Meet Betty. Betty works in the finance department of Teapots Inc., and is responsible for managing payments to their suppliers. Last Tuesday she received an email from her boss, saying that a new supplier needed paying urgently to help secure a very important teapot contract. The sum was £50,000, and it needed to happen as soon as possible because he was on holiday and didn’t want to worry about it anymore. This all seemed legitimate to Betty. She knew her boss was on holiday, as she had seen photos of his Caribbean getaway posted on Facebook just yesterday. The address it came from looked genuine, so she had no reason to believe it wasn’t really her boss.
Of course, it wasn’t. But you knew I was going to say that.
But this was not your average, balaclava-wearing Google Images fraudster. This fraudster had done a lot of research, patiently waited for the right moment and was very skilled in the art of psychological manipulation. Oh, we should probably mention that this was a real incident, though the firm wished to remain anonymous. In the end, they lost £150,000 to the fraudster, believing him to be a genuine supplier. Betty the finance director was fired. But this style of manipulation, known as business email compromise or CEO fraud, is actually increasingly common as cyber awareness starts to rise. Luckily, there is a big, clanging alarm bell that should be set off when you see a certain three words – ‘urgent’, ‘payment’ and ‘request’.
A Business Email Compromise (or BEC) is a form of phishing attack, where a cybercriminal impersonates an executive (often the CEO) of the business and attempts to get an employee, customer or vendor to transfer money or sensitive information to them directly. As you can see in the example above, this type of phishing attempt is often more sophisticated than standard email phishing, and often requires a lot more legwork. This might be why we haven’t seen much of this type of attack in the news until now – it simply wasn’t as common. But in March, the US Department of Justice arrested a 48-year-old Lithuanian man for stealing more than $100m (£80m) from two internet-based businesses using this method between 2013 and 2015.
Unlike traditional phishing attacks, which target a huge number of individuals within the company in hopes of snaring one, BEC attacks are highly focussed and carefully planned. The attackers will spend time scraping compromised inboxes, study recent company news and research their chosen employees on social media websites, all in an effort to make their attacks look as convincing and genuine as possible. This approach helps them get through spam filters, evade whitelisting campaigns and makes it much harder to recognise as a fake email.
A BEC attack usually starts with the attacker phishing a high-level executive – not to steal information, but to gain access to their inbox. Once they have gained access to the inbox, the attacker is able to study the information within and formulate their plan. These attacks usually come in four guises:
1) CEO Fraud. This is the type of attack we saw above. Once the attacker has access, they will email another employee from the CEO’s account requesting money be sent to an account that the hacker owns. It will almost always be labelled as an urgent payment request, and will be phrased in a way that encourages the employee to act quickly.
2) Fake Invoices. In this scenario, the attacker looks through the executive’s email account for an invoice or bill that is due soon, preferably for a large amount. They will then contact the finance team and ask them to change the payment location to their own account.
3) Account Compromise. Similar to the fake invoice approach, account compromise involves hacking an employee’s account, and then emailing customers to alert them that there was a problem with their payment and they need to re-send it to a different account.
4) Data Theft. This is the only BEC attack that doesn’t aim to get funds transferred to the attacker. In this case, the attacker will be requesting sensitive information to be sent instead, primarily from finance and HR departments. These attacks are usually the starting point for a larger, or more damaging attack.
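The warning signs described above (the ‘urgent’ ‘payment’ ‘request’ wording, a sender address that only looks like the boss’s, and a request to send money to a different account) can be turned into a simple triage rule for the finance team’s inbox. The following is an added example, not code from the original post; the `teapots.example` domain and the two sample messages are constructed for illustration.

```python
"""Heuristic BEC triage: score a message for the warning signs the post describes."""
import email
import re
from email import policy

# Domains this organisation legitimately sends from (assumed value for the example).
INTERNAL_DOMAINS = {"teapots.example"}
# The three-word alarm bell, plus phrasing used to redirect a payment elsewhere.
URGENT_TRIAD = ("urgent", "payment", "request")
REDIRECT_PHRASES = ("new account", "change the payment", "different account", "bank details")


def _domain(addr):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def score_message(raw):
    """Return (score, reasons) for one RFC 5322 message; a higher score is riskier."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["subject"] or "") + "\n" + (body.get_content() if body else "")).lower()
    sender, reply_to = _domain(msg["from"]), _domain(msg["reply-to"])
    reasons = []
    if all(w in text for w in URGENT_TRIAD):
        reasons.append("urgent payment request wording")
    if any(p in text for p in REDIRECT_PHRASES):
        reasons.append("asks to send money to another account")
    if reply_to and reply_to != sender:
        reasons.append(f"reply-to domain {reply_to} differs from sender {sender}")
    # Lookalike check: the organisation's name appears in a domain that is not ours.
    org_labels = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    if sender and sender not in INTERNAL_DOMAINS and any(l in sender for l in org_labels):
        reasons.append(f"lookalike sender domain {sender}")
    return len(reasons), reasons


# Constructed sample messages: one modelled on the story above, one harmless.
SAMPLE_FRAUD = """From: "Tom Boss" <tom.boss@teapots-inc.example>
Reply-To: tom.boss@mail-relay.example
To: betty@teapots.example
Subject: Urgent payment request - new supplier
Content-Type: text/plain

Betty, please send GBP 50,000 to the new account below today. I am on holiday
and do not want to worry about this. Bank details attached.
"""
SAMPLE_BENIGN = """From: alice@teapots.example
To: betty@teapots.example
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free for lunch on Friday?
"""
```

A score of two or more is a reasonable threshold for holding the message until the request is confirmed by phone or in person; the fraudulent sample trips all four checks, the benign one none.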
So what can we learn from this? Well, that our email security should be as high a priority as the rest of our cyber security. All too often, I see business owners who rely on their hosting provider for email protection, without putting any precautions in place themselves. This is just setting up a ticking time bomb, waiting to go off, either because you have been hacked or your provider has. For more information or advice on how to secure your emails against attack, get in touch with us today for your free consultation.