Taking on BEC Scammers: It's Not Mission Impossible

Business Email Compromise (BEC) scams continue to claim enterprise victims, posing new headaches for security practitioners.

Indeed, Symantec found that 7,710 organizations were hit by BEC attacks in 2017, accounting for an average of 4.9 times per victim. It’s costing victims dearly; the FBI, which took down 74 BEC fraudsters in June, found that BEC scams resulted in adjusted losses of over $675 million last year. The agency’s Internet Crime Complaint Center (IC3) reports that over $3.7 billion has been reported as stolen funds from BEC schemes to date.

A BEC scam can be a targeted spear phishing scheme used to gain legitimate email account information, or a simple spoof of an email from a person’s boss or trusted vendor.

Scammers typically dupe victims by using common subject lines such "payment" followed by "urgent", "request", "attention", and "important."  Unfortunately, BEC scams are often polished enough so that they largely go unnoticed.

A scammer sends email that looks like it came from a legitimate organization with the intent of redirecting a wire transfer into the scammer’s bank accounts. Scammers often try to disguise their communications as coming from banks, real estate firms, rental agencies, and other organizations that handle large money transactions. They then send fraudulent emails to individuals and organizations responsible for making large purchases with wire transfer information to transfer money to the scammers account.

Laundering their ill-gotten gains is another important step in the BEC scammer’s process. They find people through romance schemes or work from home propositions, for example, and trick them into accepting the large stolen funds by check or wire transfer.

Then these unsuspecting money mules send most of the funds back to the scammers – while keeping a small bit as payment for their trouble. As innocent as these people may be, they can be found to be complicit and subject to criminal prosecution, the same as the scammers who tricked them. The upshot: Financial fines and a sentence to serve time in prison.

What You Can Do

If you believe you are a victim of a BEC scheme, request a wire recall from the originating bank. Then file a complaint with the IC3: https://bec.ic3.gov/. Be sure and save all the emails and documents you received and sent that are related to the scam.

The IC3 offers the following steps to help mitigate attacks.

• Frequently monitor your Email Exchange server for changes in configuration and custom rules for specific accounts
• Consider adding an email banner stating when an email comes from outside your organization so they are easily noticed
• Conduct End User education and training on the BEC threat and how to identify a spear phishing email
• Ensure company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information
• Contact requestors by phone before complying with e-mail requests for payments or personnel records
• Consider requiring two parties sign off on payment transfers

“Symantec has been tracking this scam for some time, said Kevin Haley, Symantec’s Director of Services Product Management.

Indeed, Symantec was part of a joint effort between private industry and a law enforcement working group to help apprehend business email compromise (BEC) attackers.

“Our anti-spam technology can actually find and block these types of attacks,” Haley said. “And I’m pleased to say that some of the security intelligence we have collected has assisted law enforcement in the arrest of individuals behind these scams.”

Still, Haley noted, no one is immune. And it does take an extra level of awareness and vigilance to protect your organization from BEC schemes. BEC schemers are increasingly aggressive and – as many organizations have learned to their dismay – increasingly successful.

If you found this information helpful, you may also enjoy:

• 2018 Symantec Threat Intelligence Report
• FBI: International Business E-Mail Compromise Takedown