That rainy afternoon Phil was stressed, as he was at the end of every month, making sure the payroll processing was completed by the end of the day. Focused on his burden, he wasn’t paying attention to email until Roger’s message came in. Receiving instructions directly from the former CEO wasn’t uncommon, but this was one of the first messages he had received from Roger since his recent announcement as the new CEO. It was brief, clear and concise.
“Hi Phil, Hope this finds you well. I need to update my direct deposit information before the next payroll is done. Please let me know what details you need. Thanks, Roger.”
Phil replied asking for specifics about the account. Roger responded within minutes, and Phil executed the change in the payroll system: quick and easy, and it scored some points with the boss. The next morning, with the payroll cycle completed, tasks were back to normal. A couple of days later, however, he received a phone call from Roger asking him to look into why he hadn’t received his monthly pay.
Meanwhile, a hacker was transferring money and buying plane tickets to Europe.
Business Email Compromise
Business Email Compromise (BEC) is a serious threat. Organizations from small companies to technology giants have fallen victim to this kind of attack. The Internet Crime Complaint Center (IC3) reported a 65 percent increase in global losses to BEC scams between July 2019 and December 2021, and for the period between June 2016 and December 2021 the potential losses add up to $43 billion.
These email impersonation attacks have many variants, but in general they involve very complex social engineering, targeting people instead of technology. Attackers use a spoofed email account, or a compromised one, to impersonate someone the target will trust. Payment requests, fraudulent invoicing, wire transfers, payroll redirection, retrieval of sensitive information, gift card requests and even extortion are carried out by attackers through this scheme.
Even though Phil’s organization has cybersecurity systems in place, they didn’t prevent this incident. That’s because BEC is difficult to detect: these messages usually contain neither malware nor malicious links or attachments, just plain text. These spear-phishing attacks are personalized and targeted at specific people within the organization, usually in financial roles. Attackers perform advance research on the target organization, and their messages often come from legitimate sources, such as domains or IPs with good reputation, so they won’t be blacklisted the way mass phishing campaigns are. Using domain-spoofing techniques, the messages seem to come from a real person, and when email access has been compromised they are sometimes even sent from the real domain.
Phil just didn’t notice. Basic ingredients of a BEC recipe include urgency, importance and sensitivity. The messages are sent in the name of an authoritative person, with a thorough impersonation that can include mimicking the writing style of the supposed sender. They can also contain a reason for the request, specific instructions, and even directions not to contact the sender through other channels, so the scam cannot be discovered. In this case, even the date of the scam was chosen to coincide with Phil’s demanding end-of-month tasks, so his guard was down.
Defending against these kinds of attacks requires people-centric cybersecurity, involving, among other tactics, awareness campaigns and phishing security drills for employees. Configuring email tools to display warning messages when a message comes from an external source is important too, so employees are more inquisitive when receiving external communications. There are also advanced security tools that can help prevent these threats by analyzing both the content and the context of email messages. Web crawlers can identify phishing infrastructure so that illegitimate email can be blocked, while machine learning algorithms can detect unusual requests or atypical email traffic patterns. Natural language analytics help determine the context of messages so organizations can act on identified threats.
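As an added example (not code from the original article), here is a minimal content-and-context check of the kind an email gateway could run on a message like the one Phil received, producing the external-sender warning banner described above. The organization domain, executive names, keyword lists and the sample message are all constructed for illustration.

```python
# Added example, not code from the article: content-and-context checks a mail
# gateway could run on a message like the one Phil received. The org domain,
# executive names and sample message are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                      # assumed internal domain
EXEC_NAMES = {"roger"}                               # assumed executive first names
PAYMENT_TERMS = ("direct deposit", "payroll", "wire transfer", "gift card")
URGENCY_TERMS = ("before the next payroll", "urgent", "asap", "today")

def analyse(raw: str) -> dict:
    """Return boolean signals plus a score; each maps to a BEC trait in the text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", addr))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    first_name = name.split()[0].lower() if name else ""
    signals = {
        "external": domain != ORG_DOMAIN,                 # context: outside sender
        "exec_name_external": first_name in EXEC_NAMES and domain != ORG_DOMAIN,
        "reply_to_mismatch": reply_to.lower() != addr.lower(),  # replies diverted
        "payment_request": any(t in body for t in PAYMENT_TERMS),  # content
        "urgent": any(t in body for t in URGENCY_TERMS),           # content
    }
    signals["score"] = sum(signals.values())
    return signals

def banner(signals: dict) -> str:
    """Warning text to prepend to the message; empty for ordinary internal mail."""
    if not signals["external"]:
        return ""
    notes = ["This message came from outside the organization."]
    if signals["exec_name_external"]:
        notes.append("Sender name matches an executive but the address does not.")
    if signals["reply_to_mismatch"]:
        notes.append("Replies would go to a different address than the sender.")
    if signals["payment_request"] and signals["urgent"]:
        notes.append("Urgent payment/payroll change: confirm by phone before acting.")
    return "[EXTERNAL] " + " ".join(notes)

# Constructed sample modelled on the message in the story (not a real email).
SAMPLE = """\
From: Roger <roger.ceo@example-corp-mail.net>
Reply-To: roger.ceo@freemail-example.org

Hi Phil, Hope this finds you well. I need to update my direct deposit
information before the next payroll is done. Thanks, Roger
"""
```

Calling `banner(analyse(SAMPLE))` yields a banner listing all four warnings, while an internal message about payroll from a company address gets no banner at all.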
Being aware of BEC attacks and having a strategy to defend against them will help you recognize when “Roger” is not actually Roger, and keep hackers from taking a European getaway.