Business Email Compromise (BEC) is a serious matter. This email-borne hacking technique presents a radically more sophisticated version of the age-old “Nigerian Prince” scam. BEC targets businesses that regularly perform wire transfer payments to foreign entities. According to the FBI, the attacker uses a phishing approach, “Compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
BEC is on the rise. Attacks have increased 1,300% since January 2015, with complaints coming to law enforcement in 79 countries and all 50 US states. According to CNBC, law enforcement agencies have dealt with over 17,000 victims who have collectively lost more than $2.3 billion to BEC attacks. The majority of victims are in the US. Most of the fund transfers are laundered through China.
Mattel’s $3 Million BEC Loss
BEC victims include well-known names such as Seagate and Snapchat. Another household name that suffered a successful BEC attack is Mattel, the maker of Barbie and Hot Wheels. SC Magazine reported that Mattel lost $3 million in 2015 in what they refer to as a “CEO fraud phishing scam,” another term for Business Email Compromise. As is typical of a BEC attack, a Mattel finance executive wired $3 million to a bank in Wenzhou, China, thinking he was paying a foreign supplier. One can imagine how many fund transfers Mattel makes to banks in China. So, even with accounting controls in place, one can see how it would be possible to persuade a financial staffer at a large company to wire funds abroad. Luckily, Mattel was able to get its money back with the help of law enforcement.
In attacks like the one at Mattel, the attacker impersonates a senior executive. Here’s how it might happen: Let’s say you work at Acme and your CEO is named John Doe. You get an urgent email from JohnD@acme.co demanding that you drop everything and pay for an urgent order from China. He tells you to check with accounting (providing a link to email@example.com in his message) and explains that they will provide the wire information. Spurred into action, you fire off an email to accounting without noticing that you’re writing to firstname.lastname@example.org, not email@example.com (the correct domain suffix). “Accounting” gets right back to you, telling you to wire the money to Wenzhou Industries, a supplier you are familiar with, at www.vvenzhouindustries.com. Again, you’re too busy to notice that the URL has replaced the “W” in Wenzhou with two Vs. After all, you want to please your CEO.
How does the attacker know about your suppliers? How does he or she know your CEO’s name and email address? They use social engineering and research – especially of social media – to craft credible emails that could be from coworkers and suppliers.
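The look-alike addresses in the scenario above (a wrong domain suffix, and “vv” standing in for “w”) are exactly what a mail gateway or finance-team tool can screen for. The following Python check is an added example, not code from the original article: TRUSTED_DOMAINS is a constructed trust list, and CONFUSABLES and the function names are assumptions made for the illustration.

```python
from typing import Optional, Tuple

# Constructed trust list for this example (assumption: the defender maintains one).
TRUSTED_DOMAINS = {"acme.com", "wenzhouindustries.com"}

# Letter sequences that are easy to mistake for one another in most fonts.
CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l"}

def normalize(label: str) -> str:
    """Collapse confusable sequences so 'vvenzhou' compares equal to 'wenzhou'."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str) -> Optional[Tuple[str, str]]:
    """Return (trusted domain, reason) if `domain` imitates a trusted one, else None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the trusted domain itself, or one of its subdomains
    label, _, suffix = domain.rpartition(".")  # simplified split at the last dot
    for trusted in sorted(TRUSTED_DOMAINS):
        t_label, _, t_suffix = trusted.rpartition(".")
        if label == t_label and suffix != t_suffix:
            return trusted, "tld-variant"  # acme.co posing as acme.com
        if normalize(label) == normalize(t_label):
            return trusted, "confusable-characters"  # vvenzhou posing as wenzhou
        # Allow one typo per ~6 characters of the trusted label before calling it a near miss.
        if edit_distance(label, t_label) <= max(1, len(t_label) // 6):
            return trusted, "near-miss"
    return None

def check_sender(address: str) -> Optional[Tuple[str, str]]:
    """Check only the domain part of an email address against the trust list."""
    _, _, domain = address.rpartition("@")
    return lookalike_of(domain)
```

A flagged result is a reason to route the message for a second look rather than to block it outright, since legitimate partners do occasionally register sibling domains.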
Business Email Compromise: the Pain of Disclosure
When Ubiquiti Networks (NASDAQ: UBNT) lost almost $46.7 million to cyber thieves, the publicly traded company was compelled to disclose the matter in its 8K report to the SEC. Their filing stated, “On June 5, 2015, the Company determined that it had been the victim of a criminal fraud. The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.” Though Ubiquiti has been able to recover $8 million, this incident and the disclosure were embarrassing, especially for a company in the network field.
Insurance Coverage for Business Email Compromise
In a nasty surprise for companies that fall prey to BEC, it turns out that insurance policies may not cover losses. Ameriforge Group, a Houston-based manufacturer, has had to take Chubb Group to court because the insurer denied a BEC-related loss claim. Ameriforge was scammed out of $480,000 by a phishing attack that involved impersonation of the company’s C