FBI Director Christopher Wray speaks at headquarters in Washington, D.C. The FBI has reported that BEC scams cost enterprises more than $26 billion worldwide between 2016 and 2019. (Source: FBI)

Business email compromise (BEC) scams are one of the biggest money makers for cyber criminals. BEC attacks are also unique in that they rely on human behavior rather than sophisticated technology. Typical BEC scams use an authentic-looking email from a top executive to deceive subordinates into transferring money.  

A lot of money.

The FBI reports that BEC scams cost enterprises more than $26 billion worldwide between 2016 and 2019. These scams accounted for half of all cybercrime losses in 2019.  In June, reports disclosed that a U.K. affiliate of Caterpillar lost $11 million to BEC fraud. Last summer, the European subsidiary of Toyota Boshoku Corporation, a car components manufacturer member of the Toyota Group, lost more than $37 million dollars to a BEC attack. Calling it a global phenomenon, INTERPOL launched a public service campaign to warn and educate the public about BEC fraud.

How does BEC fraud differ from other attacks? Rather than launch a mass attack against hundreds or thousands of unknown targets, BEC scams focus on a single target. The attackers patiently research companies to pinpoint the right executive. They analyze the company’s website and other public information to identify senior personnel, determine the chain of command, track important customers, even study the email style of the executive they target, sometimes researching for as long as a month or more.

When ready to start their attack, fraudsters use social engineering scams to break into the network. They steal the executive’s credentials, then email a subordinate asking for immediate transfer of funds. It’s always for a credible reason -- a last-minute acquisition or a late payment to a partner or supplier. Because of the urgency, the fraudster asks the employee to wire the funds to a different account than usual and keep their actions confidential. Thanks to the hacker’s due diligence, the email looks authentic and the employee wires money—right to the bank account of the scammer.

In a variant called CEO Fraud, the attacker spoofs the executive’s email without needing to actually compromise the account to request a wire transfer. BEC scams also increasingly impersonate clients, employees and vendors to divert payments or payroll funds. The Russian gang Cosmic Lynx conducted more than 200 BEC campaigns over the past year, mostly under the pretense of a law firm working with Fortune 1000 companies on mergers and acquisitions.

How can security teams protect against BEC fraud? These scams cleverly play on two glaring human vulnerabilities: an employee’s susceptibility to social engineering, and their unquestioning trust in the chain of command. 

Studies show that as many as 30 percent of employees are susceptible to social engineering, especially phishing campaigns. Unfortunately, it takes only one unsuspecting employee to help set the stage for a lucrative BEC attack. Phishing scams keep increasing in sophistication - they impersonate well-known brands such as Netflix, Google, and Amazon, as well as leverage hosted servers and public cloud tools.

Companies that conduct ongoing and varied security training of their employees – starting at onboarding and continuing with regularly scheduled simulated phishing attacks, stand the greatest chance of keeping invaders out of their network. The most effective security awareness programs use a wide range of simulated campaigns, from vanilla email hyperlinks to elaborate attacks disguised as messages from real brands or customers. Interactive, relevant, and ongoing training can reduce the percentage of successful phishing attempts from 30 percent to less than 5 percent.

Help your employees to detect phishing emails with these three questions: 

Is the sender really who they claim to be? Start by checking the domain name – it’s easy to miss a one-letter mismatch between the sender’s domain and the company domain. Common tricks include swapping the “i” for an “l,” adding an “s” to the end of a known domain, or adding “int” or “inc.” Emails that arrive in a business inbox from gmail-type addresses, especially if you know the name of the sender, are a big giveaway.

Does the email contain suspicious content? Red flags include improper use of grammar or language, multiple spelling mistakes, or a different layout. Hover over any email links to see if they are unusual. If so, don’t click on them!

What are they asking me to do? Always be suspicious anytime an email asks you to do something atypical or unexpected, such as provide confidential log-in credentials or PII. Take a closer look at the sender’s address or content and you’ll usually catch the attack.

Unfortunately, many phishing schemes are sucessful, and the executive’s email credentials end up in the hands of the attacker. Ultimately, BEC scams succeed because they exploit subordinates who follow the chain of command. To defend against BEC fraud, companies should implement specific business and financial policies for all payments. Communicate these policies in writing to all company employees and insist on strict adherence. Here are a few best practices. Consider this a checklist to follow:

Payment authorizations. Specify which specific employees can make payments or transfer funds. Keep the number of authorized employees to a minimum.

Payment amounts.  Require multiple sign-offs above a certain amount and specify who’s required to provide the additional authorization. Policies range from any amount above the reasonable and customary for that vendor/situation to a pre-determined threshold that automatically triggers the additional sign-off. Make the confirmation by phone to a pre-specified phone number instead of email. 

Third-party validation. Recent BEC fraud attacks have impersonated third-party vendors, including suppliers and lawyers. Obtain the contact name and phone number in advance for all vendors the company does business with to verify any suspicious requests for payments.

Resist urgent requests or new payment methods. Train every employee authorized to make payments for the company on how to prevent BEC fraud. Help them understand how and why they are potential targets. Remind them they need to follow the company’s official payment policies without exception. Suspect any urgent and/or secretive request to make payments to a new bank account or payment address. Take precautions even if the amount seems low, as scammers often test the waters and take a measured approach to their attack.

Most importantly, empower employees to “break the chain of command” instead of breaking the rules. BEC scammers are counting on the authority of the CEO or other top executive to convince subordinates to do what they ask. Don’t let them get away with it.

Criminals turn to BEC fraud because the profits are large and the barriers to entry are low. Protect the company by empowering its most valuable assets – the employees. Train employees how to identify phishing campaigns, and give them simple tools like a phishing incident button to report suspicious messages. Develop clear guidelines for all financial transactions and payments. Address both of these areas, and the company will keep its hard-earned dollars in the company’s bank account, not those of the cyber attacker.

Colin Bastable, CEO, Lucy Security