What is a BEC scam?

Cyber-criminals are like every businessman: they want maximum profit for minimum investment. A recent trend amongst hackers to help achieve this goal is Business Email Compromise (BEC) also known as “CEO Fraud”. This type of CEO scam is very profitable since it only needs to be successful a few times to be highly cost-effective for the criminals.

Instead of spending hours sending phishing emails to numerous random email addresses (making them more easily identifiable as spam, and less successful), nowadays, cyber-criminals first do their research before launching an attack. They select the business on which to launch a BEC attack, then use social engineering to find out who the CEO and CFO are (ensuring they have their exact names), and decide who their victim will be within the business. They will usually select someone in the finance department who manages money, or select a senior staff member, a company attorney, a trusted vendor etc… The cyber-criminals then send a fraudulent email, impersonating the CEO or CFO, and try to trick their victim into initiating one or more wire transfers.

A successful BEC attack results in successful intrusion into the victim’s business systems, unrestricted access to the victim’s employee credentials, and substantial or massive financial loss for the company.

Our experts’ explanation

Hackers will use several simple, but highly effective tricks to avoid raising suspicions, and to ensure that their victims act as fast as possible, without a second thought or further verification:

  • Spoofing or typosquatting legitimate email addresses, using a domain similar to the targeted business’ actual domain.
  • Using an urgent tone, requesting that the funds transfer is done “ASAP”.
  • Stating in the fake email that the CEO or CFO is in a meeting and that they cannot be disturbed during the meeting by email exchanges or phone calls.
  • Implying that the sender is using a device to write the email, by using the well-known and frequently-used phrase “Sent from my iPad”, in lieu of the corporate email signature.
    • Note: This trick is particularly effective, because implying that the email is sent from a mobile device excuses any poor English, misspelling, or lack of a legitimate email signature, which are usually triggers to recognise phishing emails. It also helps strengthen the sense of urgency: if it wasn’t pressing, the sender would have waited until he was back at his desk. Hackers might also use social engineering to find out when the executives are travelling for business, making their scam even more credible to their victim.
  • Cyber-criminals will make sure they request a legitimate-looking amount for the wire transfer, to avoid raising suspicion; insight they would have gathered during their social engineering research.

Who are the targeted victims?

Victims are not limited to a certain business type: hackers are targeting medium and large corporations, small businesses, not-for-profit organizations, etc… They always have one characteristic in common: the victim’s business must work with foreign suppliers and/or regularly use wire transfer payments.

Why does it work?

Phishers rely on the “fear of the boss” mentality: all employees want to be effective at their job, and they probably won’t decline an order coming directly from potentially the most important person within their company. Employees usually feel obligated to comply with anything their CEO requests, and that is what cyber-criminals put their money on.

The sense of urgency is also critical for these CEO scams to work. Since the recipient of the email feels like it’s an urgent matter and that he can’t reach his boss for a second approval of the transfer, the targeted employee will almost certainly fall for the BEC scam.

Facts and figures

The FBI released these enlightening facts and figures earlier this year:

  • BEC scams have been seen in every U.S. state and in at least 79 countries.
  • From October 2013 through to February 2016, more than 17,500 people fell victim to a BEC scam.
  • The total loss exceeded $2.3 billion USD.
  • Since January 2015, the FBI has seen a 270% increase in identified victims and exposed loss.

How to prevent falling for BEC scams

FraudWatch International recommends that businesses follow the below tips to avoid falling victim to a BEC scam:

  • Educate your employees
    • Have them monitor email addresses in their inboxes, to avoid spoofing or typosquatting.
    • Teach them to always question any emails requesting fast actions, whether they seem unusual or not; especially if the request is not following normal procedures.
    • Advise them to make a phone call to verify the legitimacy of a business partner or supplier
  • Use two-factor or multi-level authentication for initiating wire transfers.