Billion-Dollar Scams: The Numbers Behind Business Email Compromise

Over the past three years, Business Email Compromise (BEC) schemes have caused at least $5.3 billion in total losses to approximately 24,000 enterprises around the world, according to the latest figures from the FBI. Since January 2015, there has been a 2,370% increase in identified exposed losses, amounting to an average loss of $218,000 per victim. The potential damage and effectiveness of these campaigns compelled the FBI to issue a public service announcement detailing how BEC scams work and how much damage it can cause to targeted employees and companies.

How do BEC Schemes work?

The FBI defines Business Email Compromise as a sophisticated email scam that targets businesses working with foreign partners that regularly perform wire transfer payments. Formerly known as the Man-in-the-Email scam, BEC typically starts when business executives’ email accounts are compromised and spoofed, with the fraudster sending emails to an unknowing employee instructing them to wire large sums of money to foreign accounts.

While some cases involve the use of malware, BEC schemes are known for relying purely on social engineering techniques, making them very hard to detect. Recent incidents showed how employees were duped by emails masquerading as legitimate messages coming from company executives asking for information.

The BEC scam has five versions:

Version 1: The Bogus Invoice Scheme

Also known as the “The Bogus Invoice Scheme”, “Supplier Swindle”, or the “Invoice Modification Scheme”, this version usually involves a business working with a foreign supplier. The customer is contacted by a fraudster via phone, fax, or email asking to change the payment location of the invoice or for funds to be wired for invoice payment to an alternate, fraudulent account.

Version 2: CEO Fraud

In this version, the fraudsters spoof a business executive’s email account. A request made seemingly on the behalf of the executive is then forwarded to a second employee requesting for a wire transfer to an account the fraudster controls. In some cases, the fraudulent request for an “urgent wire transfer” is sent directly to the financial institution with instructions to urgently send funds to a bank. This scam is also known as “CEO Fraud”, “Business Executive Scam”, “Masquerading”, and “Financial Industry Wire Fraud”.

Version 3: Account Compromise

An employee of business “A” has his email hacked, not spoofed. Requests for invoice payments are sent from this employee’s email to multiple vendors found on the employee’s contact list, usually involving requests for payments sent to fraudster-controlled accounts.

Version 4: Attorney Impersonation

In this version, the cybercriminal contacts either the employees and/or the CEO of the company and identify themselves as lawyers or representative of law firms, claiming to be handling confidential and time-sensitive matters. This contact, typically made via phone or e-mail, pressures the contacted party into acting quickly or secretly in handling the transfer of funds. This type of BEC scheme may be timed to occur at the end of the business day or work week, when employees are getting ready to rest and thus vulnerable to panic.

Version 5: Data Theft

This scheme involves the email of role-specific employees (usually human resources) in the company being compromised and then used to send requests – not for fund transfers but for personally-identifiable information of other employees and executives. This can therefore serve as a jump-off point for more damaging BEC attacks against the company itself.

Which countries are most affected by BEC Schemes

US and Non-US Targets

Which company positions are most faked in BEC Schemes

BEC schemes bank on social engineering techniques that involve posing as an employee of the target company. Based on monitoring of emails used for BEC schemes, cybercriminals most often use the position of the CEO in their attacks. The cybercriminals send emails posing as the company CEO and instruct their target to make money transfers. Other company positions seen used for BEC schemes are the company president and managing director.

CEO 31%

President 17%

Managing Director 15%

President and CEO 13%

General Manager 4%

Others 20%

Most targeted company positions fraudsters use

Which company positions are most targeted in BEC Schemes

Employees from companies’ finance department are found to the most targeted by BEC schemes. The CFO, or the Chief Finance Officer, was found to the be the most targeted in our monitoring. This make sense, considering the that these employees are most likely the ones in charge of tasks such as transferring funds to other parties.

CFO 40.38%

Director of Finance 9.62%

Financial Controller 5.77%

Finance Accountant 3.85%

Finance Director 3.85%

Others 36.53%

Most targeted recipients

What email subjects are most used in BEC Schemes

Despite the great impact BEC schemes have created, analyzing the flow of the attacks reveal that its components are surprisingly trivial. Analysis of the email subjects used in BEC schemes revealed that most are simple and vague, at times composed only of one word. However, the fact that such techniques are effective prove that they know their targets enough to elicit action.

Request For {day} {month}, {year}

Transfer

Request

Urgent

Transfer Request

Email subjects used

What are the cybercriminal tools used in BEC Schemes

The tools used in BEC schemes are also another indicator of how easy it is for cybercriminals to launch such an attack. Most malware used in BEC schemes are off-the-shelf variants, ones that can be easily purchased online for a cheap price. Some malware can be bought for as much as $50, while some are far cheaper, or even available for free.

Incidents in 2014 showed how cybercriminals went beyond common attack methods to steal information. In the campaigns that used Predator Pain and Limitless, the emails sent to targets contained a keylogger that sends information back to the cybercriminal. Similarly, in June 2015, two Nigerian cybercriminals preyed on SMBs using a simple keylogger called HawkEye. Another BEC campaign reported in March 2016 targeted 18 companies in the United States, Middle East, and Asia used Olympic Vision, a simple keylogger available online for $25.

[Update: INTERPOL arrests Nigerian mastermind behind multiple BEC, 419, and romance scams]

In March 2016, a growing line of corporations and businesses have fallen for similar schemes. Companies like Seagate and Snapchat were among the high-profile businesses that were victimized by email scams using the same modus.

Backdoors

HawkEye$35

Agent Tesla$9-$30

Knight Logger$25

Limitless$40

Predator Pain$40

DarkCometFree

Luminosity$39.99

Olympic Vision$25

Vulcan LoggerDonation

Keybase$50

Infinity$25-$35

Cyborg$30

Dracula$25

Other Cybercriminal tools

Email CrawlersFree

Mass Mailers$69

File scanners$30/month

Crypters$25-$60

Tools used in BEC

How can you defend your company from BEC?

Businesses are advised to educate employees on how BEC scams and other similar attacks work. These schemes do not require advanced technical skills, use tools and services widely available in the cybercriminal underground, and only needs a single compromised account to steal from a business. As such, here are some tips on how to stay safe from these online schemes:

BEC Components and What You Can Do About them

BEC-related items

• Piercing the HawkEye: How Nigerian Cybercriminals Used a Simple Keylogger to Prey on SMBs
• From Cybercrime to Cyberspying: Using Limitless Keylogger and Predator Pain
• Battling Business Email Compromise Fraud: How Do You Start?
• Olympic Vision Business Email Compromise Campaign Targets Middle East and Asia Pacific Companies
• US and European companies Top Targets of CEO Fraud
• Security 101: Business Email Compromise (BEC) Schemes