Cybercriminals have stolen $3.1 billion from businesses since January 2015 — not with high-tech ransomware or stealthy spyware, but rather with low-tech emails. The U.S. Federal Bureau of Investigation (FBI) refers to these attacks as Business Email Compromise (BEC) scams. Since January 2015, more than 22,000 businesses worldwide (including businesses in all 50 U.S. states) have reported falling victim to a BEC scam. There are likely many more businesses that were swindled but did not report it.
Although using emails is a low-tech approach to stealing money, these emails are well crafted. Each BEC email is polished and specific to the business being victimized. The cybercriminals spend a good deal of time creating each email in the hope that its legitimacy will not be questioned.
How Cybercriminals Create the BEC Emails
The cybercriminals behind the BEC scams are digital con-artists. Like regular con-artists, they first study their victims. They identify the individuals and information necessary to carry out the scams. As part of this research, the digital con-artists sometimes send out phishing emails that request details about the businesses or individuals being targeted. Alternatively, the phishing emails might install malware that obtains sensitive business information, such as financial account records. The cybercriminals also use social engineering techniques to get information. For instance, they might visit social media websites (e.g., LinkedIn, Facebook) or call the company.
After the digital con-artists have the information they need to scam a business, they create the BEC email. They try to get both the wording and graphical elements to look like a legitimate email from that business (or from an organization it does business with, such as a supplier). They know that the closer the match, the harder it will be to spot the scam.
The Five Variations of the BEC Scam
When the FBI analyzed the reports of the 22,000+ BEC victims, it discovered that there were five main variations of the BEC scam:
- Posing as a business executive, the digital con-artist requests a wire transfer. A cybercriminal hacks or spoofs the email account of a business executive and then uses that account to send an email requesting a wire transfer. Typically, the email is sent to the employee responsible for processing these requests. On occasion, the email is sent directly to the financial institution. The FBI found that the digital con-artists often send these emails when the executives are on business trips.
- Pretending to be a business executive, the cybercriminal requests employees’ personal information. Using a spoofed or hacked email account of a business executive, the digital con-artist sends an email to the staff member responsible for maintaining employees’ personal information (e.g., human resources or accounting staff). In the United States, this variation of the scam was used to get employees’ W-2 tax information.
- Posing as a supplier, the cybercriminal requests an invoice payment. The digital con-artist usually selects a supplier that the targeted business has used for a long time. After learning who is responsible for processing supplier payment requests at the targeted business, the cybercriminal will send that person a legitimate-looking payment request. The email tells the employee to wire the invoice payment to an alternate, fraudulent account. Occasionally, the invoice payment request is made by fax or phone instead of email.
- Pretending to be an employee, the digital con-artist requests invoice payments from vendors. After identifying who works with vendors at the targeted business, the cybercriminal hacks that employee’s personal email account, using it to request invoice payments from vendors. This scam is most successful when employees use their personal email accounts for business and they have the vendors listed in their contact list.
- Posing as a lawyer or law firm representative, the cybercriminal requests a fund transfer. The digital con-artist emails or calls an executive or another employee in the targeted business, claiming to be handling confidential or time-sensitive legal matters. The cybercriminal tries to pressure the person into transferring funds quickly or secretively.
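The five variations above share a few observable traits in the email itself: a display name that matches an executive but an address that does not, a sender domain that is a near-miss of the real one, a Reply-To that diverts answers elsewhere, and pressure language about wires, invoices or tax forms. As an added illustration for defenders (this script is not part of the original article and is not an FBI tool), the following Python triage script checks a raw message for those indicators. The company domain `example.com`, the executive directory, the keyword list and both sample messages are constructed for the example; a real deployment would read the directory from the organisation's identity system and tune the keyword list to its own workflow.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions for the example: the organisation's own mail domain
# and a small directory mapping executive display names to their real addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Phrases that recur across the BEC variations (wire requests, invoice
# redirection, W-2 requests, secrecy and urgency). Tune per organisation.
PRESSURE_TERMS = ("wire transfer", "urgent", "confidential",
                  "w-2", "invoice", "new account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, reference: str) -> bool:
    """A domain that differs from ours by one or two edits, but is not ours."""
    return domain != reference and 0 < edit_distance(domain, reference) <= 2


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def flag_bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)

    # 1. Executive display name with a non-directory address (spoofed executive).
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display name '{name}' but address {addr} is not the directory address")

    # 2. Sender domain is a near-miss of the company domain.
    if is_lookalike(sender_domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {sender_domain} looks like {COMPANY_DOMAIN}")

    # 3. Reply-To diverts responses to a different domain than the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append(f"Reply-To {reply_addr} differs from sender domain {sender_domain}")

    # 4. Pressure language typical of wire, invoice or W-2 requests.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [term for term in PRESSURE_TERMS if term in text]
    if hits:
        findings.append("pressure terms in body: " + ", ".join(hits))

    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Hi, I am travelling and need you to process an urgent wire transfer
to a new account today. Keep this confidential until I am back.
Jane
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Team lunch on Friday
Content-Type: text/plain; charset="utf-8"

Please book the usual place for twelve people.
Jane
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, flag_bec_indicators(sample))
```

The script is a triage aid, not a verdict: a single finding (a vendor whose Reply-To legitimately differs, or a genuine invoice reminder) is common, whereas the spoofed sample trips all four checks at once. Messages with findings should route to the out-of-band verification step the article recommends rather than be silently dropped.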
How to Avoid Falling Victim to a BEC Scam
Knowing about the five BEC scam variations is one of the best ways to avoid falling victim to them. Thus, you need to educate employees at all levels about the scam scenarios so they can spot BEC emails. In addition, employees should be taught how to spot phishing emails since cybercriminals will use them to gather information prior to creating the BEC emails.
Besides training employees, you should take the following measures to avoid being swindled by a BEC scam:
- Do not use free web-based email accounts (e.g., Hotmail, Gmail) for your business. The FBI found that digital con-artists often target businesses using these email accounts.
- Consider using two-step verification for business email accounts. If you set up two-step verification (also known as two-factor authentication) for these accounts, they will be much more difficult to hack.
- Never wire money based on an email without first verifying the request by telephone or in an in-person conversation. There have been several instances where someone has acted on an email directive from what appeared to be the CEO/owner of the company and wired money per the instructions in that email.
- Be careful about what you post on your business’s website. For example, do not post job descriptions or hierarchical information, as this information might prove helpful in determining the best person to target in a BEC scam.
- Ask employees not to post too many details about their jobs on social media websites. Digital con-artists scour these sites for information about businesses and their employees.
- Use anti-malware software and regularly update the operating systems and applications on your business’s computers. Some cybercriminals use phishing emails that install malware to get information for BEC scams. This malware often relies on known vulnerabilities of the operating system or applications to get onto a computer system.