Business Email Compromise, or simply BEC, is a scam that business people of any prominence can experience. 

Recently though this fraud hit the popular Barbara Corcoran, one of the five judges of the “Shark Tank” TV show. While the celebrity wasn’t managing the email correspondence herself, she still lost $388,700. 

The BEC scam actually ran through Corcoran’s bookkeeper, who received an invoice from a scammer, who posed as the personal assistant of the businesswoman. The invoice asked the funds to be transferred to a FFH CONCEPT GmbH company, on a German-based bank account. 

The request seemed genuine, as Barbara Corcoran constantly invests in real estate renovations.

BEC Email Spoofed The Address Of The Real Assistant

The bookkeeper didn’t notice anything suspicious, failing to spot any signs of spoofing.

“Spoofing – a technique used in phishing attacks to boost their trustworthiness where the threat actor impersonates a credible entity.” – The Art of Email Security.

As it was reported, scammers emailed the bookkeeper from the address that looked close to the address of the executive assistant, but was still altered. Unlike the media giants claim, it wasn’t phishing. Phishing attacks take your credentials most of the time, or lure you to interact with malicious attachments, which is not the case here.

While phishing can be a part of the BEC scam, it wasn’t used in this situation.

Most likely, scammers discovered emails of both bookkeeper and executive assistant through a compromised third party, who also interacted with them before, or infected an open email relay. At the end of the day, the money was gone, and the real assistant found out about this operation only after getting a new email from the bookkeeper, confirming the wire transfer.

Sadly, screenshots provided by TMZ do not tell the whole story, as we only got to see emails that lead to the wire transfer. Still, that’s why these days companies have automatic marking for external emails, to avoid situations like this one.

Of course, you can’t stop BEC only relying on markings. To find out more about proactive measures that should be taken to reduce the chance of this fraud catching you, please review my blog post called “The Annual PSA From The FBI: Three More Letters That Stand Behind A $26 Billion Scam”.

No Money BEC, But No Sleep Lost

“The scammer disappeared and I’m told that it’s a common practice, and I won’t be getting the money back. I was upset at first, but then remembered it was only money,” shares Corcoran.

It’s good to see someone react to this scam so light-heartedly, but why is it a common practice to say goodbye to your money after you have experienced a BEC scam?

Well, hackers are not careless enough to give their personal credentials to get the stolen money. 

Instead the swindled funds first go through a bunch of money “mules” - compromised accounts of innocent businesses, or people desperate for a job, who are willing to pass the money through their own accounts for a cut. Such workers often don’t realize that they are covering up for the criminals. 

Sometimes stolen funds are converted into gift cards that get spent immediately, or sold on to someone else. Catching the criminal in this case becomes problematic, or nearly impossible, if the wrongdoing is discovered days after the transfer.

To read more about money mules, I recommend you to look at the article “Inside ‘Evil Corp’ a $100M Cybercrime Menace” written by Brian Krebs.

Business Email Compromise is rampant, it comes in different forms, and targets businesses of all sizes. BEC is a pain you don’t want to experience yourself, so please be careful working with receipts, and don’t rely solely on email to perform this task.