July 1, 2015 By Michelle Alvarez 3 min read

Care for Some BEC in Your Security Acronym Soup du Jour?

Earlier this year, the Internet Crime Complaint Center (IC3) and the FBI issued a public service announcement warning of a “sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.” Formerly known as the man-in-the-email (MitE) scam, the business email compromise (BEC) is a global wire transfer scam with a goal of compromising legitimate business email accounts to perform unauthorized wire transfers. (I prefer the acronym MitE. Many species of mite are parasitic, which means they benefit at the expense of their host. See the similarities? But I digress.)

$215 Million in Losses and Counting

The IC3 reported that, from Oct. 1, 2013 to Dec. 1, 2014, BEC scams claimed over 2,000 individual victims and generated losses of nearly $215 million. Recently, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and federal law enforcement agencies released a fraud alert reporting that they continue to observe an increase in BEC scams. This means that the number of victims and the amount of monetary losses have surely been climbing since the data was last reported.

Here’s what you need to know about this particular wire transfer scam:

  • It’s a global scam, with 45 countries and every U.S. state targeted.
  • Wired funds have reportedly been sent primarily to Asian banks located in China and Hong Kong.
  • Email accounts are generally compromised through social engineering or malware.
  • Compromise of the CEO’s or CFO’s email account is most common, although incidents where a vendor’s or supplier’s email has been compromised have also been reported.
  • Individuals responsible for handling wire transfers are then targeted using the compromised email account.
  • Spoofed emails may coincide with an executive’s business travel dates, making it more difficult to determine that the request is fraudulent.
  • Fraudulent email requests for a wire transfer appear legitimate because they are well-written, specific to the targeted business and often request a business-specific amount.

Common Themes: (Really) Sophisticated Social Engineering and Wire Transfers

According to Karl Marx, we are “gregarious creatures” and need social cooperation and association to meet our needs. Perhaps, though, we can learn to socially cooperate just a little less with attackers. Easier said than done, of course. With each social engineering tactic seemingly more sophisticated than the last, someone needs to come up with a word that surpasses the intensity of “sophisticated.” (If I see the phrase “sophisticated attack” one more time…)

Take the Dyre Wolf campaign as an example of sophistication at its finest. Spear phishing, two-stage malware execution and advanced social engineering resulted in wire transfers totaling upwards of $1.5 million. The icing on the cake of this cutting-edge attack? A distributed denial-of-service (DDoS) attack after the theft to distract investigation of the wire transfer — brilliant! All the more reason organizations need to ensure they have a defense-in-depth strategy in place.

Protect Against a Wire Transfer Scam

To handle BEC scams, the FS-ISAC fraud alert provides a great checklist of what to do when receiving or handling wire transfer requests by email. The list indicates that “effective payment risk mitigation processes” are key against the risk from BEC scams. Much of the checklist calls for additional verification that the wire transfer is authentic. This might include calling to verbally confirm the request (not via a number provided in the received email) or requiring dual approval if the request meets certain criteria, such as a dollar amount exceeding a specific threshold. The IC3 PSA also provides good recommendations around protection against fraudulent wire transfers, including being wary of sudden changes in business practices, like the use of a personal email address versus a business email.

Practical Counter-BEC Advice

BEC scams are crafted to be sophisticated. They are not a broad-stroke attack, but rather a very minutely planned crime. Some recommendations from our experts for avoiding this type of wire transfer scam include:

  • Ask your IT department to configure email to reveal the full address of the sender and recipients in the thread. In many cases, this will help you spot suspicious addresses or unusual use of personal accounts by one of your executives.
  • If your company never handles transfers based on email, immediately contact the sender (your CEO or CFO) and verify the details with them in person or over the phone.
  • If the executive in question is away traveling, and especially if the transfer is directed to an account you’ve never done business with before, do not execute the transfer until you get a clear response from the supposed issuer via phone.
  • Scammers will want you to keep this under wraps. It’s part of their tactics. Report the matter to the CEO and the CFO or the accounting department, all of whom will have to know about this either way.
  • If you suspect you have been scammed by BEC emails, report the matter to law enforcement immediately. You may reach out to the FBI or the Secret Service, or file a complaint with the IC3.
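As an added example that is not part of the original post, the following routine encodes the controls above as a screening step for an emailed wire request: it reveals the real address behind the display name, flags personal accounts, unseen beneficiary accounts and a traveling executive as reasons to hold for out-of-band confirmation, and requires dual approval above a threshold. The company domain, the threshold, the personal-domain list and the vetted beneficiary account are constructed assumptions.

```python
"""Screening routine for emailed wire-transfer requests (added example; the
company domain, threshold, personal-domain list and vetted account below are
constructed assumptions, not values from the article)."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                    # assumption: the firm's own mail domain
DUAL_APPROVAL_THRESHOLD = 10_000.00               # assumption: above this, two approvers sign off
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
KNOWN_BENEFICIARIES = {"DE89370400440532013000"}  # constructed sample account of a vetted supplier


def screen_wire_request(from_header, amount, beneficiary_account, executive_traveling=False):
    """Return (decision, reasons).

    'hold'          -> do not pay; confirm with the supposed requester by phone on a
                       number you already have, not one taken from the email
    'dual_approval' -> nothing suspicious, but the amount needs a second approver
    'route'         -> normal handling
    """
    # parseaddr separates the friendly display name from the actual mailbox,
    # which is what "reveal the full address of the sender" is meant to expose.
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    reasons = []
    if domain != COMPANY_DOMAIN:
        if domain in PERSONAL_DOMAINS:
            reasons.append(f"'{display_name}' is writing from a personal account: {address}")
        else:
            reasons.append(f"sender domain {domain!r} is not the company domain {COMPANY_DOMAIN!r}")
    if beneficiary_account not in KNOWN_BENEFICIARIES:
        reasons.append("beneficiary account has never been paid before")
    if executive_traveling:
        reasons.append("named executive is traveling; confirm by phone before acting")

    if reasons:
        return "hold", reasons
    if amount > DUAL_APPROVAL_THRESHOLD:
        return "dual_approval", [f"amount {amount:,.2f} exceeds {DUAL_APPROVAL_THRESHOLD:,.2f}"]
    return "route", []


if __name__ == "__main__":
    # Constructed sample: an executive's name over a personal mailbox, new beneficiary.
    print(screen_wire_request("Jane Doe <jane.doe@gmail.com>", 48_500.00, "GB00CONSTRUCTED000000", True))
```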
