What Is BEC Fraud and How Does It Work?
Types of BEC Fraud Schemes. The ABCs of Preventing BEC Fraud.
The fact that criminals are actively using e-mail schemes to defraud public institutions, small and large businesses, and their clients is yesterday’s news. Because they use no malware or malicious URLs that standard cyber defenses can detect, BEC fraud schemes are difficult to trace. They rely on impersonation and other social engineering techniques to trick people into acting on the attacker’s behalf.
But what exactly is BEC fraud?
BEC fraud is a scheme in which cybercriminals gain access to a legitimate business email account through social engineering or computer intrusion, impersonate an employee – often someone who can authorize payments – and instruct others in the company to transfer funds on their behalf.
So how does BEC fraud work? Like all social engineering attacks, BEC attacks rely on the human factor in order to succeed. Since people have an instinctive desire to be helpful, they are likely to fall victim to BEC attacks. The desire to say ‘yes’ to a request overrides the desire to double-check whether everything is in order with that request in the first place.
Image Source: Interpol
According to eFraud Prevention, BEC fraud schemes can be broken down into three stages:
#1. BEC Fraud Compromises Victim Information and E-mail Accounts
A cybercriminal first accesses a victim’s e-mail account through social engineering or computer intrusion techniques. The hacker then exploits the victim’s e-mail account to gather information on the target’s financial data, financial institution, contacts, and related details.
#2. BEC Fraud Transmits Fraudulent Transaction Instructions
After obtaining the data mentioned above, the hacker uses it to e-mail fraudulent wire transfer instructions to the financial institution while impersonating the victim. In this stage, cybercriminals either use the victim’s actual e-mail account or create a fake e-mail account resembling it.
#3. BEC Fraud Executes Unauthorized Transactions
Finally, hackers trick the victim’s employees or financial institution into conducting wire transfers that appear legitimate but are, in fact, unauthorized. The instructions direct the wire transfers to the cybercriminals’ domestic or foreign bank accounts.
Types of BEC Fraud Schemes
According to the Federal Bureau of Investigation, there are 5 major types of BEC fraud schemes:
#1. CEO Fraud
In this type of BEC fraud scheme, the attackers position themselves as the CEO or executive of a company and typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker.
The threat actors don’t even have to be very tech-savvy or to actually hack into your systems. They can simply send you an email from an address that closely resembles the real email address of your CEO or another high-ranking executive within your company. Most of the time, people don’t double-check the spelling of an email address, especially when the request seems time-sensitive.
When it comes to CEO fraud, these emails ask for your immediate assistance with a sensitive matter. Since people are willing and eager to help others, especially their boss, they provide the hackers with the data they’re asking for, or they make the requested money transfer, and so on. Only later do they realize something is suspicious.
My colleague Miriam extensively wrote about our own case of CEO fraud, so feel free to read more and see how to better protect your business from this threat.
#2. Account Compromise
An employee’s email account is hacked and is used to request payments to vendors. Payments are then sent to fraudulent bank accounts owned by the attacker.
An employee’s account can be hacked in several ways: credential stuffing, phishing, spear-phishing, or even an insider threat. From there, threat actors can cause serious damage inside your company, from sending themselves money to stealing records, sensitive data, or the credentials for more internal accounts.
This BEC fraud scheme can get even more sophisticated from a technical point of view. Let me remind you of the infamous Emotet, which, once it infected a machine, exfiltrated full emails instead of just email addresses. The malware could then send you a reply email that quoted the entire thread of that conversation, making it appear legitimate.
Image Source: Interpol
#3. False Invoice Scheme
Threat actors commonly target foreign suppliers through this BEC fraud scheme. The scammer poses as the supplier, sends a fake invoice, either in your name to third parties or in the name of a partner, and requests money transfers to fraudulent accounts.
Before making their move, hackers monitor a company’s operations for a long time. They know exactly when to send an invoice and from whom, so it would not look suspicious to the people involved. If the email they are using seems legit and only the account where the money is to be sent is different, few employees are wise enough to suspect something’s amiss.
If the people targeted fall for it, the financial damage is already done by the time the fraud is discovered, and there is little chance of ever seeing that money back again. In some rare cases, your bank may be able to annul a transaction and get your company’s money back, but only if you respond to the incident in a very timely manner.
#4. Attorney Impersonation
This is when an attacker impersonates a lawyer or legal representative. Lower-level employees, who would not have the knowledge to question the validity of such a request, are commonly targeted through these attacks.
Hackers pose as the company’s attorney or legal firm, again asking for some sensitive data (information or documents) to be provided. If they obtain it, they can use the information to achieve their final purpose afterward (money or data theft, reputational damage, etc.).
Sometimes, they even go further and invent law firms, and people still positively respond to these requests and fall right into their trap.
#5. Data Theft
The last form of business email compromise we need to discuss is data theft through a BEC fraud scheme. These types of attacks usually target HR employees in an attempt to obtain personal or sensitive information about individuals within the company such as CEOs and executives. This data can then be leveraged for future attacks like CEO Fraud.
If they’re not selling the data, the hackers may be after credentials to bank accounts so they can empty them in a future strike.
In other cases, there may not even be threat actors behind the attack, but rather a disgruntled former employee (insider threat) who is looking to do some damage. Whichever the case, nothing good will come out of it.
The ABCs of Preventing BEC Fraud
Such attacks can be very difficult to identify due to the advanced social engineering techniques involved in planning and carrying out BEC fraud schemes. However, following these email security best practices will significantly cut down the chances of your company suffering the consequences of a successful BEC fraud scheme:
- Do people take devices home for remote work every now and then? Do they have to follow a specific protocol for that? Do they have limited admin rights on those devices? Make sure everyone in the company receives cybersecurity training; investing in employee education on email threats and email security best practices is the best way to prevent BEC attacks.
- Whenever you receive an email, make sure you always review the sender’s email address – sometimes cybercriminals create an account with an email address that is very similar to one on your company network.
- Make sure that the URL in emails is connected with the business it claims to be from.
- Keep an eye out for hyperlinks with misspellings of the actual domain name.
- Use strong passwords and two-factor authentication to help secure email accounts. You can always check out our Password Security Guide for Unhackable Credentials.
- Make sure your employees’ email clients are configured to display the full sender email address, not just the display name.
- Implement phone verification of payment changes and use secondary sign-offs.
- Monitor accounts on a regular basis for irregularities, such as missing deposits.
- Implement a comprehensive, fully managed cloud email security solution. The most effective way to mitigate the risk that BEC poses to your company is by investing in an email security solution that prevents malicious emails from reaching the inbox.
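Several of the checks in the list above (reviewing the sender’s address, spotting look-alike domains, and verifying payment-detail changes out of band) can be automated at the mail gateway or in a mailbox rule. The script below is an added example written for this article; it is not code from the original post or from Heimdal’s product. The company domain example-corp.com, the executive name, the vendor IBAN on file, the confusable-character list and the three sample messages are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for a hypothetical company (not real values).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe"}  # display names that must only ever arrive from COMPANY_DOMAIN
VENDOR_IBANS = {"billing@vendor-supplies.example": "DE89370400440532013000"}  # IBAN on file

# Illustrative subset of character swaps used to build look-alike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def normalize(domain):
    """Fold common confusable sequences so 'exarnple-c0rp.com' compares equal to the real domain."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def is_lookalike(domain, legit=COMPANY_DOMAIN):
    """True for a domain that is not `legit` but would pass a casual glance."""
    domain = domain.lower()
    if domain == legit:
        return False
    if normalize(domain) == normalize(legit):
        return True  # confusable-character swap
    return SequenceMatcher(None, domain, legit).ratio() >= 0.85  # typo-squat (e.g. dropped letter)


def analyze(raw_message):
    """Return a list of findings for one RFC 822 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Sender domain that imitates ours.
    if is_lookalike(from_domain):
        findings.append(f"look-alike sender domain: {from_domain}")
    # 2. Executive display name arriving from an external domain.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive display name '{name}' from external domain {from_domain}")
    # 3. Replies silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_to}")
    # 4. Known vendor sending an IBAN that differs from the one on file.
    body = msg.get_payload() if not msg.is_multipart() else ""
    known = VENDOR_IBANS.get(addr.lower())
    for iban in IBAN_RE.findall(body):
        if known and iban != known:
            findings.append(f"IBAN changed from {known} to {iban}: verify by phone before paying")
    return findings


# Constructed sample messages: a CEO-fraud attempt, a changed-invoice attempt, and a clean internal mail.
SAMPLES = {
    "ceo_fraud": (
        "From: Jane Doe <jane.doe@exarnple-corp.com>\n"
        "To: accounts@example-corp.com\n"
        "Subject: Urgent wire\n\n"
        "I need a transfer done today, will send details shortly.\n"
    ),
    "invoice_change": (
        "From: Vendor Supplies <billing@vendor-supplies.example>\n"
        "Reply-To: billing@vendor-supp1ies.example\n"
        "To: accounts@example-corp.com\n"
        "Subject: Updated bank details for invoice 4711\n\n"
        "Please pay invoice 4711 to our new account GB82WEST12345698765432.\n"
    ),
    "legit": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "To: accounts@example-corp.com\n"
        "Subject: Lunch\n\n"
        "Team lunch on Friday?\n"
    ),
}


def scan_samples():
    """Run every constructed sample through analyze() and return the findings per sample."""
    return {label: analyze(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(label, "->", findings or ["no findings"])
```

The confusable list and the 0.85 similarity threshold are deliberately simple; a production filter would use a full homoglyph table and the organisation’s real domain list, and an IBAN mismatch should trigger the phone verification step from the list rather than an automatic block or an automatic approval.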
Image Source: Interpol
Heimdal™ Email Security is a specialized add-on to any spam filter already in place. It pairs over 125 vectors to detect BEC fraud attempts and flag them properly. By combining email signature scans with word scans to detect changed IBAN codes and similar details, it lets no suspicious detail pass unnoticed.
Our product is available as part of a personalized Enterprise suite, or as a stand-alone module. With its complex network of vectors, the BEC protection cybersecurity product will automatically detect:
- Business Email Compromise (BEC)
- Email-deployed Malware
- Phishing and Spear Phishing
- Imposter Threats (Modified Invoices)
- CEO Fraud and Criminal Impersonation
- Man-in-the-email and Spoofing Attacks
- Malicious content in historical emails
Final Thoughts on BEC Fraud
Every year brings more news of successful BEC fraud scams. It’s usually public institutions, like city administrations or hospitals, that get targeted the most. But businesses also make ripe targets for scammers. According to FBI data, small and medium-sized organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defense.
Raising employee awareness about scams and BEC fraud is always a good idea, but businesses shouldn’t rely on it. Heimdal™ Email Security and its automatic scan vectors will help where human vigilance fails so that threat actors won’t stand a chance.