In late 2015, SC Magazine's Max Metzger wrote about a next-generation phishing scheme dubbed "whaling," and how we would most likely see a substantial uptick in the frequency of these scams. Trend Micro mirrored this sentiment in a January blog post about business email compromises (BEC), noting that the FBI estimated losses among U.S. companies between October 2013 and August 2015 to be as high as $750 million – and counting.
Whether you know it as "whaling," "man-in-the-email scams," "BEC" or some other name, email fraud is a serious cyber threat that's causing problems in 2016.
What exactly is business email compromise?
Business email compromise is an offshoot of phishing, which is a social engineering tactic meant to trick authorized users into bypassing security gateways. This could take the form of fake job applications sent out to employers with malicious attachments that install ransomware, a link sent in an email to a seemingly legitimate online portal that's meant to steal login credentials, or any other form of targeted attack that manipulates legitimate users.
However, the motive is really what distinguishes BEC from other phishing scams. Rather than trying to infect a system with malware, or use login credentials in an attempt to sneak through the network in search of valuable data, hackers will use the breached email to pose as the account holder. Specifically, cyber attackers will go after the emails of high-level executives, requesting that money or sensitive information be sent directly to them. The result is a data breach or theft of company funds.
How serious is the problem?
In the past few months, there have been multiple high-profile examples of BEC that have had far-reaching consequences. The most damaging incident involved a Michigan investment firm. According to a Trend Micro blog post, one of the company's employees transferred $495,000 to a bank account in Hong Kong, per the request of a co-worker. Within eight days of the transfer, the company realized its mistake and went to the police. Unfortunately, it's unlikely that the firm will ever see that nearly half-million dollars again. Trend Micro noted that this isn't the first time that BEC has resulted in money being freely handed over to criminals. Last year, one Omaha-based company lost $17.2 million after an executive wired money to China in installments after being asked to in a seemingly legitimate email.
More recently, Verity Health Systems experienced a BEC that resulted in the compromise of employee data, including Social Security numbers, names, addresses and other personally identifiable information. After receiving a fraudulent email request from a company executive, one of the employees sent out W-2s belonging to workers. The request had been made on April 27, but it wasn't until May 22 that it was found to be a scam.
Going back a few months, the popular photo-sharing application Snapchat got caught up in a similar incident when a hacker posed as founder and CEO Evan Spiegel. The cyber criminal sent an email requesting payroll information to a subordinate, who then obliged, resulting in the theft of personally identifiable information belonging to approximately 700 current and former employees, according to the Washington Post. Unlike the messages sent over its popular consumer app, that's data that won't be disappearing any time soon, as the hacker no doubt had intentions to sell the information on the dark web.
How to beat BEC
The first and most obvious step that organizations should take to avoid being scammed out of money and data is to increase employee awareness. Whether it's through mandatory training forums or shared presentations, it's important that employees know what to look for, and that any unusual requests are validated through a more direct line of communication than email.
This level of vigilance is a start, but the important thing to understand about BEC is that an email account has to be hacked first. Often, this is the result of a phishing scam. Once hackers have access to an executive's email account, they can essentially make any request they want over email in a tone and style, and perhaps even context, that may seem fitting. Remember, breaking into an email account means that the cyber attacker has access to many former email threads. This can make it much easier to make a seemingly legitimate request that can harm an organization.
Thus, beating BEC really starts with taking a thorough, layered approach to securing email communications. It requires an email security solution that can identify malicious links before the message is even opened, and can sandbox keylogger malware and other cyber threats so as to know how they'll behave once executed. If you can stop phishing schemes in their tracks, you can prevent BEC.
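The two controls above, routing unusual requests to out-of-band verification and layering automated checks on inbound mail, can be combined in a simple triage step. The following is an added example and not code from the original post or from any vendor it mentions: it scores a message on the indicators the incidents described share (a request involving money or employee records, pressure to act today, and a push to keep the exchange on email only) and flags it for verification over a direct channel. The sample messages, the indicator word lists and the threshold are constructed for illustration and would need tuning in a real deployment.

```python
import email
import re
from email import policy

# Constructed sample messages (not real mail). The first mimics the
# wire-transfer request described in the post; the second is routine.
SAMPLE_WIRE = """\
From: "Jane Doe, CFO" <jane.doe@example.com>
Reply-To: jane.doe@example-mail.net
To: accounts@example.com
Subject: Urgent wire transfer needed today

Please wire $495,000 to the vendor account below before end of day.
I'm in meetings all day, so email only. Keep this confidential for now.
"""

SAMPLE_NORMAL = """\
From: "Jane Doe, CFO" <jane.doe@example.com>
To: accounts@example.com
Subject: Q2 budget review

Attaching the draft budget for Thursday's review. Comments welcome.
"""

# Indicator patterns (hypothetical starting set, not from the post).
FINANCIAL = re.compile(
    r"\b(wire|transfer|payment|invoice|bank account|w-?2s?|payroll|"
    r"ssn|social security)\b", re.I)
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|today|end of day|right away)\b", re.I)
SECRECY = re.compile(
    r"\b(confidential|do not (tell|discuss)|keep this between|email only|"
    r"can't talk)\b", re.I)

# Messages hitting this many indicator categories go to out-of-band review.
VERIFY_THRESHOLD = 2


def _addr(value):
    """Return the bare, lower-cased address from a header like '"Name" <user@host>'."""
    value = str(value) if value is not None else ""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def score_message(raw):
    """Score one RFC 822 message and decide whether it needs direct verification.

    Returns a dict with the indicator count, the reasons, and the decision.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")

    reasons = []
    if FINANCIAL.search(text):
        reasons.append("requests funds or employee financial records")
    if URGENCY.search(text):
        reasons.append("pressures the recipient to act immediately")
    if SECRECY.search(text):
        reasons.append("asks to keep the exchange on email or secret")

    # A Reply-To pointing at a different domain than From diverts the
    # reply thread away from the real mailbox; treat it as an indicator.
    from_domain = _addr(msg["From"]).rpartition("@")[2]
    reply_domain = _addr(msg["Reply-To"]).rpartition("@")[2]
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    score = len(reasons)
    return {
        "score": score,
        "reasons": reasons,
        "verify_out_of_band": score >= VERIFY_THRESHOLD,
    }


if __name__ == "__main__":
    for name, sample in (("wire request", SAMPLE_WIRE), ("budget mail", SAMPLE_NORMAL)):
        result = score_message(sample)
        print(f"{name}: score={result['score']} verify={result['verify_out_of_band']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

The point of the decision field is procedural rather than technical: a flagged message is not blocked, it is handed to the recipient with an instruction to confirm the request by phone or in person before any transfer or data leaves the company, which is the "more direct line of communication" the training section asks for.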
In conclusion, business email compromise schemes can only be fought in two ways: through smarter practices among employees, and more importantly, better safeguards for email.