Business Email Compromise (BEC), also known as CEO Fraud, is the malicious scheme costing the business world billions of dollars. While the perpetrators tend to target large organisations, small to medium businesses caught out by the scheme have the most to lose, a cybersecurity expert warned.
Tim Bentley, Country Manager, Australia and New Zealand at Proofpoint recently spoke with Dynamic Business about the growing threat of BEC/CEO Fraud and what businesses can do to protect themselves.
What is Business Email Compromise ?
Bentley explained that BEC involves an attacker (or ‘actor’) exploiting an employee by posing as the CEO, CFO or company attorney and requesting a money transfer or sensitive information such as passwords and private employee details be sent across. Whilst the request comes through email it can be followed up by a phone call or an SMS to add further legitimacy.
“Actors are actually spending time researching the CFO/CEOs of Aussie companies (through social media) and finding out when they’re travelling,” Bentley explained. “They will then send an email to their EA or finance team and say something like, ‘As you know, I’m just about to board my flight to Thailand but before I go I need your help to urgently wire $100,000 to this BSB and Account Number. Please do it now as I’m boarding and won’t have reception for the next 10 hours’.”
The culprits are getting smarter
Bentley said that BEC is having a major impact on the business community both locally and abroad. At a recent Proofpoint webinar, he discovered that 90% of the 200 attendees (all c-level executives or IT directors/managers) had experienced at least one BEC attempt this year, and 46% had experienced more than ten attempts.
Bentley also pointed to the FBI’s announcement, earlier this year, that cases of BEC increased by 270% in 2015 and the scheme had cost businesses more than $2.3 billion between October 2013 and February 2016.
“This dwarfs losses from any other kind of attack including phishing, ransomware and credit card fraud,” he said. “Because it’s so lucrative, actors are only going to get smarter and more convincing. They are already researching employees’ social media platforms, websites and annual reports to gain vital intel and we can expect the level of research going into each attempt to increase.”
Once tricked, you stay on their radar
Bentley explained that BEC is a particularly important issue for Australia’s small to medium businesses as just one successful attack could potentially send them under.
“Our local experience has been that actors will go after all kinds of businesses – small and large,” he said. “The governing factor is how soft a target they think you are. 100K is 100K whether it comes from a business with deep pockets or shallow ones.
“Proofpoint has seen the same actors mercilessly target hospitals and surgeries with ransomware. The cost of system downtime could well be measured in terms of lives not dollars, so don’t expect to be overlooked by the same people just because you’re small.
“Last month, I met with a business with less than 50 employees that had wired six figures to an offshore bank because the attackers impersonated a C-level executive. One thing I know for certain is if you do wire money out, then the actor will increase their attention on you with more fraud in the near future.”
Four signs you’re being scammed
Bentley said there are a number of ‘tell-tale signs’ that an email has come from a fraudulent, rather than a genuine, source. The most popular giveaways include:
a request from the source to not discuss the email with others and to act urgently;
language, including tone, that’s out-of-character for the supposed sender;
non-local date formats, and
lookalike domains and email addresses that may fool someone at first glance (e.g. email@example.com and firstname.lastname@example.org).
Bentley identified three key things businesses can take to protect themselves:
Inform employees about BEC and educate them regarding what to look out for when it comes to fraudulent emails. If in any doubt over veracity, employees should be encouraged to check internally (not through email!) and raise flags.
Have multiple layers of approval – especially for new payees.
Employ simple technical protections such as email authentication (or verifying the IP address of the domain) and flagging for employees, whether it is an internal or external address.