by Email Reputation Service Team
The FBI has issued a warning about the dramatic increase in Business Email Compromise (BEC) scams, which have swindled over US$2.3 billion from companies worldwide, notably in the US and Europe. The scams do not discriminate: targets range from small businesses to large corporations. All the perpetrators need is the email address of a company executive (or of someone close to them, such as a personal assistant) and the ability to craft a convincing fake email.
This kind of scam, in which fraudsters pose as high-level executives, is also known as “CEO Fraud”. It has been around for quite a while, mainly targeting big companies in the US and Europe, with the rest in Australia and other regions:
Figure 1. CEO Fraud Region Distribution
While there is a marked decrease in CEO fraud attacks in the US, it remains a top target for cybercriminals, along with Europe. As such, we can expect more of these in the coming months.
A big threat to businesses
Reported accounts of successful CEO fraud attacks show just how big a threat the scam is to companies. One example is the announcement by FACC Operations GmbH, an airplane parts manufacturer, that it had been hit by “cyber fraud” for no less than US$54 million. Another is the French company Etna Industrie, whose Chief Executive Officer, Carole Gratzmuller, came back to work to find that her accountant had transferred US$542,000 to unknown foreign bank accounts—all at the behest of a faked email bearing Carole’s name.
Other BEC types, such as those that involve malware, have had a big impact as well. Our report on the Olympic Vision BEC campaign, which used a toolkit that can be bought for only US$25, found that it targeted companies from three different regions across the globe.
Such is its impact that the UK has created the Joint Fraud Taskforce to aid in combating financial fraud and to raise awareness among the general and corporate public.
Why is CEO Fraud such a big deal?
CEO Fraud, a type of Business Email Compromise (BEC), involves spoofing the email account of a company executive to wire sums of money to fraudulent accounts. By posing as the company’s CEO, fraudsters are able to siphon money off a company through crafty money transfer requests. It’s like spear phishing, except that malware is usually optional or even absent. What the cybercriminal does is make the email look credible and familiar enough that even the most eagle-eyed of secretaries won’t suspect it is fake, even for a second.
Figure 2, 3, 4: Fake emails designed to ‘feel’ familiar and businesslike
But it’s not just email that can be used in this scam. In the Etna Industrie incident, the email bearing the CEO’s name was followed up with a phone call from a ‘consultant’, who advised the company accountant to send money to foreign accounts under the pretense of buying a company.
Figure 5: Sample content of fake email designed to trick the employee into hiding their activities, under the ruse of legitimate ‘covert tactics’
Of course, this is not to say that malware won’t be used. As mentioned above, CEO Fraud is but one BEC method. Similar attacks have used malware such as keyloggers. We have covered such attacks (Hawkeye, Predator Pain and Limitless), including Olympic Vision, that are simple, unsophisticated, and cost the enterprising cybercriminal US$40 or less—which makes BEC scams much more of a threat due to their accessibility and ease of execution.
How to defend against BEC scams
Email-based threats that carry no malware payload (that is, no malicious link or attachment), such as CEO fraud scams, are especially tricky to detect. There is also nothing for a traditional email security solution to flag or block, because the message reads as legitimate correspondence, even if the sender isn’t being honest. Not only that, but it is sent directly to its target—and combined with other elements (such as a phone call), it lends the scam an air of legitimacy that victims will be hard-pressed to suspect.
Despite its sophistication, CEO Fraud and other BEC scams are not impossible to protect against. It is important for companies to have protection that goes beyond traditional email threats, and is able to block email-based threats like CEO fraud that don’t involve malicious payloads.
Trend Micro is able to provide protection for both enterprises and small to medium sized businesses against BEC-related emails through our Social Engineering Attack Protection technology. Integrated with our InterScan Messaging Security and Hosted Email Security, this technology provides an additional layer of protection through inspection of email headers, social engineering tactics, and forged behaviors and the detection of BEC-related malware. These solutions are provided through the endpoint and email security capabilities of the Trend Micro Smart Protection Suites and Network Defense solutions.
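As an added illustration of the kind of header and content inspection described above, the following example (written for this article, not Trend Micro’s Social Engineering Attack Protection code) scores an inbound message for three forged behaviors typical of CEO fraud: an executive’s display name on an address that is not theirs, a Reply-To that diverts replies away from the visible sender, and wording that pushes urgency, a payment, or secrecy. The company domain, executive directory, and both sample messages are constructed for the example.

```python
"""Heuristic triage of inbound mail for CEO-fraud indicators.

Added example, not Trend Micro's product code. It assumes a small directory
of executives and their legitimate addresses (hypothetical company below) and
scores RFC 5322 messages for forged behaviours a payload-free BEC email shows.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed executive directory: lower-cased display name -> real address.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.test",
}

# Social-engineering vocabulary checked against subject and body.
LEXICON = {
    "urgency": ("urgent", "immediately", "asap", "today"),
    "payment": ("wire transfer", "payment", "acquisition"),
    "secrecy": ("confidential", "do not discuss", "keep this between us"),
}


def score_message(raw: str) -> dict:
    """Return the indicators found in one message and a score (one point each)."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    indicators = []

    # 1. A known executive's name in the display name, but not their address
    #    (look-alike domain, free-mail account, or the real name on a fresh box).
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        indicators.append(f"executive display name '{display}' on {addr}")

    # 2. Reply-To steers replies to a mailbox the victim never sees in From.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        indicators.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Pressure wording in subject and plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    text = text.lower()
    for label, terms in LEXICON.items():
        if any(term in text for term in terms):
            indicators.append(f"{label} language")

    return {"indicators": indicators, "score": len(indicators)}


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Flag for manual verification when at least `threshold` indicators fire."""
    return score_message(raw)["score"] >= threshold


# Constructed sample messages (not real correspondence).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@example-corp-mail.test>
Reply-To: ceo.office@freemail.test
To: accounts@example-corp.test
Subject: Urgent wire transfer

I am in a meeting and cannot take calls. We are closing an acquisition today
and need an urgent wire transfer to the account below. This is confidential,
do not discuss it with anyone until the deal is announced.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.test>
To: accounts@example-corp.test
Subject: Q3 budget review

Please send me the updated Q3 figures before Thursday's review meeting.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        result = score_message(sample)
        print(f"{name}: score={result['score']} flagged={is_suspicious(sample)}")
        for indicator in result["indicators"]:
            print("  -", indicator)
```

The score is deliberately coarse: a single indicator (an executive writing from a personal address, or one urgent subject line) is routine, so the default threshold flags a message only when several behaviours coincide. Flagged mail is queued for the out-of-band verification the next section describes rather than silently dropped.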
One other key component in defending against BEC scams is employee education. All staff—from CEO to rank and file employee—must learn about the scams and what to do in the case that they are encountered.
A verification system where staff can properly contact and check with the CEO or senior members should be put in place immediately and enforced with the utmost strictness. An example would be a double-verification system where any important decision, even one made in the absence of the CEO, needs to be verified and double-checked by at least two points of contact.
For further reading on BEC threats and past campaigns, refer to the BEC webinar and our previous blog entry.
Additional insights and analysis by Marshall Chen, Luby Lien, Grant Chen, and Loseway Lu.