
A Conversation with the FBI Cybercrimes Division

Since January 2015, losses from Business Email Compromise scams (often called BEC) have increased 270 percent, according to the FBI cybercrimes division. While CEO Fraud is the most common and fastest growing version, the entire class of business email compromises relies on the same social engineering and targeting of human behavior and emotions. Preston Ackerman of the FBI's cybercrimes division recently discussed this cybercrime wave and how to defend against it with SANS' Director of Security Awareness, Lance Spitzner. Here are the key takeaways.

"The stories they're telling are very good. They're playing on human emotion. No technology is going to be able to defend against that."

CEO Fraud Basics

Business email compromise (BEC) or business email scams (BES) are a group of scams where criminals do research on your organization, identify a senior executive, and then pretend to be that senior executive. A cybercriminal emails a fake message from the executive to fool someone at the organization into wiring funds to a fraudulent bank account. Mr. Spitzner outlined the goal of these scams: "Usually their goal, almost always, is money." He describes the essence of a BEC attack: The bad guy researches your company. You probably have a lot of information on senior leadership or key individuals on LinkedIn, your public website, Google, forums, etc.

The bad guys then identify these key folks and then do a deep dive on them. They harvest the executive LinkedIn accounts, maybe even see if they can link into the executive. Then, they identify who's handling the money. Quite often it’s accounts payable. Then the criminals craft their message, craft their attack, launch, and boom! They trick or fool people into sending or doing something they shouldn't do.

The most common attack is CEO Fraud.

CEO Fraud

In the classic CEO Fraud scenario, a criminal either hacks or spoofs an executive's email account. The criminal then masquerades as the executive and sends a request to an employee who handles payment transfers, requesting a wire transfer. This is where social engineering comes into play.

The message is often sent with a sense of urgency, or possibly while the executive is traveling or at the end of the work week. The criminals play on human emotions knowing that no employee wants to disappoint his boss and everybody wants to get the work week wrapped up successfully. All too often, the employee believes it is the executive sending the message, and executes the transfer.

Bogus invoice scheme

According to Mr. Ackerman, another common BEC variation is the Bogus Invoice Scheme, where the attacker sends fake invoices to existing customers. The criminal identifies customers through the employee's contact list and/or previous emails, then sends bogus invoices to those existing customers. The invoices contain banking information controlled by the criminals. Businesses are typically not aware of this fraud until they are contacted by customers who have detected it.

TIP: Periodically go through and verify recurring invoice payments to make sure they are legitimate.

Trusted foreign supplier scheme

In another scheme, fraudsters fake an email from a trusted foreign supplier, asking an employee to change where payment is sent. Businesses purchase goods from a trusted supplier and the goods are then shipped as expected. However, a fraudster sends an email to you requesting the payment be sent to a different location, typically a bank in China or Hong Kong. There's usually a simple story that the bank account is not working or it's being audited and the employee then redirects the payment to the new account, which is controlled by the criminal actor.

Attorney impersonation scheme

This scheme is a variation of the classic CEO fraud that tends to make it quite effective. It starts very similarly to the classic CEO fraud scenario, with a fraudster masquerading as the executive and sending an email about a business matter ("This business matter is urgent and it's confidential, so don't tell anybody else"). This is where the attorney scheme branches from CEO Fraud: the email advises the employee that an attorney will be in contact with them to facilitate the rest of the request. A plausible story is provided, such as a merger and acquisition. In order not to raise suspicions around the fraud, the bogus attorney then contacts the employee, often via phone, with a legitimate-sounding speaker and the correct accent, dialect, etc. The details of the fraudulent business transaction are then provided and carried out by the employee.

"Introducing an attorney adds legitimacy to the request," noted the FBI's Ackerman, "and having a supposed attorney in the equation means large dollar amounts are typically involved, so this story tends to cause some of the largest financial losses."

Note that most of these scenarios can potentially succeed either with an actual email account compromise or merely through spoofing the email.

What makes CEO fraud effective?

First, technology cannot defend against this attack. Most phishing technologies and most perimeter defense technologies are all about finding bad links or infected attachments. There are no bad links in these scenarios. There are no bad attachments in these types of attacks. It's all about scamming people, fooling them and conning them into doing something they shouldn't do. In addition, the criminals are getting good at these attacks. As SANS' Spitzner pointed out, "They're doing their research. They're identifying specific targets. They're identifying who the senior leadership is, the CEO, CFO, etc. and who has access to what. If it's wire transfers, then the criminals identify who is in accounts payable."

Why is CEO fraud a threat?

Ackerman stresses that these attacks are growing in size and in scope, with businesses of all sizes and types as targets. The FBI estimates these types of scams have cost organizations more than $2.3 billion since 2013, and incidents have occurred in nearly 80 countries.

FBI investigations reveal that these fraudsters use "safe houses" or "boiler rooms" to conduct their frauds. "These groups operate from apartments or hotel rooms, usually renting under fake names," Ackerman says. "Of course, they don't stay in one spot for very long, and they're even willing to move to different countries with some frequency to avoid detection."

The cyber-criminals use all the resources available in the cyber underground, Ackerman continues, including the capability to search for keywords on incoming messages on hacked email accounts and the purchase of email lists of Fortune 500 executives.

How you can avoid CEO fraud

The FBI recommends that you use a two-step authentication process to verify all email transactions. If your boss emails you a request for a wire transfer, for example, confirm it with a phone call. Another way to stop CEO Fraud is to be vigilant about email communication. "Be careful about spoofed emails, emails with a different 'reply to' address," suggests Ackerman.
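The "different reply-to address" warning above is something a mail gateway or SOC script can check mechanically. The following is an added example (not from the article or the FBI) that parses a raw message and flags three BEC indicators: a Reply-To domain that differs from the From domain, an executive's display name paired with an address outside the company domain, and the urgency/secrecy language the article describes. The company domain, executive names and sample messages are constructed, hypothetical values.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation data (hypothetical): our mail domain and the display
# names of executives most likely to be impersonated.
CORP_DOMAIN = "example-corp.com"
EXEC_NAMES = {"jane doe"}
URGENCY_WORDS = ("urgent", "confidential", "wire transfer", "today")

# Constructed sample: lookalike sender domain plus a webmail Reply-To.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts.payable@example-corp.com
Subject: Urgent wire transfer - confidential

Please process the wire transfer today and keep this confidential.
"""

# Constructed sample: a routine internal message that should not be flagged.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 report

Please review the attached Q3 report when you have a moment.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return the BEC warning signs found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []
    # 1. Replies would go to a domain other than the apparent sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("reply-to-mismatch")
    # 2. Executive's name on an external (lookalike or webmail) address.
    if from_name.strip().lower() in EXEC_NAMES and domain_of(from_addr) != CORP_DOMAIN:
        flags.append("exec-name-external-domain")
    # 3. Two or more urgency/secrecy cues in subject plus body text.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if sum(w in text for w in URGENCY_WORDS) >= 2:
        flags.append("urgency-language")
    return flags
```

Any non-empty result is a reason to route the message for the out-of-band phone confirmation the FBI recommends, not a verdict on its own.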

Employee education is probably the most important way of stopping CEO fraud. Train your staff to use precautions in all business transactions, especially wire transfer requests. Since the fraudsters use online information to dupe specific employees, instruct your staff to be careful about posting details about company activities on your website and social media accounts.

What to do if you are a victim of CEO fraud

The FBI’s Internet Crime Complaint Center (IC3) recommends that you contact your financial institution immediately. Ackerman also stresses that victims file a complaint with the IC3 by visiting https://www.ic3.gov/default.aspx.

“Time is often of the essence in recovering these funds,” Ackerman says. “We work closely with banks, and also with international law enforcement partners abroad. If we find out about one of these within the first 24 to even 48 hours sometimes, we are often able to recover all or most of the funds.”
