Business Email Compromise (BEC): How To Avoid CEO Fraud
Introduction
Phishers, especially the type that specialize in high-level CEO fraud, are often large criminal organizations with expertise in exploiting open ports in firewalls, both technical and human. Systems must provide a port to handle everyday email traffic. Phishers, however, use it to infiltrate a system with three basic objectives:
- Interest and exploration
- Disruption and destruction
- Ransom and financial gain
The first is usually composed of young programmers looking for personal validation by doing something that is supposed to be difficult. Perpetrators of the second type are generally protesters looking to advance an agenda. The last type is composed of criminals simply looking to steal money, data or resources.
See Infosec IQ in action
Today we will talk about this latter type of attack, specifically the attacks focused on residents of the C-suite.
What Is CEO Fraud?
The idea a CEO would send a request for a funds transfer seems almost harmless when you consider the number of frightening alternatives that rely on convincing a member of the C-suite to reveal vital personal or corporate data. Business email compromise (BEC) often pivots on making one single penetration, obtaining credentials, and then being able to manipulate and maneuver events, documents or people into performing tasks with the full authority of a highly placed official. For this reason, it’s dangerous to have a corporate structure in which one person would be able to issue verbal orders (with no paper trail) that could result in security and financial instability for the company.
How does CEO Fraud Work?
CEO fraud, or, more broadly, C-suite fraud, involves extensive observation and investigation about what sorts of financial or security/data activity occur through company email and memos. Phishers will infiltrate an email system and study it, sometimes for weeks or months without taking action. S/he will look at the exact wording of messages sent from the CEO to the CFO, looking for high-value messages ordering half-million dollar transfers to satellite offices in foreign countries, or similar profitable targets; they’ll study tone, emphasis, time of day, common names, technical jargon and so on until they can craft a memo or email in the exact style of the (presumed) author. From there, phishers will inject their fake email into the everyday stream of communications at exactly the right moment:
John: Per contract Dubai-012134, wire final payment of US$450,000 to the Dubai National Bank, International Code 063, Transit #84141, Account 4541070-221234, by 4:30 PM (EST) today. Wait for an e-receipt and forward it to me before 5 PM. Thanks. Mike
At first glance, the message appears just like a dozen others sent this week. It appears so commonplace that no one even questions it. The CFO puts it in the queue like any other order without reading for content anomalies. Even the receipt sent to the CEO would look perfectly ordinary and not attract any attention, possibly for days.
But as soon as that money hits the temporary foreign account, it is siphoned off to an account controlled by the criminals. It is used to buy untraceable cryptocurrency, such as Bitcoin, and vanishes, unrecoverable, never to be seen again. Currently, $450,000 becomes Ƀ55, which is portable enough to be carried around on a thumb drive and capable of buying anything you can imagine.
The worst part, aside from the financial blow of losing the money, is the damage to a company’s reputation when customers learn about the culpability in the crime by leadership.
How do Criminals Select their Targets?
How do criminals get the vital information they need to exploit you? Through the media, they can learn about important projects via publicity announcements; publically available or easily requested whitepapers can contain extensive details and information; and through these corporate communications, they can learn important key names, facts, budgets and timetables. It is good business practice to keep the public apprised of what is going on so they can make sound investment decisions (aside from the legal requirements), which is why this data is made public.
Your website upsells your company and lists who was recently hired or promoted, new budgets for projects and who was recently assigned to lead a new venture. This could reveal a target — an employee who might be insecure enough about their brand-new job to make a mistake, someone desperate to please their new employers to take all requests, even those that seem suspicious, at face value.
Because CEO fraud can yield the most lucrative results (why target someone with a $5,000 credit limit on their Visa card when you can get the head of a company to transfer half a million dollars with a single email?), the tools used by people who specialize in this type of BEC tend to be the most complex and elaborate.
Earlier this year, a ring of over 15 scammers were arrested for an elaborate, multi-level fraud scheme in which the heads of the scam appointed deputy employees, each of them setting up fraudulent law firms or notary organizations. These organizations funneled money requested from the CEO for services into Romanian bank accounts, which were then transferred and laundered through banks in Hong Kong. Several members of this group were arrested, but the heads of the organization remain at large.
CEO Fraud Starts With System Access
Getting into companies’ systems is sometimes much too easy. Sending an attempted phishing email to a broad swath of employees can often mean instant access, particularly when no training has taken place. One click on a deceptive link, or opening one attachment, can compromise an entire network in just a few seconds.
Of course, most companies have a gatekeeper program that detects these sorts of intrusions and prevents their delivery. Employees can come to think of themselves as protected so that anything they receive via email is automatically "safe." However, an experienced phisher or hacker will often use many different strategies, repeatedly and in varying order; consequently, the sheer overload of approaches eventually wears down human resistance such that one might manage to slip through.
How can I Prevent CEO Fraud?
Despite your best efforts, phishers might still get in via convincing email requests. Because of this, every transaction, whether financial or informational, needs to possess checks. You can automate some of them so obvious errors are immediately identified, but at the end of the day, you need a human on the job that has to confirm a number, speak to a second person and check authorizations before any significant transactions can be completed. You don’t want to insult the vanity of the members of your C-suite, but you also can’t let the privileges of the corporate hierarchy put your company at risk. The most successful element of a BEC fraud scam is one that involves a sense of urgency on the task being requested, implying that something vital hangs in the balance. And it’s these rushed, spur-of-the-moment decisions that often cause the most damage.
It cannot be a matter of a mouse click when dealing with large sums. Everyone in the decision chain needs to have to look up a real number, associated with a real account, enter that number manually and then verbally confirm that transaction with another person — no exceptions.
How Security Awareness Training Can Help
Your employees (and bosses) need tools and education in order to be ready to combat these sorts of intrusion attempts. The appropriate response cannot be what you do second, because that may already be too late.
Arriving in the guise of memos or emails apparently sent by a highly placed executive from the internal mail server, especially someone who doesn’t contact you regularly, can cause employees to panic. Externally, a demand from a known supplier for payment threatening legal action if funds aren’t delivered before day’s end causes people to make hasty and costly decisions. Your people need to believe you trust them enough to not react in a knee-jerk fashion when things don’t seem right.
In June 2016, the FBI reported BEC attacks had created losses of $3.1 billion dollars; 2017 losses exceeded $5.3 billion dollars. Statistically, you have probably already been a victim at least once, and unless you take action, you’re likely to be a victim again.
Final Thoughts
There are so many tools available nowadays to help protect us, it’s easy to fall into the casually dismissive attitude of "what could go wrong?" We have to make a concerted effort to protect ourselves. The way to do that is through education so we know how to make good decisions to protect ourselves and our company.
See Infosec IQ in action