When the FBI released its 2018 Internet Crime Report on April 22, the very first of the hot topics that should give business leaders reason to pause was Business Email Compromise. This is a type of scam aimed specifically at businesses or other organizations that depend on employees’ unquestioning obedience to their supervisors.
The way the Business Email Compromise scam works is that the criminals create an email that appears to be real, which then directs someone in the financial departments of the target organization to send a large payment, usually via a wire transfer, to an account owned by the criminals. But as you might expect, there’s a lot more to it than that.
First, the scammers pick out a victim. Normally it’s a company (or sometimes a non-profit) that has a large enough staff that there’s a hierarchy of responsibilities. Beyond that, the size of the business doesn’t necessarily matter, as is demonstrated by the FBI statistics that show businesses of all sizes being targeted.
Once the target organization is selected, the scammers go to work studying the operations and the staff of the company. They will use public information to determine who the senior executives are, what their contact information is and who reports to them. It’s not unusual for the scammers to either penetrate the company email system or to use a partner organization to provide details about the target.
Scammers Look for When Execs Travel
By looking at the internal emails, the scammers will learn about the company procedures, preferred partners and any other details they think will help with the next step. They will also look for information, either public or in emails, about the movements of the organization’s senior executives. Then, normally when the CEO is traveling, they strike.
“There’s usually an urgent email from the CEO or CFO asking for an immediate transfer of funds,” explains Colin Bastable, CEO of Lucy Security. Normally, the request appears in an email that looks authentic to the receiver, who will be someone in a position to carry out the transfer. The email will give a supposed purpose for the transfer, such as an unexpected acquisition. And it will provide details for a wire transfer. The email will stress the immediacy and the need to keep the action secret.
Because the scammers have been studying the company and its staff for a while, the email will usually contain references that seem to establish legitimacy, such as references to some personal fact or activity. And the tone will resemble language usually used by the senior executive. Only later will you find out that it was a scam and that your money is in the hands (or at least the bank account) of the scammers.
Normally a spear-phishing attack precedes the actual attempt to steal the money, and in some cases the attackers also implant malware in the company network that can monitor activity. That malware likely also arrived through a phishing attack, which may in turn have retrieved the credentials needed to get into the network remotely.
Once the actual attack starts, there are a few things you can do to prevent the attackers from being successful, and those mostly boil down to procedures you plan in advance and security systems you should have in place.
Procedures to Put in Place
The security systems should include capabilities such as intrusion detection and encryption of sensitive data, which includes the business phone directory. You should also be able to monitor the activities of anyone who attempts to gain access to protected information or protected areas of your network.
But you also need to have procedures in place to keep the funds transfer attempt from being successful. Here are the steps you need to consider:
- Have the CEO and CFO buy in to any procedures you set up, and have them agree not to punish employees who refuse to break the rules.
- Set up a procedure for approving unexpected payments. The procedure should include a requirement for confirmation of the transaction through some means other than email. For example, a confirmation call should take place to the CEO’s cell phone, and it must be to a number that you already have, not to one provided in the email asking for the transfer.
- Establish a code word that must be given before any transfer can take place. This prevents an impostor calling in with a spoofed caller ID from posing as the CEO.
- Be skeptical of any unplanned transfer of large sums of money, especially if it must be done immediately. There’s almost nothing in terms of legitimate business activity that can’t wait for a day or two. Inability to contact the CEO or CFO should not be taken as a reason to approve a payment. The criminals will probably know when your executives are airborne on a long flight where they can’t be reached.
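The approval checks in the list above, written out as an added Python example (not code from the article, Lucy Security or KnowBe4). The directory numbers, the code word, the threshold and the sample emails are constructed for illustration; the key point is that the callback number and the code word come from what the finance team already holds, never from the email that asks for the money.

```python
import hmac
import re
from dataclasses import dataclass

# Constructed example data: numbers the finance team already has on file,
# and a code word agreed in person. Neither is ever taken from an incoming email.
DIRECTORY = {"ceo@example.com": "+1-555-0100", "cfo@example.com": "+1-555-0101"}
CODE_WORD = "bluebird"
LARGE_TRANSFER = 10_000.00   # hypothetical threshold above which urgency is a red flag

@dataclass
class TransferRequest:
    sender: str      # address the email claims to come from
    amount: float
    body: str        # email text, may contain a "call me at ..." number
    urgent: bool     # request insists on immediate action

def digits(number: str) -> str:
    """Normalize a phone number to digits so different formats compare equal."""
    return re.sub(r"\D", "", number)

def numbers_in(text: str) -> set:
    """Phone-like strings present in the email itself."""
    return {digits(n) for n in re.findall(r"\+?\d[\d\-\s().]{7,}\d", text)}

def evaluate(req, callback_number, reached_executive, spoken_code_word):
    """Apply the checks; the transfer is approved only when every one passes."""
    reasons = []
    on_file = DIRECTORY.get(req.sender)
    if on_file is None:
        reasons.append("sender is not a known executive")
    elif digits(callback_number) != digits(on_file):
        reasons.append("callback went to a number not on file")
    if digits(callback_number) in numbers_in(req.body):
        reasons.append("callback number was supplied by the email itself")
    if not reached_executive:
        reasons.append("executive not reached: unreachability is not approval")
    if not hmac.compare_digest(spoken_code_word, CODE_WORD):
        reasons.append("code word missing or wrong")
    if req.urgent and req.amount >= LARGE_TRANSFER:
        reasons.append("large urgent transfer: hold a day and re-verify")
    return not reasons, reasons
```

A real deployment would log every rejected reason so that a refused request becomes an incident report rather than a silent failure.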
Bastable says that training is critical in avoiding such attacks. This means that you must conduct simulated attacks as part of your normal activities. Bastable said that his company can provide such training. You can also find simulated phishing emails intended to carry out a simulated Business Email Compromise at KnowBe4. That company will also let you preview its training modules. Regardless of how you do it, security awareness training is crucial to keep your organization from falling victim to these attacks.
Fortunately, there’s some light in the darkness. The FBI has put together a Recovery Asset Team that’s been successful in getting back about 75% of the money that’s been stolen in such schemes. But that depends on letting them know as soon as you know you’ve been compromised. Make that part of your procedures, too.