Business Email Compromise (BEC) happens when someone receives an email supposedly from their companies CFO, CEO or even their manager asking them to make a payment to a vendor account. It is also known as “fake CEO” fraud. In this type of fraud, the person making the payment is socially engineered to make a fraudulent payment.
As an attack vector, this is exploding into a huge problem and the attacks can result in huge losses, mostly to corporations. The amounts available to the average individual are nothing compared to the average corporation. There have been quite a few huge attacks in the last few months that have resulted in large amounts of funds being redirected to fraudulent accounts.
The FBI has released stats that show a 270% increase in BEC attacks with actual losses since January 2015.
There are a few variations to BEC attacks. The first scenario is when an email is received from a superior or a person in authority. This could be the CFO or CEO of the company seeming to ask an employee to make a payment or to change the account information. Another scenario is when a vendor supposedly sends an email asking that the account number be changed since they have changed banks or some other reason. Any payments that are made to the vendor then get sent to the fraudster’s account.
The email itself can come from a hacked account or more possibly, a domain that looks very similar to the original domain name. For instance, instead of firstname.lastname@example.org, it could come from email@example.com. The “r” and “n” next to each other look like an “m” (depending on the font used). In some cases, the domain may not even look like the original. If the recipient of the emails went ahead and made the payment, the fraudster would typically make off with the money before the victim realized the fraud.
The problem for financial institutions is that it is the authorized user making the payment. There is not much they can do to stop fraudulent payments, or even identify a fraudulent payment (there are some exceptions). Standard authentication methods such as 2 Factor Authentication (2FA) do not work since it is the authorized user making the payment. It is up to the customer, the person making the payment, to ensure that they are making a valid payment.
Once a fraudulent payment is made, time is critical. The earlier customers reach out to their financial institution and report the fraud, the better the chances of recovering funds. However, if the fraud is not detected within a day (usually), in most cases the chances of recovery diminish drastically. The fraudster will take the payment out of the beneficiary account and be gone to spend his/her ill-gotten money.
The other issue that is material to the success of this type of fraudulent activity is the payment recipient’s financial institution and where the beneficiary account is located. In some countries, the rules and regulations are not suited to recovering the funds. Some financial institutions are more responsive than others to a stop payment request.
These issues make prevention the best solution, rather than chasing after the funds after a fraudulent payment is made.
So, how can this type of attack be prevented? There are different kinds of controls that can be utilized. The problem is that the best and most effective controls need to be implemented by the customers, not the financial institution.
- Implement a verifying process for all emailed instructions. This could be accomplished by
- A call back to the source of the email using a known phone number. Never call the number that is in the email itself.
- Use of digital signatures to attest to the authenticity of the person requesting the payment. Keep in mind that this control will not work if your email system itself is compromised or an account/user within your system is compromised.
Note that emailed instructions can followed up with phone call to check on the status of the payments or more urgent instructions to get the payment made. The more urgent these requests for payment, the more wary you should be.
- Set up you email servers so that email from external sources that claim to be from your domain
- Use the SPF record in your DNS entry to state which email servers are allowed to send email for your domain.
- Set up your email server to verify SPF records for all the emails it receives.
- Check if your financial institution provides a dual transaction control mechanism. This will require one user to create a payment and another to authorize the payment.
- This control will only work if the creator and the authorizer are not in a supervisor/subordinate relationship. Additionally, the authorizer must verify that the recipient of the payment is verified.
- Be suspicious of all changes to account information. Fraudsters usually send an invoice from a known vendor to a victim and then contact them to change just the beneficiary account information.
There are some measures that financial institutions can take. However, I wish to mention only 2 of these, without going into too much detail.
- They should share known fraudulent beneficiary account information. Currently, each institution has its own database. So, the same beneficiary account can be used to con people using different institutions, at least until the financial institution that the beneficiary account belongs to wises up and blocks the account.
If a check is made to a shared database before a payment is made, then the chances of multiple instances of fraud are minimized.
- Account opening procedures need to be tightened. However, the use of mule accounts (where a regular person is co-opted into the fraud scheme to move money around) will get around that. The consequences for mules need to be significant enough to be a deterrent.
There are a few other steps financial institutions can take. However, that is a topic for another post. As mentioned earlier, the most effective controls for BEC are in the hands of the businesses and customers of the financial institutions.