Understanding business email compromise (BEC)
By ATB Financial 12 March 2021 9 min read
As businesses move day-to-day activities online, they rely more heavily on the internet to manage communication. That technology is not bullet-proof when it comes to security, which is why knowledge of the fraud risks specific to the digital space is so important. Since 2013, criminal organizations have been exploiting the business sector’s reliance on cloud-based email infrastructure to perpetrate fraud.
And despite extensive awareness of business email compromise (BEC) schemes, organizations of all sizes continue to be defrauded at a staggering rate across Alberta, Canada and even abroad. Companies in every sector and industry are being targeted, even those with robust cyber security systems. So what can organizations do to protect themselves?
What does BEC mean for Alberta businesses
Distracted by headlines of attacks in other countries, Alberta businesses may be lulled into believing they have more time to protect their business from these scams than they actually do. As Aisha Kitchlew, Senior Manager of Fraud and Cybercrime at ATB confirms, BEC scams were very common before the pandemic, so why should this be a topic of concern in 2021?
“Organizations and businesses are using personal devices and home network connections for work purposes, putting them at a higher risk of a cyber attack. Some organizations may not have enough control over these devices or networks in order to best protect themselves from a scam like this. Because of the human element embedded into a sophisticated scam like a BEC, it can be very easy to overlook the red flags,” shares Kitchlew.
Cyber criminals are zeroing in on BEC as their preferred modus operandi for a good reason: it’s extremely lucrative. Sometimes loosely called “man-in-the-middle” schemes (the attacker inserts themself into a legitimate business conversation rather than intercepting network traffic), BEC can be carried out through a number of methods, giving cyber criminals multiple ways of executing a scam.
Perpetrators are sophisticated, organized and well funded, so most victims do not detect the fraud until it’s too late. Cyber criminals also favour this type of fraud because it has low technology requirements, the risk of criminal prosecution is low and success rates are very high.
How does BEC work?
There are numerous executions of these types of scams, each with several variations, but the end goal is always the same. Fraud threat groups compromise or imitate official business email accounts of the targeted victim and impersonate trusted identities, such as executives or senior leadership, who have the authority to request fund transfers of large monetary value. The fraud actor either registers an email address that mimics the address belonging to the person of authority (known as spoofing) or compromises the actual email inbox by obtaining the email credentials. Both methods are used to request fraudulent and unauthorized fund transfers. Often there is an element of “urgency”: the impersonated executive is off-site or cannot be reached but has requested that the transfer be executed immediately. The impersonator then sends several follow-ups, usually by email, to make sure the request is completed quickly, before any red flags are noticed.
The cost of BEC fraud to Canadian businesses
Globally, the FBI reports that between June 2016 and July 2019 it received 166,349 reports of business email compromise incidents, with total losses of $26,201,775,589 USD. Sadly, $26 billion USD in losses is a conservative estimate, as many attacks are never reported.
According to the Canadian Anti-Fraud Centre (CAFC), average losses in each case are typically over $100,000 CAD and of over forty different types of fraud methods reported, BEC is currently the second highest when measured by monetary losses.
Who is the target of a BEC attack?
Criminals look for organizations of all sizes in industries that regularly send wire transfers or other external fund transfers to pay suppliers and vendors for goods and services. In most cases, these businesses have high volumes of outgoing transactions with similar characteristics, which allows the fraudulent transfers or requests to look like normal day-to-day transaction behaviour.
In 2017, Fortune reported that Google and Facebook had both been scammed a total of $100 million USD by the same fraud threat group using a BEC phishing scheme. While the fraud actor was eventually sentenced and the lion’s share of the money recovered and returned to each organization, it’s important to note that few attacks of this scale have a positive outcome of recouping money lost due to fraud.
Know how to spot the different types of BEC
Understanding the different types of business email compromise (also known as email account compromise, business email fraud or man-in-the-middle scams) will help you assess your organization’s exposure to its many forms and develop strategies to mitigate an attack on your business.
Spoofed email accounts: How it works: The fraud actor registers an email address that mimics a high-level executive’s address, often with only one or two characters changed, especially in the domain name. For example, one letter of the domain may be doubled or substituted (such as an extra ‘c’), which is easy to miss at a glance. The fraud actor does not need access to your email account to execute this attack.
Phishing email accounts: How it works: The fraud actor obtains the mailbox credentials, typically through a phishing email or malware installed on the computer, and can then read, send and receive email from the victim’s mailbox. Usually the fraud actor will delete sent emails and turn off notifications, often by creating mailbox rules that delete or hide messages, so the victim may be unaware that any emails were sent from the mailbox or that replies arrived.
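The lookalike-domain trick described under “Spoofed email accounts” can be screened for automatically. The following is an added example, not code from ATB or the original article: it folds common homoglyph substitutions (for example “rn” for “m”, “0” for “o”), compares the sender’s domain against a constructed allowlist of domains the organization actually corresponds with, and flags domains within a small edit distance, as well as a Reply-To that points somewhere other than the sending domain. The allowlist, the homoglyph table and the sample addresses are all assumptions made for the example.

```python
"""Screen sender addresses for lookalike domains and mismatched Reply-To (added example)."""
import unicodedata
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed allowlist: domains this organisation genuinely exchanges mail with.
TRUSTED_DOMAINS = {"example-corp.com", "supplier.example"}

# Character sequences attackers substitute for ASCII letters, folded back to the letter.
# Deliberately small; extend it for your own alphabet and brands.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Fold case, accents, full-width forms and common homoglyphs so lookalikes compare equal."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for lookalike, letter in HOMOGLYPHS.items():
        text = text.replace(lookalike, letter)
    return text


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Extract the domain from 'user@domain' or 'Display Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


@dataclass
class Finding:
    header: str   # which header triggered the finding
    value: str    # the raw header value
    reason: str   # human-readable explanation


def screen_message(from_addr: str, reply_to: Optional[str] = None,
                   trusted: Iterable[str] = TRUSTED_DOMAINS,
                   max_distance: int = 2) -> List[Finding]:
    """Return findings for a message; an empty list means nothing looked suspicious."""
    findings: List[Finding] = []
    sender_domain = domain_of(from_addr)
    trusted = set(trusted)
    if sender_domain not in trusted:
        norm = normalize_domain(sender_domain)
        for good in sorted(trusted):          # sorted for a deterministic verdict
            good_norm = normalize_domain(good)
            if norm == good_norm:
                findings.append(Finding("From", from_addr, f"homoglyph lookalike of {good}"))
                break
            dist = edit_distance(norm, good_norm)
            if dist <= max_distance:
                findings.append(Finding("From", from_addr,
                                        f"typosquat of {good} (edit distance {dist})"))
                break
    # A Reply-To on a different domain routes the conversation away from the apparent sender.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(Finding("Reply-To", reply_to,
                                "reply-to domain differs from sender domain"))
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    for frm, rto in [("ceo@example-corp.com", None),
                     ("CEO <ceo@exarnple-corp.com>", None),
                     ("ap@supplier.exampel", None),
                     ("ceo@example-corp.com", "ceo@webmail.example")]:
        for f in screen_message(frm, rto):
            print(f"{f.header}: {f.value} -> {f.reason}")
```

A hit from this screen is a reason to verify the request out of band (the callback step in the policy section below), not proof of fraud: a legitimate new supplier with a similar name will also trip the edit-distance check, which is exactly the case a human should look at.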
How to prevent attacks
BEC fraud can appear to be pretty sophisticated however, it is often very simple to execute. There are several practical and cost-effective ways organizations of all sizes can reduce their exposure:
- Create a BEC Policy and implement the required controls.
Document the best practices, procedures and security measures to follow. Verify any requested changes, especially to bank account or payment details. Pull contact information from an independent source (e.g. the company’s website or switchboard) and use a different channel than the one the request arrived on (e.g. a phone call). Require multiple levels of sign-off for any movement of funds and ensure that appropriate segregation of duties is in place. Have sign-off measures in place for requested changes to payment details.
- Train and educate all employees on BEC Policy and Security Procedures. It is important to think of fraud prevention as everyone’s responsibility, and not solely an IT control. Train and test those with the responsibility to make payments on red flags, so they know what to look for and can identify any scams before it’s too late. Create a culture of awareness so that your team members can report any incidents (real or attempted) immediately. Your financial institution is in a much better position to partner with you when they are notified immediately.
- Conduct an assessment of your IT security. Whether you hire an outside agency or conduct a risk assessment internally, it’s important to identify your technology vulnerabilities, especially to your email system. Small changes such as applying advanced filters and limiting permissions can help secure your network and block access points to reduce the likelihood of a BEC attack.
- Keep software and security measures current. March is Fraud Prevention Month and October is Cyber Security Awareness Month; use them as regular reminders to evaluate your fraud prevention programs. Visit the Association of Certified Fraud Examiners, the Canadian Centre for Cyber Security, Chartered Professional Accountants of Canada and ATB for updates on fraud trends, and access free resources and toolkits to improve your online security and fraud prevention measures. Protect yourself from a cyber attack by taking the Association of Certified Fraud Examiners (ACFE) fraud prevention check-up.
- Report incidents and keep evolving and strengthening your defences. Recent advances in AI-powered email defences add another layer that can help businesses hold their ground against the volume of BEC attempts, but they complement, rather than replace, the verification controls above.
What to do if your company is a victim of a business email compromise (BEC) attack
If you believe you have been the victim of a BEC attack, follow these 6 steps:
- Contact your financial institution immediately. The sooner they are aware of the situation, the more efficiently they can support you.
- Take action. Consider using a reputable IT firm to assist in scanning your devices to ensure any malware is identified and promptly quarantined for removal. It is also very important to reset all impacted credentials and passwords such as online banking and email accounts.
- Notify. Contact the two main credit reporting agencies (Equifax and TransUnion) and provide details on the incident. Ensure that a fraud alert is placed on your credit reports for any future applications made using your identity. This will prompt the creditor to contact you at a phone number you provided before approving any additional lending or opening new accounts. You may consider placing a temporary security freeze on your credit report to stop any future activity from taking place.
- Report. Consider reporting to: Your local law enforcement agency to provide any details you know of the incident and The Canadian Anti-Fraud Centre (CAFC) as they collect information about fraud incidents across Canada (visit the CAFC website to learn about any next steps you should take).
- Protect yourself. Ensure you have enabled two-factor (or multi-factor) authentication, especially for banking and email services, and have a policy in place for proper password hygiene.
- Educate. The best defense against a fraud incident is education; understanding and knowing what you are up against will allow you to consider what controls are best suited for your business. Consider using resources such as the Canadian Anti-Fraud Centre website, in combination with ATB’s cyber security guide on how to protect your business from cyber theft and payment fraud.
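When resetting credentials after a suspected mailbox compromise (step 2 above), also audit the mailbox rules, because the “delete sent emails and turn off notifications” behaviour described under “Phishing email accounts” is usually implemented as inbox rules that survive a password reset. The following is an added example, not code from ATB or the article: it runs a set of simple checks over rule records. The record fields are modelled on those of an Exchange Online Get-InboxRule export as I understand them, the internal domain is an assumption, and the sample rules are constructed for the example.

```python
"""Audit exported mailbox rules for the hiding and forwarding patterns seen in BEC (added example)."""
import re
from typing import Dict, List

INTERNAL_DOMAIN = "example-corp.com"   # assumption: the organisation's own mail domain

# Folders attackers move mail into because nobody reads them.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}

# Words that a BEC actor filters on to intercept payment conversations and security alerts.
WATCH_WORDS = re.compile(
    r"\b(invoice|payment|wire|bank|transfer|remit|password|fraud|suspicious)\b", re.I)

# Constructed sample export: field names modelled on Exchange Online Get-InboxRule output.
SAMPLE_RULES = [
    {"Name": "Project mail", "Enabled": True,
     "FromAddressContainsWords": ["jira"], "MoveToFolder": "Projects"},
    {"Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment", "wire"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Backup", "Enabled": True,
     "ForwardTo": ["archive@mail-backup.example"], "MoveToFolder": "RSS Subscriptions"},
    {"Name": "Old rule", "Enabled": False, "RedirectTo": ["x@evil.example"]},
]


def audit_rule(rule: dict) -> List[str]:
    """Return the reasons a single rule looks suspicious (empty list = nothing found)."""
    reasons: List[str] = []
    if not rule.get("Enabled", True):
        return reasons                      # disabled rules do not act on mail
    # 1. Mail leaving the organisation via forward/redirect.
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for target in rule.get(field, []):
            if not target.lower().endswith("@" + INTERNAL_DOMAIN):
                reasons.append(f"{field} sends mail outside {INTERNAL_DOMAIN}: {target}")
    # 2. Mail made to disappear.
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to rarely-read folder '{rule['MoveToFolder']}'")
    if rule.get("MarkAsRead"):
        reasons.append("marks mail as read (suppresses the unread notification)")
    # 3. Rule keyed on payment or security-alert vocabulary.
    words = " ".join(rule.get("SubjectContainsWords", [])
                     + rule.get("SubjectOrBodyContainsWords", [])
                     + rule.get("BodyContainsWords", []))
    hits = sorted({m.lower() for m in WATCH_WORDS.findall(words)})
    if hits:
        reasons.append("matches payment/security keywords: " + ", ".join(hits))
    # 4. Names like "." or "-" are a common tell for rules created by an intruder.
    name = rule.get("Name", "").strip()
    if len(name) <= 2 or set(name) <= set(".-_ "):
        reasons.append(f"near-empty rule name {name!r}")
    return reasons


def audit_rules(rules: List[dict]) -> Dict[str, List[str]]:
    """Map rule name -> reasons for every rule that triggered at least one check."""
    return {r.get("Name", "?"): reasons for r in rules if (reasons := audit_rule(r))}


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES).items():
        print(f"Rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Run the audit against every mailbox that handles payments, not only the one reported, since an actor who has one set of credentials will often have phished colleagues from that account. Any rule flagged here should be disabled and documented as evidence before it is removed.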
Some of these emails can be really convincing, so it’s important that you stay on alert. Remember that no genuine company or authority will ask you to put in bank information through an email.
Every business is vulnerable to business email compromise regardless of size or industry. While you may have gone to great lengths to protect your physical assets, have you applied the ingenuity, innovation and determination to ensure your digital information is safe? As hackers continue to evolve in their approach, business leaders are called to be savvier than ever before. Integrating the right processes, controls and tools into your operational structure is crucial in mitigating risk.
Be aware of other types of online fraud outside of BEC
As hackers develop increasingly sophisticated tools to breach a rapidly growing technology landscape, it’s crucial to integrate a cyber security strategy to defend against a list of online fraud threats which evolve quickly. For instance, other types of fraud could include:
Vendor email compromise (also known as supplier phishing)
How it works: Involves businesses that have well established relationships with suppliers. The criminal uses a spoofed or compromised email account of the business, and requests the supplier to provide payment via wire transfer to a fraudulent account.
Phishing
How it works: Fraud actors call, email or text employees in an attempt to obtain sensitive information. Usually they mimic a genuine site, company, governing body or even a fellow employee so that you believe they are the real deal and that it is safe to hand over your information. Many of these messages tell you that you need to reconfirm, re-enter or input your bank details (or something similar) in order to receive a refund, pay postage on something you supposedly ordered (never anything specific) or unlock your account.
- Spear phishing: Phishing with a specific target in mind. The fraud actor researches the individual or organization and compromises email accounts in search of a specific piece of information or access.
- Vishing: Phishing scam done over the phone instead of email.
- SMiShing: Phishing scam perpetrated via SMS texts.