The Alarming Numbers Behind Business Email Compromise Scams

$2.3 billion stolen from 17,642 victims in at least 79 countries. These are the current figures for the growing scourge known as business email compromise (BEC) from 2013 to 2015. It is a version of highly targeted spear-phishing aimed not at stealing credentials but at directly stealing money – and it has proven to be highly effective.

The basic concept is worryingly simple. An attacker poses as a company executive and sends an email to the finance department. That email requests that funds be transferred to a specified account which is actually the attacker’s account. To some degree it relies on social engineering and knowledge of the company. All of this is easily found on the social networks. If a company is currently expanding into a new geographical region, and the names of the CEO and CFO are known and used, then funds transfers to that region would not be unexpected.

Trend Micro has analyzed the spoofed sender and the receiver in CEO frauds. The most popular ‘sender’ is the CEO at 31%, followed by the President at 17%. The most popular recipient is the CFO at just over 40%, followed by the director of finance at just under 10%. The email titles are generally simple, in keeping with what might be expected from a busy executive: ‘Transfer’, ‘Urgent’ or ‘Request’ are common.
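The sender/recipient/subject profile above is exactly the sort of thing a mail gateway rule can score. The following is an added example, not code from the article or from Trend Micro: a small heuristic that flags inbound mail whose display name matches a named executive while the sending domain is not the company's own, and that adds weight when the message is addressed to a finance role, carries a Reply-To that differs from the From address, or uses a terse subject such as "Transfer", "Urgent" or "Request". The company domain, executive roster, finance mailboxes and the two sample messages are all constructed for the demonstration.

```python
"""
Added example (not from the SecurityWeek article): score an RFC 822 message
for the CEO-fraud profile - executive display name, external sender domain,
finance recipient, terse payment-style subject. All names, domains and
messages below are constructed for the demonstration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed company data (assumption for the example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {            # lower-cased display name -> role
    "jane doe": "CEO",
    "john roe": "President",
}
FINANCE_ROLES = {"cfo@example.com", "finance.director@example.com"}
SUSPICIOUS_SUBJECT_WORDS = {"transfer", "urgent", "request"}

# A message is reported as suspicious at or above this total weight.
THRESHOLD = 3


def _addr(msg, header):
    """Return (display_name, address) for a header, both lower-cased."""
    name, addr = parseaddr(str(msg.get(header, "")))
    return name.strip().lower(), addr.strip().lower()


def score_bec(raw_message: str) -> dict:
    """Return {'score': int, 'suspicious': bool, 'reasons': [str]}."""
    msg = message_from_string(raw_message)
    from_name, from_addr = _addr(msg, "From")
    _, reply_addr = _addr(msg, "Reply-To")
    _, to_addr = _addr(msg, "To")
    subject = str(msg.get("Subject", "")).strip().lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    findings = []  # (weight, reason)

    # Strongest signal: an executive's name on a message that did not come
    # from the company's own domain (the classic spoofed-CEO pattern).
    role = EXECUTIVES.get(from_name)
    if role and from_domain != COMPANY_DOMAIN:
        findings.append((3, f"display name of {role} with external domain {from_domain}"))

    # Replies silently redirected to a different mailbox.
    if reply_addr and reply_addr != from_addr:
        findings.append((1, f"Reply-To {reply_addr} differs from From {from_addr}"))

    # The people who can actually move money.
    if to_addr in FINANCE_ROLES:
        findings.append((1, f"addressed to finance mailbox {to_addr}"))

    # Subjects a busy executive might plausibly send: 'Transfer', 'Urgent', 'Request'.
    words = {w.strip(":,.!?") for w in subject.split()}
    if words & SUSPICIOUS_SUBJECT_WORDS:
        findings.append((1, f"terse payment-style subject '{subject}'"))

    score = sum(w for w, _ in findings)
    return {
        "score": score,
        "suspicious": score >= THRESHOLD,
        "reasons": [r for _, r in findings],
    }


# Constructed sample messages for the demonstration.
SAMPLE_SCAM = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: jane.doe@example-mail.net
To: cfo@example.com
Subject: Urgent

Are you at your desk? I need a transfer processed today.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 budget review

Slides attached for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, score_bec(sample))
```

The check is deliberately about content, not authentication: it does not verify that the message passed SPF, DKIM or DMARC, and because it compares the sender domain against an exact match, a message whose From address is forged to be the company's own domain would only be caught by the other indicators or by DMARC enforcement. It is meant as one layer beside mail authentication, not a replacement for it.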

This is the basic CEO fraud (also known as the ‘fraude au president’ in parts of Europe because of its particular success in France). Trend Micro includes two further variants, which it defines as ‘bogus invoice scheme’ and ‘account compromise’. In both of these scams an employee’s email account is first compromised. In the former, usually involving a company with foreign customers, the attacker asks the customer to make payments into a new bank account – the attacker’s. In the latter, bogus invoices are sent to multiple customers found on the compromised employee’s contacts list.

The CEO fraud does not necessarily require the use of malware, but can rely entirely on the social engineering within the spoofed email. The other variants require that a relevant employee’s email account is first compromised. Trend Micro has analyzed the known scams, and has concluded, “Most malware used in BEC schemes are off-the-shelf variants, ones that can be easily purchased online for a cheap price. Some malware can be bought for as much as $50, while some are far cheaper, or even available for free.”

Any malware that includes a key logger can simply record email passwords as they are typed, or the malware could access the passwords in browser stores. “We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass,” comments Rapid7’s security research manager, Tod Beardsley. “It’s just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.”

The solutions to CEO fraud are simple and obvious, but are clearly not working effectively. Technology can be used to lessen the chance of malware infection and to scan outgoing emails. Technology alone, however, is never enough, and won’t stop scams based on social engineering. Here simulated phishing campaigns have proved very effective in raising employee security awareness. Some training campaigns have hesitated to ‘phish’ the C-Suite. BEC scams suggest that all employees, from the newest recruit to the CEO himself, should undergo staff awareness training – including simulated phishing.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
