September 25, 2019

The Annual PSA From The FBI: Three More Letters That Stand Behind A $26 Billion Scam

Blog Business Email Compromise

You don’t have to be in love with math to feel for the numbers, especially when they “go south”. 

Money going from corporate accounts straight to criminals through Business Email Compromise attacks are not as rare as you may think. 

Since the Internet Crime Complaint Center (IC3) started tracking this scam in October 2013, the numbers kept getting uglier. 

Here are just three of the latest public service announcements: 

May 04, 2017 - “Business Email Compromise the $5 billion scam” [1]

July 12, 2018 - “Business Email Compromise the $12 billion scam” [2]

September 10, 2019 - “Business Email Compromise the $26 billion scam” [3]

Such messages are designed to inform the potential targets and educate them, rather than suggest a solution to the problem. 

FBI has provided some recommendations on how to mitigate the threat, but even though that information is useful, it needs to be complemented by additional comments.

And before we even get down to the methods of BEC identification and prevention, we need to clear up some details about the scam in question.

A Confusing Alliance Of BEC/EAC - What’s The Difference? 

The first thing to clear up about the potential hazard is its name. 

When we see one abbreviation, we often catch another one - EAC or Email Account Compromise. Business Email Compromise and Email Account Compromise concepts are related, but they are not the same thing, even though IC3 tracks these scams as a single crime type.

To explain it, let’s define the Business Email Compromise.

Business Email Compromise or BEC is an email scam targeting businesses that usually work with foreign suppliers or make regular wire transfers.”

BEC has taken many forms, but often uses two attack methods: email spoofing or access to the corporate email account.


Method #1 - Spoofing Of The Trusted Source 

Email spoofing is a technique used in phishing attacks to boost the trustworthiness of the threat actor by impersonating a credible entity. 

For example, an executive of own or parent company, in what is also called a CEO fraud

In the CEO fraud scammers design their trap to look like an urgent message from the executive, asking employees with financial control to transfer corporate funds to a company from another country (so it would be harder to trail the transaction). 

Pressured by the request from their "management", targets often proceed with the request. To make the attack less obvious, CEO fraud relies more on spoofing to raise fewer red flags. 

If the account of the executive is compromised directly, there would be less need to involve the intermediaries and more valuable data up for grabs. 

One of the better cases to describe the CEO Fraud happened this year, and it involved an Indian unit of Tecnimont SpA - an Italian group in the engineering and main contracting sector.

Spoofing becomes possible because there’s no address authentication mechanism in the Simple Mail Transfer Protocol (SMTP). 

Because of that, attackers can send a trustworthy-looking email that the victim will react to, as it looks like it comes from a known, trusted or influential source.


Method #2 - Direct Email Compromise

Now, the second method of persuading the company to transfer funds is to compromise an account and not masquerade as one. 

That’s what Email Account Compromise is for.

It targets individuals and not businesses to start a fraudulent money transfer. 

Criminals research the individuals to execute a spear-phishing attack to get sensitive information, learn corporate habits or to monitor how they conduct financial transactions.

But it’s not all phishing.

Email Account Compromise can also be achieved by brute force attacks or by infecting the user with malware that harvests login credentials. 

Email Account Compromise can act as a starting point of a Business Email Compromise attack, but it is not an obligatory direction to take. 


A Fairly New Attack That Helps To Understand The Distinction

Let’s review a payroll scam to understand the difference.

In the payroll scam, instead of the urgent message demanding a wire transfer, the scammer compromises a corporate account of a regular employee. 

This access allows the attacker to intercept the invoice and change payment instructions to own credentials. In this method, attackers do not use social engineering as in the second approach.

If the scammer does not compromise an account, the adversary can still succeed by asking the unaware accountant or HR to change the banking details, as if the target had some banking changes and requested the data to be updated. 

Needless to say, the request comes from the account of the targeted employee. 

Payroll scam is not harming the company nearly as much as the CEO fraud, but it still falls into the category of Business Email Compromise attacks.

It’s easy to get confused in all the terms and technicalities, but one thing is for sure - email attacks on the corporate sector are happening and will not stop.


281 BEC Operators Cuffed In Operation reWired

On September 10, 2019, the FBI announced the arrest of 281 criminals taking part in BEC scams. 

As the report suggests, arrests happened in the United States, Nigeria, Turkey, Ghana, France, Italy, Japan, Kenya, Malaysia, and the United Kingdom. 

The scam was reported in 177 countries, with the most popular banks for fraudulent transfers being from China and Hong Kong.

We can consider an operation to be a moderate success, as it enabled a seizure of nearly $3.7 million and recovery of approximately $118 million in fraudulent wire transfers.

It’s not much, but this work still counts. 

Even though the FBI dedicates months to bust such criminal activities, we can only rely on ourselves to mitigate the threat of BEC scams and suppress the threat in its infancy.


This Is Your Wake-Up Call

Fear causes hesitation, and hesitation will cause your worst fears to come true.”

You may not be Bodhi, I may not be an FBI agent, but this is wild.

Before the start of the article, I could also quote Ben Harp…

You know nothing. In fact, you know less than nothing. If you knew that you knew nothing, then that would be something, but you don’t.”

But now this is not true. You know about the threat. We provided you with evidence of its existence, and you can even differentiate how adaptive this scam can be. But you still don’t have enough information to leave the situation as it is. In the public service announcement, we could see the tips given to prevent monetary losses.

  • Two-factor authentication on all accounts is crucial.
  • Always check email addresses - it can give out a spoofer.
  • Keep the attention level high when checking email URLs too.
  • Verify the validity of transfer request through secondary channels.
  • Do not disclose login credentials or personal data in emails.
  • Keep software up to date, patch it carefully.
  • Monitor financial accounts regularly.

That’s solid advice and enough little pointers to decrease the risk of Business Email Compromise, but as practice shows, education alone is not the answer to this problem. 

An email security solution may be necessary to make it harder for your employees to make a hefty mistake.


Why StealthMail Is Ideal For BEC Threats Prevention?

As we revised a lot of material already and highlighted enough problems, it wouldn’t be the best time to pretty up our solution for too long.

Because of that, we can offer you 7 reasons that will speak louder than thousands of words. 

  1. Device fingerprinting ensures criminals cannot access compromised accounts to send malicious emails. It also prevents employees from using unauthorized devices.
  2. Both the sender and the recipient are verified by multi-factor verification to address any impersonation concerns.
  3. Data always stays within a secure corporate cloud, making it impossible to eavesdrop or gather information over email to craft a BEC attack on the organization. 
  4. StealthTalk encrypts data on the device, in use, at rest, or in transit to rule out the possibility of MITM-type attack. 
  5. Exclusive control over encryption keys allows the organization to deploy the encryption key server at its facility. Neither StealthMail, nor Microsoft, or any other third-party can decrypt and read secure emails.
  6. No changes to the existing IT infrastructure are needed to deploy StealthMail. The organization and employees can continue using Outlook and their email addresses to exchange secure emails.
  7. No integration is required and the StealthMail solution can be deployed in four hours.

If you want to learn more about StealthMail features, types of encryption used, system requirements, and how it all works together to help you prevent BEC, then you can download StealthMail Datasheet for free today. 

To summarize, the BEC threat is running rampant and it sweeps not only the biggest corporations, but people with the biggest targets on their backs.

My blog couldn't proceed your request right now.

Please try again a bit later.

Thank you for contacting me!

I will get back to you as soon as I can.

Contact me


My blog couldn't proceed your request right now.

Please try again a bit later.

Thank you for subscribing!

I added you to my emailing list. Will let you know as soon as I have something interesting.

Subscribe for email updates