Business Email Compromise Scams Are On The Rise
There has been a surge in business email compromise (BEC) and email account compromise (EAC) scams in recent years, causing losses of millions of dollars every year to individuals and to small and medium companies. This method of financial exploitation targets unwitting individuals, small and medium enterprises and large corporate companies alike. Since 2016, more than 8,000 BEC scam cases, cyber crimes and ransomware incidents were recorded in Malaysia alone, and more than US$26 billion in losses were reported in the United States of America.
For small and medium enterprises as well as corporate BEC/EAC fraud cases, the general modus operandi of this cybercrime is threefold: the break-in, the setup and finally the sting.
Attack Phase 1
First, the scammers select a target within the enterprise, normally the accounts payable (AP) team, in order to gain access to their email addresses and the other tools required for a successful scam.
Attack Phase 2
Second, the setup: a 'phishing' email is sent containing code or a trojan script which, when clicked on by the user, allows the scammers to access the company's email and computer systems. The scammers can then view the emails being sent and received by the company, including payments made to suppliers and invoices from contractors.
Attack Phase 3
Third, the sting: the scammers may spend days or weeks learning the payments system, which contractors or suppliers are expecting to be paid, which bank accounts are used, purchase orders and so on. The scammers then generate false invoices carrying different bank account numbers under their control and send them with spoofed details, so the accounts payable team believes it is paying genuine invoices from genuine suppliers or contractors.
The scammers often adjust the email rules that filter mail sent to and received by the company account, deleting genuine supplier emails and invoices and substituting fake ones carrying the scammers' bank details.
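The rule tampering just described leaves a trace that defenders can audit. The following is an added example, not code from the original article: it scans exported mailbox rules (a constructed sample with assumed fields name, from_contains, subject_contains, actions, folder and forward_to) and flags rules that hide supplier or payment mail or forward it outside the company.

```python
"""Audit exported mailbox rules for the BEC tampering pattern (added example,
not from the article). Rule records are a constructed sample with assumed
fields: name, from_contains, subject_contains, actions, folder, forward_to."""
from __future__ import annotations

# Assumed keyword and folder lists; tune them to the organisation.
PAYMENT_TERMS = ("invoice", "payment", "remittance", "bank", "purchase order")
HIDING_FOLDERS = ("deleted items", "rss feeds", "archive", "junk", "conversation history")

def _mentions_payment(rule: dict) -> bool:
    """True if the rule's conditions target supplier or payment traffic."""
    text = " ".join(rule.get("from_contains", []) + rule.get("subject_contains", [])).lower()
    return any(term in text for term in PAYMENT_TERMS)

def _hides_mail(rule: dict) -> bool:
    """True if the rule deletes mail or moves it to a folder users rarely open."""
    actions = {a.lower() for a in rule.get("actions", [])}
    folder = rule.get("folder", "").lower()
    return "delete" in actions or ("move" in actions and folder in HIDING_FOLDERS)

def _forwards_externally(rule: dict, internal_domain: str) -> bool:
    """True if any forward/redirect target is outside the company's own domain."""
    return any(not addr.lower().endswith("@" + internal_domain)
               for addr in rule.get("forward_to", []))

def flag_suspicious_rules(rules: list[dict], internal_domain: str) -> list[tuple[str, list[str]]]:
    """Return (rule name, reasons) for each rule that matches the BEC pattern."""
    findings = []
    for rule in rules:
        reasons = []
        if _mentions_payment(rule) and _hides_mail(rule):
            reasons.append("hides supplier/payment mail")
        if _forwards_externally(rule, internal_domain):
            reasons.append("forwards mail outside the company")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings

# Constructed sample: two attacker-style rules and one benign rule.
SAMPLE_RULES = [
    {"name": ".", "from_contains": ["@acme-supplies.example"], "subject_contains": ["invoice"],
     "actions": ["move"], "folder": "RSS Feeds"},
    {"name": "Backup", "actions": ["forward"], "forward_to": ["ap.copy@attacker-mail.example"]},
    {"name": "Newsletters", "from_contains": ["news@vendor.example"],
     "actions": ["move"], "folder": "Newsletters"},
]

if __name__ == "__main__":
    for name, why in flag_suspicious_rules(SAMPLE_RULES, "victim.example"):
        print(f"{name!r}: {', '.join(why)}")
```

Rules with a single-character name such as "." are a common sign of tampering in their own right, so the name should be reviewed alongside the flagged reasons.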
Fraudsters may also send spoofed emails impersonating an authoritative source or identity to mount a credible deception that leads to an unauthorised fund transfer. The payment intended for the genuine supplier or contractor is thus diverted to the scammers' bank account. They then move these funds overseas, out of the reach of the company and of law enforcement.
Meanwhile, the scammers continue to intercept emails from the genuine supplier or contractor, claiming there is an issue with the payment, which delays the genuine supplier from raising any concerns. The scammers keep diverting payments meant for other suppliers and deleting emails from genuine suppliers or from the accounts payable team. In this way the scammers can defraud the victim of tens or hundreds of thousands of dollars.
Eventually the scammers make mistakes, or the suppliers become annoyed with delayed payments and contact the victim company, only to learn that the emails being sent were false and the payments have gone to third-party bank accounts and are now missing. The scammers then attempt to delete logs and emails before disappearing with their loot, knowing that they are several steps ahead of law enforcement.
Methods to combat Business Email Compromise scams
There are several strategies which could protect a company from potential Business Email Compromise scams:
- Check the sender's email address: BEC/EAC scams generate familiar-looking addresses to deceive the recipient, e.g. a spoofed Tesco email could look like email@example.com.
- Contact the sender using a previously known phone number, not one given in the suspected spoofed email. This is the best way to ensure that you are communicating with the right person.
- Multi-person approval procedures for large transactions are crucial to catching a deception that was missed by the first layer of approval. Prevention is the key.
- Train employees to identify BEC using BEC simulations. They are your first responders in preventing this cybercrime from ever happening in your company.
- Deploy cyber security software, such as Scamwatch, that defends against incoming fraudulent emails and analyses sender reputation, rather than treating it as an afterthought.
- Know who to call in the event of a BEC breach: keep a contact list of senior staff, banks, IT services, cyber security companies and CyberSecurity Malaysia (Cyber999).
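The first item above, checking the sender's address, can be partly automated. The following is an added example, not code from the original article: it compares a sender's domain against a constructed list of known supplier domains and classifies it as known, a look-alike (confusable characters, a one- or two-character edit, or the real domain used as a prefix of a longer one), or unknown. The confusable table and the edit-distance threshold are assumptions to tune.

```python
"""Classify a sender address against known supplier domains (added example,
not from the article; supplier list, confusable table and addresses are
constructed). Returns 'known', 'lookalike' or 'unknown'."""
from __future__ import annotations

# Constructed list of domains the accounts payable team legitimately deals with.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Assumed table of substitutions that make a domain read like another one.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}

def _normalise(domain: str) -> str:
    """Fold confusable substitutions so 'acrne-supp1ies' compares as 'acme-supplies'.
    Folding 'rn' to 'm' can also alter legitimate names, so this only ever raises a flag."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, known: set[str] = KNOWN_SUPPLIER_DOMAINS) -> str:
    """Return 'known' for an exact domain match, 'lookalike' for a near miss, else 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in known:
        return "known"
    norm = _normalise(domain)
    for good in known:
        # Same after folding, within two edits, or the real domain used as the
        # leading labels of a longer one (e.g. acme-supplies.example.attacker.test).
        if norm == good or _edit_distance(norm, good) <= 2 or domain.startswith(good + "."):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for addr in ("ap@acme-supplies.example", "billing@acrne-supp1ies.example",
                 "ap@acme-supplies.example.attacker.test", "someone@unrelated.example"):
        print(f"{addr}: {classify_sender(addr)}")
```

A "lookalike" result should route the invoice to the phone-verification step described above rather than block it outright, since the check will also catch some legitimate typos.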
Falsely leveraging your bank account
Business Email Compromise fraudsters also extend their activities to social media and dating apps. In romance scams, fake profiles are created on dating apps and on social media platforms such as Facebook, Instagram and Twitter with the intent of building a relationship that helps commit Business Email Compromise scams. The fraudsters may ask to use their victims' bank accounts to receive the funds scammed from the victim companies, then ask for the funds to be sent overseas, possibly exposing the romance fraud victim to the criminal offences of money laundering and fraud.
Businesses in South East Asia should remain vigilant by putting in place a cyber security programme against incoming attacks, as well as a plan to mitigate and recover from incidents.