Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

The Alarming Numbers Behind Business Email Compromise Scams

$2.3 billion stolen from 17,642 victims in at least 79 countries. These are the current figures for the growing scourge known as business email compromise (BEC) from 2013 to 2015.

$2.3 billion stolen from 17,642 victims in at least 79 countries. These are the current figures for the growing scourge known as business email compromise (BEC) from 2013 to 2015. It is a version of highly targeted spear-phishing aimed not at stealing credentials but at directly stealing money – and it has proven to be highly effective.

The basic concept is worryingly simple. An attacker poses as a company executive and sends an email to the finance department. That email requests that funds be transferred to a specified account which is actually the attacker’s account. To some degree it relies on social engineering and knowledge of the company. All of this is easily found on the social networks. If a company is currently expanding into a new geographical region, and the names of the CEO and CFO are known and used, then funds transfers to that region would not be unexpected.

Trend Micro has analyzed the spoofed sender and the receiver in CEO frauds. The most popular ‘sender’ is the CEO at 31%, followed by the President at 17%. The most popular recipient is the CFO at just over 40%, followed by the director of finance at just under 10%. The email titles are generally simple, in keeping with what might be expected from a busy executive: ‘Transfer’, ‘Urgent’ or ‘Request’ are common.

This is the basic CEO fraud (also known as the ‘fraude au president’ in parts of Europe because of its particular success in France). Trend Micro includes two further variants, which it defines as ‘bogus invoice scheme’ and ‘account compromise’. In both of these scams an employee’s email account is first compromised. In the former, usually involving a company with foreign customers, the attacker asks the customer to make payments into a new bank account – the attacker’s. In the latter, bogus invoices are sent to multiple customers found on the compromised employee’s contacts list.

The CEO fraud does not necessarily require the use of malware, but can rely entirely on the social engineering within the spoofed email. The other variants require that a relevant employee’s email account is first compromised. Trend Micro has analyzed the known scams, and has concluded, “Most malware used in BEC schemes are off-the-shelf variants, ones that can be easily purchased online for a cheap price. Some malware can be bought for as much as $50, while some are far cheaper, or even available for free.”

Any malware that includes a key logger can simply record email passwords as they are typed, or the malware could access the passwords in browser stores. “We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass,” comments Rapid7’s security research manager, Tod Beardsley. It’s just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.”

The solutions to CEO fraud are simple and obvious; but are clearly not working effectively. Technology can be used to lessen the chance of malware infection and to scan outgoing emails. Technology alone, however, is never enough; and won’t stop scams based on social engineering. Here simulated phishing campaigns have proved very effective in raising employee security awareness. Some training campaigns have hesitated to ‘phish’ the C-Suite. BEC scams suggest that all employees, from the newest recruit to the CEO himself, should undergo staff awareness training – including simulated phishing.

Related: Stolen LinkedIn Data Used in Personalized Email Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...