General security

How to Recover from A Business Email Compromise (BEC) Attack

Hannah George
May 10, 2018 by
Hannah George

Business email compromise (BEC) is one of the most devastating, and costly, cyber attacks of all time — it's estimated organizations lose over $130,000 per BEC incident.

According to the FBI, BEC attacks start with a phishing email by either compromising the business email account via social engineering or by using some computer intrusion technique to transfer funds. It is easy for the cyber attacker to extract the job title, email address and other pertinent contact information by conducting a thorough LinkedIn search.

It is important to note there are also "scraping" tools that are available to dig deeper into these profiles to get this contact information as well.

In 2016, many successful businesses and corporations were victimized by such attacks. Examples of this include Snapchat, Seagate and Sprouts Farmer's Market. Also, Pivotal Software (located in San Francisco) was impacted as well.

The security breach was initiated through a fake email from the CEO that requested confidential employee information. The W-2 information shared included employee names, addresses, taxpayer identification numbers, 2015 income details and social security numbers.

How to Report & Recover Money Lost in A BEC Attack

Unlike other types of cyber threats, the BEC attack does not always involve the use of malware. Because of this, there is hardly any sort of forensic evidence left behind, thus making it all that much harder to track down the cyber attacker.

The financial impact, however, can be very devastating and last for a long time to come. After it's discovered the money transfer was unauthorized, every attempt should be made to recover the funds. This can be done by immediately contacting the FBI. They have a task force that specializes in these kinds of cybercrimes. Although chances of recovering the funds is always slim and could take a long time, this is still one of the best avenues to take.

Why Are BEC Attacks Hard to Reverse?

Since cyber attackers always ask for money via wire transfer, it can be quite difficult to reverse the transaction. Once your bank begins the process of sending money to the cyber attacker, a payment order is created which is sent through one or more interbank networks. The payment is completed once the bank of the cyber attacker accepts the payment order.

In most instances, the wire transfer begins almost immediately when the transaction occurs between the same banks. But, If the wire transfer is being sent between two different banks, then it can take 1 to 2 days for the transaction to be completed. International wire transfers can take a few days longer, perhaps even up to a week.

Once the payment order is accepted, it cannot be reversed. The only way a wire transfer can be reversed is if the originating bank sends a cancellation notice to the recipient bank before the payment order is accepted by the recipient bank.

It is important to note there are a few circumstances that will allow for the reversal of the wire transfer. This is possible only if the bank made a mistake, when the payment order was duplicated or if the amount transferred is greater than what the beneficiary was entitled to actually receive. In other words, the window for recovering the funds is very short.

All entities need a cybersecurity policy for the mitigation of BEC attacks because being proactive is still the most effective way to help recover lost funds. Once the policy has been implemented, its effectiveness should be carefully monitored.

If your business ever falls prey to a BEC attack, it must be documented. According to the FBI, if the attack is recent, then you must contact the local branch office of the agency. In this regard, the FBI works closely with the U.S. Department of Treasury Financial Crime Enforcement Network to locate the whereabouts of your funds.

What Information Needs to Be Documented?

The following items need to be noted:

  • The name and location of the organization, the bank name and the bank account number.
  • The name of the recipient, their bank name and account number, as well as the location and name of the intermediary bank name, if this information is available.
  • The SWIFT number of the bank, the amount of the particular transaction and any other relevant information like the FFC.
  • Along with reporting the incident to the FBI, the victim organization is also required to notify its insurers, shareholders and conduct damage control to the greatest extent that is possible.

It is always important to conduct a forensics investigation in order to determine how the BEC attack actually occurred. This will help you determine what cybersecurity tools you can use in the future to help prevent this from occurring again.

How to Report the Attack

If you ever need to report a BEC attack, here are some other law enforcement agencies that you can reach out to as well:

Hannah George
Hannah George

I am Hannah George. I am positivity engager, tech blogger & coffee addict. I have a degree in Journalism and Modern Greek Studies from San Francisco State University. Writing is my passion and I write about tech news, trends, new apps and other tangentially related topics with a particular interest in wearables and exercise tech. When I am not writing, I go out biking on long trails. I live in San Francisco with my pet cat Sushi.