In 2019, a senior account specialist working for the city government in Ocala, Florida, received an email purportedly from a construction company doing work on the city’s new airport terminal. The sender asked Ocala’s finance department to update the company’s banking information; soon after, the city received a follow-up email with an invoice for $742,000. The city made the payment to the new bank account the next day.
But a few days later, the construction company sent an email saying it hadn’t received payment for work done. Upon closer examination, the email requesting Ocala update the company’s payment information had come from a domain name with “constructions.com” plural instead of the singular “construction.com.”
The real construction company had not requested the change in banking details. The city of Ocala had become the victim of a business email compromise (BEC) scam.
Prevalent even before the pandemic, these types of phishing attacks have increased over the past two years of remote working. Also called whaling, BECs are low-tech but highly efficient, costing organizations billions of dollars each year.
Chris Connell, managing director of Kaspersky Asia Pacific, notes that the reason why BEC scams are so dangerous is that scammers use social engineering rather than viruses or sophisticated hacking tools that are more easily detected.
“A scammer poses as a legitimate business contact, tricking the recipient into providing sensitive information or updating financial information to divert a payment,” Connell says. “An initial contact might be unobtrusive, but [it] paves the way for bad actors to launch an attack against a higher-ranking employee of the company.”
How it works
Often the scammers send emails to HR and payroll departments posing as employees or suppliers requesting changes to their direct deposit data. Other times, the scammer poses as HR or a payroll provider and sends an employee a fake payment portal page. The employee enters his or her login information, which the scammer uses to access the real payment site and change the employee’s banking data.
In April 2020, the FBI warned that fraudsters would try to take advantage of the “uncertainty surrounding the Covid-19 pandemic” with business scams. Their prediction came true: The number of internet fraud complaints filed with the FBI jumped to 791,790 in 2020, an increase of 69% from the previous year, with total losses exceeding $4.1 billion. Losses from BEC and email account compromise (EAC) incidents specifically increased from $1.3 billion in 2019 to $1.8 billion in 2020. This implies that BEC tactics have become more refined, and hackers are targeting larger organizations.
David Ng, Singapore manager of cybersecurity company Trend Micro, notes that despite being a relatively low-tech method of hacking, BEC can be trickier to detect. “Since BEC attacks do not normally use malicious attachments or URLs, they can evade traditional security solutions that only look into suspicious content and behavior,” he says.
Even the world’s biggest technology companies have fallen victim to BEC attacks. From 2013 to 2015, a scammer in Lithuania posed as a Taiwan-based hardware company that supplies equipment to Google and Facebook. By sending false invoices and contracts, the scammer managed to fraudulently bill the companies more than $120 million before being caught and prosecuted in 2017.
Smaller companies and organizations also routinely fall victim to BEC scams, with many of the cases never reported, according to the FBI. That could be because the process of recovering the stolen money may appear daunting to many smaller companies, or because the cost of doing so seems to outweigh the loss.
For example, in one case a scammer in Singapore convinced an employee of an organization to buy iTunes cards, according to Ng at Trend Micro. After a round of emails on the subject, in which the “manager” conveyed a sense of urgency, the employee went out and bought 20 iTunes cards worth 2,000 Singaporean dollars, then took photos of the scratch-off code on each card and sent them via email. Only later did it become clear the real manager didn’t know anything about the request.
For scammers, these smaller amounts can add up to millions of dollars, says Mike Opacity, senior director of Threat Monitoring at ADP. The company’s fraud unit helps protect both ADP and its clients from internet scammers, who have only gotten more skilled. “The people we see engaged in this kind of activity, that’s their profession,” Opacity says.
The rise of remote working during the pandemic has revealed many new challenges for business security. People working from home might be using personal devices that are shared with other family members, which creates network vulnerability. And despite their best efforts to be vigilant, most people’s behavior isn’t exactly the same at home as when they’re in the office.
“In the office, it was easy to ask somebody if they sent something. Now it’s more asynchronous,” ADP’s Opacity says. “Because of the way we’re working during the pandemic, there’s a slightly higher chance of success.”
Many scammers succeed by faking urgency, Opacity explains. They might forge an email from the CFO to HR asking for employees’ tax forms, and in a rush to appease the executive, an unwitting employee sends the report.
“The whole concept of social engineering is to get someone with access to buy into your story and instill a sense of panic, so they don’t think twice about doing what you ask them to do,” Opacity says.
As people have gotten busier and relied more on electronic communications — especially during the pandemic — they’ve become less likely to pick up the phone and verify, he adds. In an office, you might pop over to the person’s desk or dial their extension to confirm a request. That’s more difficult when working remotely.
In addition to instilling urgency, scammers often do a lot of research in the pre-attack phase to understand the target company and its leadership, says Ryan Flores, senior manager of APAC forward-looking threat research at Trend Micro.
“In most cases, the information on the CEO and top executives is on the company websites, including email and phone number,” Flores says. “This makes it easier for attackers to impersonate them and directly target people who report to these executives.”
BEC scammers also scan LinkedIn for CEO profiles of particularly profitable industries such as oil and gas or manufacturing to find potential targets.
“More sophisticated BEC attackers sometimes send keyloggers into a company and learn about how it conducts business and what are the ongoing transactions so that they can insert themselves into these conversations,” Flores says. “The availability of the information and investing in the preparatory phase before the actual BEC payment email — this is what makes them successful.”
Crucial lines of defense
Companies can take precautions to protect against BECs, with employees representing a crucial line of defense. Since BEC is primarily based on social engineering, a well-established system of protocols that apply to all employees, from the CEO to the newest recruit, can help to mitigate risks.
For example, instead of hitting “reply” on emails related to financial information, workers should start a new email using the address from the company’s own directory, or follow up with a phone call, according to Opacity.
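The Ocala case turned on a one-letter domain difference, and the advice above turns on not trusting the reply path of an incoming message. The following is an added example, not code from the article or from any of the companies quoted in it, of how a finance team’s mail gateway or ticketing tool could flag both signals before a payment-detail change is acted on. The vendor allowlist, the email messages and the keyword lists are constructed for illustration; a real deployment would load the allowlist from the vendor master file and treat a hit as a trigger for out-of-band verification, not as proof of fraud.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist of supplier domains the finance team has already verified
# out of band (hypothetical; a real deployment loads this from the vendor master).
KNOWN_VENDOR_DOMAINS = {"construction.com", "terminalsteel.example"}

# Phrases that indicate a request to change where money is sent.
PAYMENT_CHANGE_TERMS = ("bank account", "banking information", "direct deposit",
                        "wire transfer", "routing number")
# Pressure language that BEC messages pair with such requests.
URGENCY_TERMS = ("urgent", "immediately", "as soon as possible")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a lookalike such as an added 's' scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return a list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")

    # 1. Sender domain is not on the allowlist but is within two edits of one.
    if from_domain and from_domain not in KNOWN_VENDOR_DOMAINS:
        for known in sorted(KNOWN_VENDOR_DOMAINS):
            if levenshtein(from_domain, known) <= 2:
                findings.append(f"lookalike sender domain: {from_domain} resembles {known}")

    # 2. Replies would go somewhere other than the visible sender.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"reply-to domain {domain_of(reply_to)} differs from sender domain {from_domain}")

    # 3. The body asks to change payment details, and 4. it applies pressure.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content().lower() if part is not None else ""
    asks_for_change = any(term in body for term in PAYMENT_CHANGE_TERMS)
    if asks_for_change and from_domain not in KNOWN_VENDOR_DOMAINS:
        findings.append("payment-detail change requested by an unverified domain")
    if asks_for_change and any(term in body for term in URGENCY_TERMS):
        findings.append("urgency language combined with a payment-detail request")
    return findings


# Constructed sample messages (not real correspondence).
SCAM_EMAIL = """From: accounts@constructions.com
Reply-To: payments@mailbox-example.net
To: finance@city.example
Subject: Updated banking details - invoice due

Please update our bank account information before processing the invoice. This is urgent.
"""

LEGIT_EMAIL = """From: projects@construction.com
To: finance@city.example
Subject: Terminal progress report

Attached is the progress report for the terminal project.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, check_message(raw) or ["no indicators"])
```

The edit-distance threshold of two is deliberately loose: it catches the plural trick in the Ocala case and common character swaps, while the allowlist guard keeps genuine vendor mail from tripping it. A Reply-To that points away from the sender’s domain is the header-level version of the “don’t hit reply” rule, which is why it is flagged even when the body looks harmless.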
Employees should also be careful about what they post on social media, says Timothy Ogden, vice president of Global Fraud Prevention and Financial Crimes at ADP.
“Sharing things on social media can tell some crook that you’re on vacation; the same is true of bank account or payroll account compromising,” Ogden says.
If your organization is hit by a scam, acting quickly can help mitigate the damage. For cases of fraud involving bank accounts within the U.S., the FBI can sometimes intercept payments before they’re lost. In 2020, officials with the Recovery Asset Team were able to freeze $380 million in payments to scammers.
ADP’s security team helps clients who fall victim to BEC scams. That’s in part because the scams are so common but so complex that they can overwhelm law enforcement.
“The criminals are often out of jurisdiction. The FBI has so many incidents, they’re probably working only on the biggest ones,” Ogden says. “We tell the client, if you contact the police, please also send them our info.”
Ultimately, after the city of Ocala fell victim to a BEC scam, government officials undertook an extensive review of their internal policies to ensure that they would not repeat the experience. The senior account specialist resigned.
But innovative BEC scammers are constantly coming up with new ways to access sensitive information. In addition to strict security processes, the most crucial tools to protect against scammers are knowledge and vigilance.