Hurry! Transfer Money… (oh and keep this a secret for now…)

Business Email Compromise (BEC) is a more specific form of Email Account Compromise (EAC). Email accounts can be compromised by guessing credentials, intercepting credentials or encryption keys, or obtaining account information through social engineering. In some cases, the email account is not compromised at all, only impersonated with a similar username and domain. Criminals use information about the email account to impersonate the rightful user or to intercept email exchanges about monetary transactions.

When impersonating the rightful user, the criminals send an invoice along with payment instructions for a wire transfer that is paid to the fraudster's entity, not to the trusted supplier or business partner. This type of scam is also called “Bogus Invoice Scheme,” “Supplier Swindle,” and “Invoice Modification Scheme.” In the case of intercepted email transmissions, the criminals wait until payment is discussed and then supersede the correct payment instructions with those for an account used by the criminals. This is also known as “Man-in-the-Email” (MitE), a type of Man-in-the-Middle (MitM) technique.

When such techniques target or impersonate company executives, they are also called “CEO Fraud,” “Whaling” (if done via email and targeting company VIPs), “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Fraud” (when an impersonator of the company executive sends wire instructions directly to a financial institution, or the financial institution is impersonated sending instructions to the company executive).

A separate form of related fraud occurs when business executives are impersonated to persuade or coerce another employee of the company to make a wire transfer payment to an account used by criminals. These scams typically involve phone calls in addition to emails and some feigned emergency is presented to prevent the employee from following proper procedures and obtaining appropriate authorizations before initiating the wire transfer. In some cases, the CEO or other executive’s email account may also be compromised or impersonated. This type of scheme is enhanced when an employee’s personal email becomes compromised (or is spoofed or impersonated) to request invoice payments to fraudster-controlled bank accounts destined for multiple vendors identified from the employee’s contact list. This scheme happens most often when personal email accounts are used for both professional and personal business.
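As an added example (not code from the original post or from Gate 15), the following Python screener turns the cues described in the two paragraphs above into a simple triage score: a sender domain that imitates a trusted supplier or company domain, a Reply-To that diverts the thread elsewhere, urgency or secrecy language, and a request to change payment instructions or send a wire. The trusted domains, phrase lists, weights and sample messages are constructed assumptions for illustration; a production deployment would draw the trusted list from the vendor master file and tune the weights against real mail.

```python
"""Heuristic screening of inbound mail for Business Email Compromise (BEC) cues.

Added example; not part of the original post. The trusted domains, phrase
lists, weights and sample messages below are constructed for illustration.
"""
from dataclasses import dataclass, field
import email.utils
import re

# Constructed: domains of the suppliers and of our own company that we trust.
TRUSTED_DOMAINS = {"acme-supplies.example", "ourcompany.example"}

# Constructed phrase lists for pressure/secrecy framing and payment changes.
URGENCY_PATTERNS = [
    r"\burgent\b", r"\bimmediately\b", r"\btoday\b", r"\bconfidential\b",
    r"\bkeep this (a secret|between us|quiet)\b", r"\bdo not (discuss|tell)\b",
]
PAYMENT_PATTERNS = [
    r"\bnew (bank|account|wire) (details|instructions|information)\b",
    r"\bupdated? (bank|account|wire)\b", r"\bchanged? (our|the) bank\b",
    r"\bwire (transfer|funds|payment)\b",
]


@dataclass
class Message:
    from_header: str
    reply_to: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def _domain(addr_header: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = email.utils.parseaddr(addr_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is trusted/unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if _levenshtein(domain, t) <= max_distance:
            return t
    return None


def score_message(msg: Message) -> Verdict:
    """Accumulate weighted BEC indicators; weights are constructed, not calibrated."""
    v = Verdict(0)
    from_dom = _domain(msg.from_header)
    reply_dom = _domain(msg.reply_to) if msg.reply_to else from_dom
    target = lookalike_of(from_dom)
    if target:
        v.score += 40
        v.reasons.append(f"sender domain {from_dom} resembles trusted {target}")
    if reply_dom and reply_dom != from_dom:
        v.score += 25
        v.reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    text = f"{msg.subject}\n{msg.body}".lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        v.score += 15
        v.reasons.append("urgency or secrecy language")
    if any(re.search(p, text) for p in PAYMENT_PATTERNS):
        v.score += 20
        v.reasons.append("wire request or payment instruction change")
    return v


def needs_review(msg: Message, threshold: int = 50) -> bool:
    """True when the message should be held for out-of-band verification."""
    return score_message(msg).score >= threshold


# Constructed sample messages: a genuine invoice, a bogus-invoice attempt from a
# lookalike supplier domain, and an executive impersonation with a diverted Reply-To.
LEGIT_INVOICE = Message("Acme Supplies <billing@acme-supplies.example>", "",
                        "Invoice 4470", "Please find attached invoice 4470, due in 30 days.")
FRAUD_INVOICE = Message("Acme Supplies <billing@acme-supp1ies.example>", "",
                        "Updated bank details for invoice 4471 - urgent",
                        "Our bank has changed; please use the new account on the attached invoice.")
EXEC_IMPERSONATION = Message("Jane Doe <jane.doe@ourcompany.example>",
                             "jane.doe.ceo@webmail.example", "Wire transfer needed",
                             "I need you to wire funds today. Keep this between us until I'm back.")

if __name__ == "__main__":
    for m in (LEGIT_INVOICE, FRAUD_INVOICE, EXEC_IMPERSONATION):
        verdict = score_message(m)
        print(m.subject, "->", verdict.score, verdict.reasons)
```

The score is a triage aid, not a verdict: a message that trips the threshold should be held until the payment details are confirmed with the supplier or executive through a known-good phone number, which is the procedural control the post describes fraudsters trying to bypass.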

In addition to impersonating company executives and suppliers, fraudsters may also impersonate an attorney or law firm. The FBI describes this scenario: “Victims report being contacted by fraudsters who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds. This type of BEC scam may occur at the end of the business day or work week and be timed to coincide with the close of business of international financial institutions.”

On 04 May, the FBI published a Public Service Announcement further elaborating on BEC, “The 5 Billion Dollar Scam,” providing additional background, statistics, and scenarios that a business may find themselves experiencing, as well as other useful information. It is important to understand these threats, and the tactics criminals may use to steal and otherwise harm your organization. Further, organizations should consider preparedness – developing the plans and procedures, conducting the training and exercises, and other appropriate steps – to ensure your personnel and organization are ready for BEC and other risk concerns.

Gate 15 provides intelligence and threat information to inform routine situational awareness and preparedness planning, and to penetrate the decision-making cycle to help inform time-sensitive decisions affecting operations, security, and resources. We provide clients with routine cyber and physical security products tailored to the individual client’s interests. Such products include relevant analysis, assessments, and mitigation strategies on a variety of topics.


This blog post was written by Kristi Horton, Gate 15’s Senior Risk Analyst for Cyber Intelligence and Analysis. Kristi provides expert threat and risk analysis for internal activities and client needs, where she is able to lend her expertise to support client preparedness requirements and specialized technical areas such as forensics investigations and legal support.


Additional Resources on the topic of BEC: