Transnational criminal organizations are behind an emerging financial cyber threat called Business Email Compromise (BEC) [or Email Account Compromise (EAC)]. In this email-borne scam, criminals either gain access to a corporate email account or spoof its owner's identity, then use that trusted persona to defraud the company or its employees, customers or partners.
Targeting large and small companies in the U.S. and more than 100 countries worldwide, criminal teams of lawyers, linguists, hackers and social engineers are targeting employees with access to company finances and tricking them into making wire transfers to fraudulent bank accounts.
A variation of BEC involves compromising legitimate business email accounts and requesting Personally Identifiable Information (PII) or employee Wage & Tax Statement (W-2) Forms to fraudulently divert tax refunds or accomplish identity theft.
The perpetrators are practiced in the art of deception making use of such techniques as spear-phishing, email spoofing, social engineering, identity theft and malware.
Spear-Phishing: bogus emails, purportedly from a trusted sender, elicit confidential information from victims.
Spoofing (email accounts/websites): slight variations on legitimate addresses (a character added, dropped or swapped in an otherwise legitimate domain name) fool victims into thinking fake accounts are authentic. The criminals then use a spoofing tool, typically by setting the message's Reply-To address, to direct email responses to a different account that they control. The victim erroneously believes he is corresponding with his CEO or a trusted partner.
Social Engineering: an attack strategy that relies heavily on human interaction, manipulating executives to break normal security procedures and best practices so that criminals gain access to systems, networks or physical locations for financial gain.
Malware: malicious software infiltrates company networks and gains access to legitimate email threads about billing and invoices. That information is used to make sure the suspicions of an accountant or financial officer aren't raised when a fraudulent wire transfer is requested. Malware also gives criminals undetected access to a victim's data, including passwords and financial account information.
One common BEC or CEO impersonation scheme involves the criminal group gaining access to a company’s network through a spear-phishing and malware attack. Undetected, they may spend weeks or months studying the organization’s vendors, billing systems and the CEO’s style of email communication, even his travel schedule.
When the time is right, often when the CEO is away from the office, the scammers send a bogus email from the CEO to a targeted employee in the finance office - a bookkeeper, accountant, controller or Chief Financial Officer. A request is made for an immediate wire transfer, usually to a trusted vendor. The targeted employee believes he is sending money to a legitimate account. But the account numbers are slightly different, and the transfer ends up in an account controlled by the criminal group.
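The indicators described above (a lookalike sender domain, a Reply-To that diverts replies elsewhere, an executive's display name on an address that is not theirs, and payment instructions naming an account other than the one on file for the vendor) can be checked mechanically before a wire request reaches a human. The following is an added example, not code from the original page or from any organization it describes; the domains, executive name, vendor and account numbers are constructed for the example.

```python
"""Header and payload checks for a suspected BEC wire-transfer request (example code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# Constructed reference data (assumptions for this example): the organisation's own
# domain, the domains of vendors it pays, the executives whose names get impersonated,
# and the payment account currently on file for each vendor.
OWN_DOMAIN = "example-corp.com"
TRUSTED_DOMAINS = {OWN_DOMAIN, "acme-vendor.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
VENDOR_ACCOUNTS = {"Acme Vendor": "GB29NWBK60161331926819"}

# Rough IBAN shape: country code, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= 2:
            return t
    return None


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: str) -> list:
    """Return a list of findings; an empty list means no BEC indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Sender domain is a slight variation on a domain we trust.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike sender domain {from_domain} imitates {imitated}")

    # 2. Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but address {from_addr} is not {expected}")

    # 3. Reply-To sends responses to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} diverts replies away from {from_domain}")

    # 4. Payment instructions name an account that differs from the vendor's account on file.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for acct in IBAN_RE.findall(text):
        for vendor, on_file in VENDOR_ACCOUNTS.items():
            if vendor.lower() in text.lower() and acct != on_file:
                findings.append(f"account {acct} for {vendor} differs from account on file")
    return findings


# Constructed sample messages: one fraudulent CEO-impersonation request, one legitimate one.
FRAUD_MSG = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-examplecorp.net
To: controller@example-corp.com
Subject: Urgent wire - Acme Vendor invoice
Content-Type: text/plain; charset="utf-8"

I'm travelling and can't take calls. Please wire the Acme Vendor invoice today
to their updated account GB94BARC10201530093459. Keep this confidential.
"""

LEGIT_MSG = """\
From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Acme Vendor invoice
Content-Type: text/plain; charset="utf-8"

Please pay the Acme Vendor invoice to the usual account GB29NWBK60161331926819.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MSG), ("legit", LEGIT_MSG)):
        print(label, analyze_message(raw))
```

The distance threshold of two edits is deliberately loose and will false-positive on very short trusted domains; tune it per domain list. These checks are a screen, not a substitute for the control that defeats the scheme outright: confirming any change of payment details by calling the vendor or executive on a number already on file, never on one supplied in the email.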