft component maker FACC AG, which makes parts for Boeing and Airbus, to transfer about $54 million to a foreign bank. The company's management board “immediately involved the Austrian Criminal Investigation Department and engaged a forensic investigation,” according to a blog post from the company. “The cyberattack activities were executed from outside the company.
At Belgian Crelan Bank, scammers were able to pilfer about $75.8 million. "As a result of these facts, we took additional, exceptional measures to strengthen our internal security procedures,” the bank said in a statement, noting that it had “informed the justice department and we are investigating this incident. Existing customers are not impacted."
The IC3 alert warned that scam hits businesses regardless of size and “is linked to other forms of fraud, including…romance, lottery, employment and home/vacation rental scams.”
Most of the victims of those scams are in the U.S. While it is not yet known how scammers select their victims, “the subjects monitor and study” them before initiating the scam. “The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc),” the alert said. “Some victims reported being a victim of various Scareware or Ransomware cyber intrusions, immediately preceding a BEC scam request.”
Calling BEC “a highly sophisticated Internet scam that penetrates one or more email accounts of employees in accounting departments, lurks for months and figures out policy and procedures, and then waits until the CEO is out on business travel before the scam kicks into gear,” Stu Sjouwerman, CEO at KnowBe4, said in comments emailed to SCMagazine.com. “The scams are proportional to regular wire transfers so that the transaction does not raise eyebrows.”
The alert recommended that organizations avoid free web-based email, take care with what information, such as employee job duties and out-of-office details, is posted on social media and view with suspicion any request that includes secrecy or presses for quick action.
“C-level employees, especially CEOs and CFOs, have to be aware of the various techniques the scammers are using to trick them into wiring out large amounts of money,” said Sjouwerman. “Effective security awareness training is a must these days.”