Enterprises have been getting better and better at protecting their networks, endpoints, and data over the last few years, taking advantage of advances in technology and the knowledge gained from defending against millions of attacks. But attackers have not been resting, and they too have been upping their game and new statistics released by the FBI this week show that the bad guys are still really good at separating people from their money.
The FBI’s Internet Crime Complaint Center, which is a clearinghouse for all kinds of online scams, including phishing, vishing, credit card fraud, and even catfishing, keeps highly detailed stats on all of the complaints and crimes it tracks (as you might imagine). And the Bureau is nice enough to release a huge pile of that data to the public every year in the form of the Internet Crime Report, a comprehensive look at all the ways in which scammers, cybercriminals, and other assorted creeps have been stealing money and goods from consumers and businesses. All the usual suspects are here; your 419 scams, your credit card schemes, and even your confidence fraud (whatever that is), but the star of the show this year is the business email compromise scam.
This operation is sometimes known as the CEO scam, and the setup is elegantly simple. The attacker sends a well-crafted email to a specifically chosen victim, usually someone with a lot of financial authority in the target company. The message will have a spoofed email address, forged headers, and a signature block identical to that of the person the attacker is impersonating. The attacker typically is impersonating the CEO of the target company, and the email will direct the recipient to transfer a large amount of money to an outside account, sometimes at a fictitious new partner or supplier or sometimes for an urgent acquisition by the company. The victim makes the transfer, and the money then is immediately siphoned off into a series of other accounts, making it much more difficult to track or recover.
That’s it. It’s not much more complicated than a normal phishing attack, except for the twist of using the CEO’s authority to up the authenticity and urgency of the transaction. As simple as the scam sounds, it’s also deadly effective. The FBI’s report says that U.S. businesses lost $236 million to these email schemes in 2015. And it’s not just small or unsophisticated companies that are being targeted. Last summer, a large U.S. company with global interests lost $98 million in a BEC scam, some of which was recovered. But $25 million of the money is still in the wind. Belgian bank Crelan also was hit by this attack, losing $75 million in January. That’s serious money, even for a bank.
“The scam began to evolve in 2013 when victims indicated the email accounts of Chief Executive Officers or Chief Financial Officers of targeted businesses were hacked or spoofed, and wire payments were requested to be sent to fraudulent locations,” the FBI says in its report.
“BEC continued to evolve, and in 2014, victim businesses reported having personal emails compromised and multiple fraudulent requests for payment sent to vendors identified from their contact list. In 2015, victims reported being contacted by subjects posing as lawyers or law firms instructing them to make secret or time sensitive wire transfers.”
We have known how to defend against phishing for a long time. Email filtering and user education are the twin pillars of anti-phishing strategy, and those are the same two defenses that have to be in play to combat BEC scams. The user education piece is the most important one here, as businesses must train employees with financial authority about this scam, and also have crystal clear policies in place for how and under what authority transfers can be made. Without that, even highly evolved and sophisticated businesses will be soft targets for these scams for years to come.