Business Email Compromise (BEC) attacks are sophisticated scams that compromise legitimate business e-mail accounts to conduct unauthorized fund transfers. These attacks are also called ‘whaling’ because they are similar to phishing, but on a larger scale. BEC attacks have grown in popularity in recent years, and are expected to pose a significant risk to businesses in 2016.
The FBI reported a 270% increase in BEC victims since January 2015, and nearly $750 million of actual and attempted U.S. losses since August 2015. Research conducted by Mimecast, an email security provider, found that 55% of organizations have seen an increase in BEC attacks over the last three months.
Using complaint data, the FBI identified four general versions of BEC attacks.
- The Supplier Swindle. A business is asked by what appears to be a current supplier to wire an invoice payment to a fraudulent account. Hackers use spoofed e-mails that closely resemble messages from the supplier’s legitimate account.
- CEO Fraud. Spoofed or hacked e-mail accounts of high-level business executives are used to request a wire transfer from an employee within the company who is normally responsible for processing these requests.
- Fraudulent Invoices. An employee’s personal e-mail account is hacked and used to request invoice payments from multiple vendors identified in the employee’s contact list.
- Attorney Scam. An employee is asked to quickly transfer funds by someone posing as an attorney who is handling a confidential or time-sensitive matter for the business.
BEC attacks are not random. Victims are specifically targeted by hackers using information that is made readily available on company websites and social media sites like Facebook, LinkedIn and Twitter. For example, LinkedIn can be used to map entire departments and reporting structures. Websites may also provide valuable information, such as email addresses, titles, responsibilities and even biographical information.
According to Mimecast, a BEC attack can be broken down into five phases.
- Research: Criminals identify a target organization and its employees. Open source intelligence, social media and corporate websites are then used to build an accurate picture of the organization and identify key executives and finance team members.
- Similar Domain Names: Criminals may then register a domain name that sounds or appears similar to that of the target company. For example, the domain ajaxcornpany.com could be used to spoof ajaxcompany.com. Were you able to spot the difference between the two?
- Whale Emails: Criminals make initial contact by posing as a high-level executive and sending a short email to a member of the finance team. These emails are typically innocuous, brief and to the point, such as “I need you to complete a task ASAP, are you in the office?”
- Victim Tricked: Due to the research done before the attack, victims are likely to believe the email is genuine and respond accordingly. Criminals may then engage in email ‘small talk’ prior to requesting a wire transfer.
- Wire Transfer: Victims, typically those with authority to initiate or approve financial transactions, are asked to transfer funds. Having no reason to doubt the authenticity of the request, the victim transfers the funds.
BEC attacks can be very difficult to identify. Since criminals don’t rely on emails with attachments or links, existing defenses that scan for malicious attachments and links are often inadequate. Nevertheless, steps can be taken to protect against BEC attacks. For example, in addition to increased awareness, the FBI identified various preventative measures, such as:
- Create a detection system to flag e-mails sent from domains that are similar to the company’s e-mail domain.
- Register all domains that are similar to the company’s actual domain.
- Verify changes in vendor payment details with a second form of verification, such as requiring secondary approval.
- Confirm requests to transfer funds. If verifying over the phone, use previously known numbers, not the numbers provided in the e-mail request.
- Know your customers.
- Carefully scrutinize all e-mail requests to transfer funds.
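One way to implement the first of these measures, a detection system that flags sender domains imitating the company’s, using the ajaxcornpany.com example above (an added Python example, not from the original article; the company domain, the confusable table and the sample messages are constructed):

```python
from difflib import SequenceMatcher

# Constructed for this example: the defended company's real e-mail domain.
COMPANY_DOMAIN = "ajaxcompany.com"

# Character sequences that look almost identical in many fonts, mapped to the
# form they imitate ("rn" reads as "m", which is the trick in ajaxcornpany.com).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def skeleton(label: str) -> str:
    """Fold confusable sequences so a lookalike compares equal to its target."""
    folded = label.lower()
    for lookalike, canonical in CONFUSABLES:
        folded = folded.replace(lookalike, canonical)
    return folded


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, after the last '@'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_score(domain: str, company_domain: str) -> float:
    """Similarity in [0, 1] between the confusable-folded domains."""
    return SequenceMatcher(None, skeleton(domain), skeleton(company_domain)).ratio()


def flag_sender(address: str, company_domain: str = COMPANY_DOMAIN,
                threshold: float = 0.85) -> bool:
    """True when the sender is outside the company but its domain imitates it."""
    domain = sender_domain(address)
    if domain == company_domain:
        return False  # genuine internal address, nothing to flag
    return lookalike_score(domain, company_domain) >= threshold


# Constructed sample messages (From address and subject only).
SAMPLE_MESSAGES = [
    {"from": "ceo@ajaxcompany.com", "subject": "Board deck for Thursday"},
    {"from": "ceo@ajaxcornpany.com", "subject": "Are you in the office? Need a task done ASAP"},
    {"from": "billing@ajaxc0mpany.com", "subject": "Updated remittance details"},
    {"from": "orders@example.com", "subject": "Purchase order 4471"},
]


def scan_messages(messages, company_domain: str = COMPANY_DOMAIN) -> list:
    """Subjects of messages whose sender domain imitates the company's."""
    return [m["subject"] for m in messages if flag_sender(m["from"], company_domain)]
```

The threshold and confusable table are starting points to tune against your own mail flow; this check does not cover tricks such as the real domain appearing as a subdomain of an attacker-controlled one, so it belongs alongside the out-of-band confirmation steps listed above rather than replacing them.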
Businesses should also consider cyber insurance coverage to protect against cyber attacks that could not be prevented. Unlike traditional commercial insurance, Cyber Liability and Security Breach (Cyber Perils) Insurance policies protect against privacy injuries, such as identity theft, and cover the cost of complying with data breach notice laws.
We would be happy to provide you with more information about insurance for existing and emerging cyber threats.
Additional information is also available in our weekly Risk Management Newsletters.
Perhaps these predictions explain the growing number of businesses purchasing new cyber insurance policies or increasing coverage under existing cyber policies.