Facts:
According to IC3, the most costly form of cybercrime is Business Email Compromise, also known as BEC.
A typical BEC scam involves phony emails in which attackers spoof a message from an executive at a company and trick an employee into wiring funds to the fraudsters.
The FBI says BEC scams netted thieves more than $26 billion between 2016 and 2019 alone.
To put this into perspective, the average loss from a bank robbery is about $3,000, whereas the average loss from a successful BEC attack is nearly $130,000.
This kind of math explains why BEC is a crime which puts every type of organization at risk.
A Cautionary Tale
Evaldas Rimasauskas had an incredibly brazen plan to steal millions from Google and Facebook: just ask for it.
The plan wasn’t as simple as making a call and requesting the transfer, but it came pretty close. Instead, Rimasauskas sent multiple invoices to the California-based tech giants for non-existent inventory.
To make these invoices more convincing, Rimasauskas pretended to represent Quanta Computer, a Taiwanese manufacturer that had done business with both corporations in the past. He even went as far as forging a number of legal documents and contracts that appeared to have been signed and approved by executives from Facebook and Google.
In an effort to seem even more legitimate, Rimasauskas registered a company in Latvia with the same name as Quanta Computer, so that he could open corporate bank accounts to accept the wire deposits.
Going the extra mile worked, and the tech giants fulfilled Rimasauskas’ requests.
In total, the scheme netted him roughly $23 million from Google and about $98 million from Facebook. Only $50 million of that has since been recovered.
The Larger Scheme at Play
Formerly known as Man-in-the-Email scams, BEC attacks rely heavily on social engineering tactics to trick unsuspecting employees and executives. Oftentimes, they impersonate the CEO — or any other high-ranking employee — to authorize wire transfers. To increase the chance of success, attackers will carefully research and monitor their targets and incorporate some of this information into their fraudulent requests.
What Rimasauskas orchestrated is just one version of Business Email Compromise. In this case, he sent bogus invoices to companies that use foreign suppliers. The fact that Rimasauskas knew about these suppliers played a key role in his success. By pretending to be Quanta Computer, he was able to request payments to be wired to accounts he owned, without raising any immediate red flags.
Growing awareness of this type of crime has made the number of attacks skyrocket. And as BEC attacks continue to spread and evolve, everyone is at risk. It doesn’t matter whether you are a sole proprietor or own a small, medium, or large business — cybercriminals target anyone who can give them money.
How It Works
Identifying the target. A BEC scam starts with research. An attacker will sift through publicly available information about the target company via websites, press releases, and even social media. This information-gathering continues until the attacker finds something he can use as an “in”. From there, he looks up the company’s executives and corporate hierarchy, and also takes an interest in certain employees working in the human resources or finance departments.
Compromising an email account (if possible). The attacker’s mission is to obtain the password of the initial victim, often the CEO. Doing this effectively compromises the email account of the top decision-maker for the business. These attempts are made through a variety of methods, including social engineering, spear phishing, malware, keyloggers, or brute force. However, thanks to domain spoofing, going to such lengths is no longer necessary.
Spoofing a domain (the preferred method of attackers). Malicious actors can often send a fake email that appears to come from a legitimate email account, using spoofing services found online. Other times, an attacker will create a legitimate-looking email address by modifying a single character in the domain of a partner or trusted sender. For instance, he might use john.smith@samp1e.com instead of john.smith@sample.com, or john.smith@beleiveme.com instead of john.smith@believeme.com. These modifications can be extremely difficult to detect at first glance and can fool anyone who isn’t paying close attention.
Choosing an employee to make it all happen. After closely monitoring corporate communications for a period of time, the attacker will have a good idea of various scam scenarios that might work. For example, if he knows that the company has a lot of suppliers, he can send invoices to accounting for rush payment of deliverables. But it’s not enough to simply craft a convincing scenario; the attacker needs to find the right employee to get the job done. This individual needs to be authorized to initiate wire transfers and fulfill payment requests, without having to request permission from anyone else.
Executing the attack. Having done his due diligence, the attacker finally fires off the invoice to his target. This almost always comes in the form of a direct email to a direct report, instructing them to wire funds to an existing supplier at a new account number. More often than not, this email will contain words such as urgent, request, and important in order to create a mix of fear and subservience. Done right, the attacker will have minimized the chance of this employee taking a closer look at the forged email or bothering their boss before wiring the funds.
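As an added illustration (not code from the article), the checker below flags the indicators the four steps above describe: a look-alike sender domain such as samp1e.com, an executive's display name arriving from an untrusted domain, urgency wording, and a request to pay an existing supplier at a new account. The trusted domains, executive names and the sample message are constructed for the example.

```python
import re
# Constructed allow-list of partner domains and executive names (assumptions for this example).
TRUSTED_DOMAINS = {"sample.com", "believeme.com"}
EXECUTIVES = {"john smith", "jane doe"}
URGENCY_WORDS = {"urgent", "request", "important", "immediately", "rush"}
# Digits attackers swap in for look-alike letters, as in samp1e.com for sample.com.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "7": "t"})

def edit_distance(a, b):
    """Levenshtein distance: one or two edits cover swapped, dropped or transposed letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain):
    """Return the trusted domain that `domain` imitates; None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain.translate(HOMOGLYPHS) == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def bec_indicators(msg):
    """List the BEC red flags in a message dict with 'from', 'subject' and 'body' keys."""
    flags = []
    name, _, addr = msg["from"].rpartition("<")
    name, domain = name.strip().strip('"').lower(), addr.rstrip(">").split("@")[-1].lower()
    imitated = lookalike_domain(domain)
    if imitated:
        flags.append(f"lookalike domain {domain} (resembles {imitated})")
    if name in EXECUTIVES and domain not in TRUSTED_DOMAINS:
        flags.append(f"executive display name '{name}' from untrusted domain")
    words = set(re.findall(r"[a-z]+", (msg["subject"] + " " + msg["body"]).lower()))
    if URGENCY_WORDS & words:
        flags.append("urgency language: " + ", ".join(sorted(URGENCY_WORDS & words)))
    if re.search(r"\bnew (bank |account )?(account|details|number)\b", msg["body"].lower()):
        flags.append("request to pay an existing supplier at a new account")
    return flags

SAMPLE = {  # constructed message in the style the article describes, not a real email
    "from": '"John Smith" <john.smith@samp1e.com>',
    "subject": "URGENT: rush payment request",
    "body": "Please wire the open invoice today to our new account number. This is important.",
}
print(bec_indicators(SAMPLE))
```

A hit on any of these flags is a reason to verify the request out of band (by phone or in person), which is the control the article recommends; it is not proof of fraud on its own.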
Take Steps to Protect Yourself
BEC attacks end up being successful for three main reasons:
Insufficient security protocols. This problem has a simple solution: use multi-factor authentication. Implementing multi-factor authentication helps prevent unauthorized email access within the company, especially if the attacker tries to log in from a new location.
Social engineering. It’s far easier for a cybercriminal to try and trick an employee into giving him what he wants than to rely on traditional computer hacking. Therefore, employees should always be skeptical of urgent and rush money transfer requests, especially from C-level executives. Verify those requests with your boss, either by phone or in person, as email is not reliable in these circumstances.
Lack of employee awareness. Training employees to identify fraudulent emails can go a long way in saving your company from falling victim to a BEC scam. There are plenty of companies who offer this kind of employee education.
Final Notes and Updates
After Facebook and Google wired funds into what they thought were Quanta Computer-owned bank accounts, Evaldas Rimasauskas quickly began sending the money to various accounts throughout the world. He also forged additional invoices, contracts, and letters for these banks, so that they wouldn’t question the large volume of funds flowing into and out of these accounts.
U.S. authorities eventually caught up to Rimasauskas, who is now serving five years in prison for wire fraud.
Unfortunately, BEC crimes remain one of the biggest cybersecurity risks facing organizations today. Part of the reason for this has to do with the low-tech nature of these crimes. With the internet at their disposal, attackers don’t need advanced knowledge of coding — they just need to follow the money. This means that mitigating risk is less about implementing state-of-the-art security measures and more about increasing staff awareness. By training employees to be vigilant, implementing strict procedures for wire transfers, and enabling multi-factor authentication on email accounts, companies of any size can drastically reduce their exposure.
Useful Resources
To report a BEC crime:
https://www.ic3.gov/media/2018/180611.aspx
To forward W-2 phishing emails to the IRS:
phishing@irs.gov
To report data theft and protect employees:
Editor’s Note: Have you been affected by fraud? Most people have, in some form or another. If you have a story you would like to share, we’re sure our readers would benefit from hearing it. Please send an email to editor@theconartist.pub detailing your experience, and we will be in touch. Your privacy and any wishes of anonymity will be respected.