Researchers have spotted a new business email compromise (BEC) trend that, if perfected, could represent a significant social engineering threat to the financial investment and private equity community.
The scammers are impersonating c-level executives and instructing accounts payable employees to complete a capital call transaction to a fraudulent bank account. In the world of private equity and real estate, a capital call or draw down takes place when an investment or insurance firm asks one or more partners to pay a portion of the money that they have previously committed to investing.
In an email fraud report published yesterday, researchers at Agari's Cyber Intelligence Division (ACID) noted a "dramatic increase in the average amount of money targeted in BEC attacks" since November 2020. The report partially attributes this sudden spike to the newly identified scheme. Indeed, Agari found that the average capital call payment scam seeks roughly $809,000 in wire transfers -- more than seven times the average $72,000 sought in most BEC attacks over the last six months.
In essence, the attackers are looking to score big payday with a single compromise. And the concept works because "the request itself is not out of the ordinary," said Crane Hassold, senior director of threat research at Agari, in an interview with SC Media. "And so, at its core, it looks realistic," despite the large sums of money being requested.
Erich Kron, security awareness advocate at KnowBe4, agreed: "While the amounts being demanded are likely to be a red flag for most typical people, if these reach the right organization that is expecting a capital call, or deals in them regularly, these may be successful," he said.
However, for now the scam isn't executed especially well, Hassold noted. For starters, the targeting has been scattershot, with malicious actors delivering these BEC emails to a wide range of large corporations -- some completely unassociated with finance and investment. For instance, Agari identified targets in the utilities retail, health care and legal sectors.
"I think that probably the people who are sending these don't have a full grasp of capital call payments," said Hassold. "I don't think that these are finance students who have a full understanding of what capital call payments are, and how they're used and who should be receiving them."
There is also no indication that the attackers have been targeting individual investors – just business organizations. And, noted Hassold, there's no indication that the bad guys have any inside knowledge what investments these companies are actually making, if any. "Rather, the attacks are requesting payments for fictitious investments, similar to what we’ve seen for years where BEC actors request payments to fictitious vendors," he said.
Still, if a more competent perpetrator were to employ the same tactics while taking a more targeted approach – perhaps leveraging intel on investors gleaned from public lists and the dark web – the scam could be convincing enough to fool a lot of victims.
For now, though, the attackers seem to be a little less ambitious, seeking out the low-hanging fruit, knowing that even tricking one employee could pay off handsomely.
“This is an interesting use of a very specific, but high-dollar, type of financial transaction," said Erich Kron, security awareness advocate at KnowBe4. "While likely not as successful as a typical BEC scam, the payout for successful attacks is considerably higher."
"We have to remember this is a business for the attacker, and they have the same problems that anyone would have in running the business," said Josh Douglas, Mimecast’s vice president of product management and threat intelligence. "That means they have to consider both the topline and bottom-line. This procedure allows for larger revenue gains and lower impacts to operating expenses. If the attacker only has to hit three places vs. 300 to get the same amount of revenue, the reward is higher and the gross margins increase."
And although the attackers' targeting and intel gathering may not be particularly sophisticated, the actual emails and the attached documents they have created do have an air of legitimacy.
"This is a capital call and I want payment out immediately. Send confirmation as soon as the payment is out," reads one sample BEC email impersonating a CEO. Attached is a form that appears to be from an investment asking for the draw down. The fake notice adds an element of pressure, setting a distinct deadline and noting that failure to act represents a breach in agreement, resulting in interest charges and ultimately forfeiture of the investment.
The attacker is fundamentally looking to deceive the target using technological and psychological tactics and techniques," said Douglas.
"They look like really good representations of what one of these documents could look like," said Hassold. "They're likely thinking on their end, 'I just need to make this look realistic enough that it will pass as true and get a small percentage of the people who I'm sending this to, to send me the money.'"
Hassold said that the actors are banking on companies suffering organizational lapses in payment authorization controls.
Indeed, "organizations should have policies in place that require verification of payments being sent," said Kron. "If the organization is unable to verify the request for funds, they should reach out to the requester through a previously known phone number or contact method, not one provided in the notice.”
Ultimately that may come down to ensuring that your accounts payable specialists are properly trained to watch out for these scams.
"The key factor is the people at the organization," said Douglas. "Do they have the right cybersecurity training? Do they have the processes to block this from working? Have they implemented the right technology that can bring it to the forefront, so they can act quickly to stop cyber deception?"
"Particularly in a remote work environment, training is key," added Dave Barnett, director of edge security at Forcepoint. "Users must be confident of reporting processes for anything they’re unsure of and be encouraged to flag and check things with senior staff."
"Business email compromises can be incredibly lucrative to threat actors because they’re often highly personalized and targeted. Instilling a culture of critical thinking when it comes to security, and encouraging staff to not let their guard down, can go a long way."