If you were about to spend more than a million dollars, how careful would you be about where you sent the money?
More importantly, how would you check with the recipient of the money – and how would they check with you – that both ends of the transaction were lined up correctly, with no treachery in between?
It’s quite likely you’d have been emailing them back and forth for some time, negotiating the deal, agreeing terms and finalising payment…
…and therefore it’s quite likely that you’d email each other one last time before it all went through.
And if there were a last-minute change in payment details, you might be really relieved to hear about that, especially if the deal were time-critical, like a house purchase, a stock offer…
…or a £1,000,000 payment as part of a player transfer in the English Premier League – the richest soccer competition in the world, and the most-watched sports franchise on the planet. (Probably, although NFL, NHL, MLB and IPL fans may wish to disagree.)
After all, transfer windows are short, and transfer negotiations are complicated, so a payment that failed to go through at the last step could ruin a deal that had been months in the offing.
Well, according to a report entitled The Cyber Threat to Sports Organisations, released today by the UK’s National Cyber Security Centre, that almost happened, except that the new account number was fraudulent and rather than saving the deal at the last minute, the club would have lost the lot.
Apparently, one of the UK’s top football clubs – the report doesn’t say which one – almost paid out £1m ($1.25m) to crooks after a genuine-looking but fraudulent email convinced the club to nominate a new account to receive the funds.
Fortunately, the club’s bank flagged the transaction as suspicious, provoking further investigation and uncovering the scam.
As you can probably guess, that scam was what’s known as BEC, short for business email compromise.
BEC is something of a special category in the world of online crime – in fact, it’s probably better to refer to it as ‘internet-enabled crime’ than simply as cybercrime.
The criminals behind it don’t have to be programming wizards or malware authors; they don’t need elite hacking or exploit creating skills; and they don’t need the know-how to carry out network intrusions, lateral movements and so on.
What they do have is patience, persistence, self-belief and what you might call sociopathic-level skills in social engineering.
In old-school terminology, you’d call them confidence tricksters, though they are generally using the internet to manipulate victims, not their in-person charisma.
The basic idea behind BEC crime is surprisingly simple: get hold of the email password of someone of importance in the organisation, read all their email before they do, learn how they operate, find out what the company is up to and learn when big payments are coming up, in or out…
…and then take on the persona of the employee whose email was compromised in order to misdirect other employees, as well as creditors and debtors.
Thus the name business mail compromise, sometimes called CEO fraud or CFO fraud because those are the staff members whose email accounts typically deliver the most dramatic results for the crooks.
We try to avoid the terms CEO fraud and CFO fraud these days because those names wrongly imply that BEC depends specifically on the CEO or CFO getting hacked, and therefore if their accounts are intact, the company is safe. Many organisations don’t even use the job titles CEO and CFO, yet they too are at risk of exactly this sort of fraud.
As you can imagine, the typical corporate manipulation performed by BEC crooks is to get debtors to pay outstanding invoices into “new” bank accounts that belong to the criminal gang, or to instruct staff inside the company to pay outgoing invoices to phoney accounts instead of to genuine creditors, thus stealing money from both sides of the balance sheet.
BEC criminals use technology to help them misdirect humans, and once they have their operation running inside a company, they aim to keep the midirection going for as long as possible by mixing social engineering skills with their insider knowledge.
If a crook is inside your email, remember that they can not only send emails in your name, they can also: delete those emails from your outbox so you don’t even see they were sent; intercept and remove or modify any replies from colleagues who become suspicious and ask questions; mollify others in the company who are trying to raise the alarm; and threaten those who try to get in the way.
What to do?
Of course, this raises the tricky question, “If a crook has already snuck in, got into someone’s email, and is lying low looking for a chance to swindle the whole company, how on earth do you spot the fake emails that shoudln’t be there amongst all the real ones that are still flowing normally?”
Here are six tips to help you detect and prevent this sort of corporate manipulation:
- Turn on two-factor authentication (2FA) so that a password alone is not enough to access your accounts, especially email. Remember that your email account is probably the key to resetting passwords on many of your other accounts, including ones you use at work and at home.
- Look for features in your service providers’ products that can warn you when anomalies occur. Access monitoring tools help to detect logins that come from unusual places, or network activity that doesn’t fit your usual pattern. This can help you flush out crooks who have wriggled into your network or your email account. Talk to your bank about how they can add another layer of scam detection, too.
- Enforce a two-step (or more) process for making significant changes to accounts or service, especially changes in details for outgoing payments. Don’t just rely on simple “manager approval” click-throughs – implement independent checks by different teams, working in separate departments, looking for different indicators of scamminess.
- If you see anything that doesn’t look right in an email demanding your attention, assume you are being targeted. Crooks who try to impersonate your CEO or CFO might not make any mistakes, but often they do. Don’t let the crooks get away with slip-ups such as spelling mistakes or unlikely errors that ought to give them away. As carpenters like to say, “Measure twice, cut once.”
- If you want to check details with another company based on an email, especially when money is involved, never rely on contact data provided in the email. Find your own way to get hold of the other party using a different form of communication, for example using a phone number on printed documents that you already have.
- Consider using internal training tools to teach your staff about scams. In the football club case above, the crooks phished the CEO’s password using a fake Office 365 login page. Tools such as Sophos Phish Threat can test staff behaviour safely so that they can make their mistakes when it doesn’t actually matter, rather than when the crooks come calling.
By the way, if you’re wondering how much money is involved in BEC criminality, take a look at the story behind the recent arrest of an alleged BEC scammer in the USA who went by the name “Hushpuppi.”
Don’t let it happen to you!
Ron
Fantastic article Paul! I wrote about BEC for work some months back…I didn’t know about it as much as I do now and I must say…it’s quite the nasty phish. Heck even Email Account Compromise scams…instead of targeting businesses, they pursue people making large transactions such as home buyers…basically having the buyer think they are paying for the house but instead send the money off to the scammer. It’s eye opening for all the risk out there.
Paul Ducklin
It’s also a double-ended attack because if *you* get becced, your *customers* can be attacked by receiving an email from “you” to steal *their* money by paying it in to a new account that “you” told them to use.
I’ve heard of a case where both sides only realised the fraud when the company that had been hacked passed their “delinquent debtor” customer, thinking they had made on pyments, to a debt collector, who started hammering the customer for the unpaid accounts. As you can image, this caused great hurt and resentment on all sides, especially the customer’s! (Not sure who is liable in that sort of situation. I guess the hacked company would be expected to make good the unpaid debts by wiping them out because the customer acted in perfectly good faith.)
Pike
It does happen ..
https://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=12344399
El. Mich.
“Nice” story! As i did not really know the carpenter’s aphorism of “Measure twice cut once” i would like to add a little addendum we know in Germany, sorry for the not so really good translation: “Been (or having) cut twice and still too short!”
In general it would be great if people finally learned that You can have either a high level of security, not only relating to IT, or You can have a great level of “comfort”, but You can definitely not have both at the same time! Period! It’s just that simple though lots of vendors of security products like to claim otherwise for obvious reasons.
Reminds me of a customer i had (some 20 years ago) where i was responsible for large but unfortunately not all parts of the IT as an external freelancer. Firewall system i had chosen and implemented worked well but one of the two “CEOs” at that time for some ridiculous reason had wanted and let implement by some other contractor a direct way past the firewall to the general network to his personal PC by direct dial-in connection. After some months the company finally found out that this special PC was the way in for crooks that had caused five-digit damages by remote dialing of extremely expensive 0190- or 0900-telephone numbers respectively. Luckily enough for all employees it was on of the two chiefs that had caused these damages just for some definitely not really needed additional comfort for another contractor that did not discuss his implemented measures with me. And luckily enough for me too the CEO was honest enough to admit that it was solely his dam… mistake and not mine or anyone elses.
Thanks Paul for Your work and keep up the good work! :-) And pls. do have nice weekend too! :-)
Paul Ducklin
Thanks, I appreciate the kind words!
Christophe Dary
Using DMARC protocole to prevent email impersonation is not part of your advices to prevent BEC fraud?
Paul Ducklin
As the name suggests, BEC implies that the crooks *have already compromised your email*, so that the emails that get sent out to trick people *actually do come from your account*. The content of the emails is fake but the source of the emails is not, so they pass tests such as SPF and DMARC because they come from the right place.