Tuesday 2 August 2016

Business Email Compromise - Protect yourself and your company

Business Email Compromise (BEC) scams, also known as “whaling” or “CEO fraud”, involve crafted emails sent to recipients by fraudsters pretending to be senior executives. These emails leverage social engineering and urgent requests to get employees to carry out large wire transfers or send over sensitive information such as W-2 forms.

BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices.

BEC emails are typically characterized by:
  • Impersonation of a high-level executive of your company
  • Email domains similar to yours (typosquatting)
  • Prominent use of free webmail service providers (Gmail, Yahoo etc.)
  • Emails that do not contain URLs, phone numbers, or attachments

CHARACTERISTICS OF BEC COMPLAINTS

  • Businesses and associated personnel using open source e-mail accounts are predominantly targeted.
  • Individuals responsible for handling wire transfers within a specific business are targeted.
  • Spoofed e-mails very closely mimic a legitimate e-mail request.
  • Hacked e-mails often occur with a personal e-mail account.
  • Fraudulent e-mail requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
  • The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
  • The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
  • Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
  • Victims report that IP addresses frequently trace back to free domain registrars.

SELF PROTECTION STRATEGIES

  • Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures, including the implementation of a 2-step verification process.
  • Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
  • Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
  • Delete Spam: Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
  • Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
  • Consider implementing Two Factor Authentication (TFA) for corporate e-mail accounts. TFA mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to login: something you know (a password) and something you have (such as a dynamic PIN or code).
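A small defender-side triage script that checks an inbound message for the BEC characteristics listed above (executive display name from an outside domain, a lookalike domain, a free webmail sender, the reported urgency phrases) and for the Reply-To mismatch that the "Forward vs. Reply" advice guards against. It is an added example, not code from IC3 or the original post; the company domain, executive name, webmail list and sample message are constructed.

```python
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"           # assumed: your own mail domain
EXECUTIVES = {"jane doe"}                # assumed: display names of senior staff
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_PHRASES = ("urgent wire transfer", "code to admin expenses")  # from the IC3 list

def edit_distance(a, b):
    """Levenshtein distance; small values against our domain mean typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    """Return the list of BEC indicators found in one plain-text RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    hits = []
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        hits.append("executive display name from outside domain")
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        hits.append("lookalike domain: " + from_domain)
    if from_domain in FREE_WEBMAIL:
        hits.append("free webmail sender")
    if reply_domain and reply_domain != from_domain:  # a plain Reply would go elsewhere
        hits.append("reply-to domain differs from sender domain")
    if any(p in body for p in URGENCY_PHRASES):
        hits.append("urgency phrase in body")
    return hits

# Constructed sample: a digit-for-letter lookalike domain and a webmail Reply-To.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: payments@example.com
Subject: Urgent wire transfer

Please process an urgent wire transfer today and code to admin expenses.
"""

if __name__ == "__main__":
    for hit in bec_indicators(SAMPLE):
        print("BEC indicator:", hit)
```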

The victims of the BEC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating a specific sector does not seem to be targeted.

It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).

source and further information: Internet Crime and Compliance Center (IC3)
