Business email compromise attack

Business Email Compromise (BEC) happens when someone receives an email supposedly from their company’s CFO, CEO or even their manager asking them to make a payment to a vendor account. It is also known as “fake CEO” fraud. In this type of fraud, the person making the payment is socially engineered into making a fraudulent payment.


As an attack vector, this is exploding into a huge problem and the attacks can result in huge losses, mostly to corporations. The amounts available to the average individual are nothing compared to the average corporation. There have been quite a few huge attacks in the last few months that have resulted in large amounts of funds being redirected to fraudulent accounts.

The FBI has released stats that show a 270% increase in BEC attacks with actual losses since January 2015.

[Figure: BEC stats]

There are a few variations to BEC attacks. The first scenario is when an email is received from a superior or a person in authority. This could be the CFO or CEO of the company seeming to ask an employee to make a payment or to change the account information. Another scenario is when a vendor supposedly sends an email asking that the account number be changed since they have changed banks or for some other reason. Any payments that are made to the vendor then get sent to the fraudster’s account. Instead of emails, phone calls (Vishing) or text messages (Smishing) are also prevalent.

The email itself can come from a hacked account or, more likely, a domain that looks very similar to the original domain name. For instance, instead of, it could come from The “r” and “n” next to each other look like an “m” (depending on the font used). In some cases, the domain may not even look like the original. If the recipient of the email went ahead and made the payment, the fraudster would typically make off with the money before the victim realized the fraud.
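The "rn" for "m" trick can be checked mechanically before a payment request reaches a person. The following is an added example, not code from the original post: it compares a sender's domain against a list of trusted domains and generalizes the "rn"/"m" case to a few other confusable sequences and to one-character typos. All domains and the `TRUSTED` list are constructed placeholders.

```python
# Added example: flag sender domains that imitate a trusted one.
# Every domain here is a constructed placeholder.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d")]
TRUSTED = {"example-farm.com", "vendor.example"}  # own domain + known vendors


def skeleton(domain):
    """Collapse visually confusable sequences to one canonical form."""
    s = domain.lower().rstrip(".")
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED):
    """Return (verdict, imitated_domain) for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for t in sorted(trusted):
        if skeleton(domain) == skeleton(t):
            return ("lookalike-confusable", t)  # e.g. "rn" standing in for "m"
        if edit_distance(domain, t) <= 1:
            return ("lookalike-typo", t)        # one character added/dropped/swapped
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("ceo@example-farm.com", "ceo@example-farrn.com",
                   "ap@vend0r.example", "ap@vendors.example", "x@unrelated.example"):
        print(sender, classify_sender(sender))
```

A "lookalike" verdict is a reason to hold the message for review; an "unknown" verdict only means the domain resembles nothing on the trusted list, not that it is safe.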

The problem for financial institutions is that it is the authorized user making the payment. There is not much they can do to stop fraudulent payments, or even identify a fraudulent payment (there are some exceptions). Standard authentication methods such as 2 Factor Authentication (2FA) do not work since it is the authorized user making the payment. It is up to the customer, the person making the payment, to ensure that they are making a valid payment.

Once a fraudulent payment is made, time is critical. The earlier customers reach out to their financial institution and report the fraud, the better the chances of recovering funds. However, if the fraud is not detected within a day (usually), in most cases the chances of recovery diminish drastically. The fraudster will take the payment out of the beneficiary account and be gone to spend his/her ill-gotten money.

The other issue that is material to the success of this type of fraudulent activity is the payment recipient’s financial institution and where the beneficiary account is located. In some countries, the rules and regulations are not suited to recovering the funds. Some financial institutions are more responsive than others to a stop payment request.

These issues make prevention the best solution, rather than chasing after the funds after a fraudulent payment is made.

So, how can this type of attack be prevented?
There are different kinds of controls that can be utilized. The problem is that the best and most effective controls need to be implemented by the customers, not the financial institution.

  1. Implement a verification process for all emailed instructions. This could be accomplished by:
    • A call back to the source of the email using a known phone number. Never call the number that is in the email itself.
    • Use of digital signatures to attest to the authenticity of the person requesting the payment. Keep in mind that this control will not work if your email system itself is compromised or an account/user within your system is compromised.

    Note that emailed instructions can be followed up by the fraudster with a phone call to check on the status of the payments or with more urgent instructions to get the payment made. The more urgent these requests for payment, the more wary you should be.

  2. Set up your email servers so that emails from external sources that claim to be from your domain are blocked.
    • Use the SPF record in your DNS entry to state which email servers are allowed to send email for your domain.
    • Set up your email server to verify SPF records for all the emails it receives.
    • Use DKIM and DMARC to detect and prevent email spoofing. You can set these even if you use an external provider to manage your email (e.g., Gmail for business or Office 365).
    • If your email system was compromised (rather than the fraudster setting up a similar looking domain), immediately lock the accounts or change the passwords to contain the damage. Then do the investigation of how the compromise occurred.
    • Set up your email servers to flag all emails originating from outside of your organization. You can add a prefix that says “EXTERNAL” to the subject of the email or add a message at the top of the email body that states that the message originated externally.
  3. Have the contact information of the Relationship Manager at your bank handy. You must also keep the phone numbers and email addresses of the bank fraud department or their help desk handy. In the event that a fraudulent payment is made, your first call should be to the bank to stop the funds leaving your bank. Once the money leaves your financial institution, the chances of funds recovery drop like a rock. If there is even an iota of doubt regarding a payment, stop the payment. Another payment can always be made if the doubt was unjustified.
  4. Check if your financial institution provides a dual transaction control mechanism, and if they do, enable it. This will require one user to create a payment and another to authorize the payment.
    • For this control to be effective, ideally, the payment creator and the authorizer should not be in a supervisor/subordinate relationship. However, this cannot be the case for a CEO, CFO or a similar senior role. All payment creators, regardless of position within the organization, must be empowered and encouraged to verify the authenticity of the payment instruction. Additionally, the authorizer must verify the payment details, including the beneficiary before approving the payment.
    • Having a maker/checker control in your online banking provides precious time and an opportunity to prevent fraud. The authorizer can stop the fraud without having to call the bank by just rejecting the payment or just not approving it until the authenticity of the payment is established.
  5. Check if your financial institution allows you to set daily transaction limits or even limits for individual transactions for users of their online payments system. If they do, set these to values that are within your risk appetite. Different users may have different limits. In the event of fraudulent payments being made, the limits will contain the damage and not empty your accounts all in one go.
  6. Be suspicious of all changes to account information. Fraudsters usually send an invoice from a known vendor to a victim and then contact them to change just the beneficiary account information. Validate changes to beneficiary bank account information, before you make them, with your vendor or 3rd party by using a different channel (out of band such as phone). Always use the information from your records and do not rely on information in the email or what the fraudster says.
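Step 2 above combines two gateway rules: block outside mail that claims your own domain without passing DMARC, and tag everything else that arrives from outside. The sketch below is an added example, not code from the original post, showing that logic for mail arriving from the internet. `OWN_DOMAIN`, `GATEWAY_ID`, the `[EXTERNAL]` prefix format and the sample messages are assumptions, and it presumes your gateway has already evaluated SPF/DKIM/DMARC and stamped an `Authentication-Results` header.

```python
# Added example: gateway triage for mail arriving from the internet.
# OWN_DOMAIN, GATEWAY_ID and the sample message are constructed assumptions.
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "corp.example"
GATEWAY_ID = "mx.corp.example"  # authserv-id our own gateway stamps


def dmarc_verdict(msg):
    """DMARC result from our gateway's Authentication-Results header only."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != GATEWAY_ID:
            continue  # a header with another authserv-id may be sender-supplied
        for part in results.split(";"):
            key, _, value = part.strip().lower().partition("=")
            if key == "dmarc" and value:
                return value.split()[0]
    return "none"


def triage(raw):
    """Return (action, subject) for one inbound message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Outside mail claiming our own domain must pass DMARC or it is blocked.
    if from_domain == OWN_DOMAIN and dmarc_verdict(msg) != "pass":
        return ("reject", subject)
    # Everything that came in from outside gets a visible marker.
    return ("deliver", "[EXTERNAL] " + subject)


def sample(from_hdr, auth_results, subject="Urgent wire transfer"):
    """Build a constructed test message."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_hdr}\nSubject: {subject}\n\nPlease pay today.\n")


if __name__ == "__main__":
    spoof = sample("CEO <ceo@corp.example>",
                   "mx.corp.example; spf=fail; dmarc=fail header.from=corp.example")
    print(triage(spoof))
```

Only the header stamped by your own gateway is trusted, because a sender can insert an `Authentication-Results` header claiming `dmarc=pass` under any other identifier.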

There are a few other steps financial institutions can take. However, that is a topic for another post. As mentioned earlier, the most effective controls for BEC are in the hands of the businesses and customers of the financial institutions.