Phishing

Top types of Business Email Compromise [BEC]

Kurt Ellzey
December 4, 2019 by
Kurt Ellzey

"Hallo! I am Prince Thereisnodana Thereisonlyzuul from Nigeria. I am in need of business partner in the States of United for which I am willing to pay $40 Million Dollar US." 

When the average person hears about an email scam or a phishing scam, they more often than not think of something like the above — broken English, bad email addresses, obviously fake links, the works. But while these emails are some of the worst forms of spam in the world, they also are highly profitable for the people doing them. How is that possible? 

Strengthen security awareness with human risk management

Strengthen security awareness with human risk management

Infosec HRM, powered by Right-Hand Cybersecurity, provides alert-based training nudges to minimize human risk at your organization. 

At first glance, you would think that if they hired a native English speaker and dialed down some of the obvious eccentricities, it would be a far more effective scam. There are theories out there, however, that this is done deliberately as a filter to target a very specific kind of person. And like it or not, they seem to be right.

This brings us to a more dangerous point: targeted phishing emails and Business Email Compromise scams. Like we mentioned before, it would seem that dialing up the scam can actually be more effective, and sadly, BEC scams prove just how dangerous this can be.

The big three

According to the FBI, there are three main variants of BEC scams: 

The bogus invoice scheme

This scenario usually involves faking a message from an organization that the target knows well. The target receives a request to send payment to a specific account, which appears to be from this organization. The message seems as close to genuine as possible, and without detailed examination, it may just fly under the radar and be processed as normal. 

CEO fraud

This scenario revolves around hijacking the email address of an executive in the organization and sending false emails from this account to other employees in the organization that typically handle financial requests. They'll send emails requesting various purchases, wire transfers and other financial transactions, all while looking like legitimate emails. 

Account compromise

This combines aspects of both the bogus invoice scheme and CEO fraud. Instead of sending emails internally from a compromised account, the messages are sent out to other organizations or contacts the user would have access to. These often include invoices and payment requests for the other organizations.

Practical examples

We see what these BEC types can do, but it may be difficult to wrap our heads around it without some practical examples. Let’s take a look:

Tax threats

These revolve around calls claiming to be from the tax gatherers or a related organization, and they typically use high-pressure tactics: “You owe us money now now now or else you're going to jail no don't hang up or you're going to jail don't make me get my manager on the phone now now now now!" 

Fortunately, this is one of the easier ones to verify, especially if you handle your tax information on a regular basis. That being said, this particular scam can be quite effective because of one simple fact: “Don't mess with the IRS." People don’t want to attract the ire of the tax collectors and will often pay up out of fear.

Travel problems

Travel-based scams tend to revolve around an email or text message impersonating someone. This message says that they've been robbed while traveling abroad and need you to send them money quickly. Again, this can be checked quickly, especially if the person the message claims to be from is having lunch right down the hall.

Fake charities

Fake charities pop up around the holidays simply because there are so many people that want to help others, especially around this particular time of year. All it usually takes is a phone call from someone saying "Hello, this is John McClane from the local branch of DH. We're looking for any donations that your organization may be willing to assist with. How much can I put you down for?" That's all there is to it. Initial searches may show basic identities and confirm preliminary information, but this is where a few particular tools can be highly useful for verification. 

The Wayback Machine archives as much of the web as they can manage — which at this point is quite a lot. The higher-profile the site is, the more likely it is that they have versions of the page going back years, or even decades. For example, if you take a look at the archive for redcross.org, there are snapshots of this particular site going back all the way to 1996. If the charity hasn't been around long enough to get more than a handful of snapshots, they'll definitely need to go through considerably more vetting before you send them anything.

Things to watch out for

Fortunately, at the present time there are still ways to catch potential BEC scams before they have a chance to hurt an individual or an organization. They all usually revolve around common themes:

Who is sending this?

Especially for large organizations, it may be very unusual for an invoice or request for payment to be coming directly from an executive. 

Why a wire transfer?

In an era where nearly everyone and their dog has a PayPal or similar type of account, it can be a bit of a surprise that organizations charging upwards of $25 per transfer are still around. Wire transfers seem to be one of the preferred methods of getting cash from a target, so if this request happens, it may raise some red flags to check further.

Gift cards

Another one that seems to be taking off quickly is redeemed gift cards, such as those from Apple. The scammer requests  that X number of dollars in gift cards be purchased and a picture of the scratched-off barcodes on the back sent to them. These cards are as good as cash and considerably faster to transfer, so verifying who you're actually sending this information to is a very good thing.

Dating sites

I honestly didn't think about this until I started doing research for this article, but preying on singles, both male and female, through the use of dating websites is extremely lucrative for BEC scams. They'll get talking, spend a few days going back and forth then ask for something like a wire transfer or gift cards listed above. The person will of course want to help, so they may end up doing it several times. 

As always, be wary of who you're talking to online if you are not absolutely certain who that person is on the other end.

Urgency

This is one element that always seems to come up: they need it now. It doesn't matter what it is, they need it now, before you can think about it or call somebody else. 

If this is happening, just stop. Take a breath and back away from the situation for a minute. Think about what's happening and run the conversations and events through your head to see if anything doesn't quite add up. Perform any verifications you need; if you don't, it could be very hazardous to you, your financial wellbeing and that of your organization.

Staying safe from BEC

Sadly, BEC scams and various types of situations like them are not going away anytime soon. The best way to defend yourself and your organization is to have security methods in place that can at least delay someone’s ability to easily target persons of interest within your organization. 

Whether you decide to go with digital signatures, code phrases, encrypted communications or an in-house system, the first thing to do is always make sure that your users are aware of the situation that they may find themselves in. Users need to understand why this situation is so important and what they can do about it.

For more tips, Read our article, How to prevent business email compromise.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Kurt Ellzey
Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.