Business Email Compromise / Email Account Compromise (BEC/EAC) is a rapidly evolving form of internet fraud that targets both businesses and the general public: BEC is targeted at businesses, whilst EAC is targeted at the general public. This fraud, also known as the “man-in-the-email” attack, usually targets businesses (small, medium and large) or individuals who work with foreign suppliers or who perform regular wire transfer payments.
It involves impersonating the legitimate owner of an email account to deceive company executives, suppliers, customers or employees into sending money, sensitive information or personally identifiable information (PII). Where the victim deals with many suppliers, the perpetrators can send invoices to accounts personnel for urgent payment of goods or services.
Kinds of BEC
According to the United States (US) Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), there are five main forms of BEC.
Chief Executive fraud: This is when the compromised email account of a top executive in a company is used to request a wire transfer to a fraudulent account.
Account compromise: This is when an employee’s email account is compromised and used to request that a customer pay an invoice to a fraudulent account.
Bogus invoice scheme: This is when a company, which has an established relationship with a supplier, is requested to wire funds for invoice payment to an alternate fraudulent account.
Attorney impersonation: This is when victims are contacted by fraudsters posing as lawyers to transfer funds to fraudulent accounts.
Data theft: This is when fraudulent e-mails are used to request either wage or tax statement forms or lists of PII.
Tools used in BEC/EAC
The perpetrators of BEC/EAC mainly use the following techniques to target and exploit their victims:
Spoofing: This involves the use of fake email addresses that look legitimate in order to deceive victims. This is achieved using domains or user IDs that are extremely similar to the genuine ones, or the genuine domain name under a different top-level domain. Examples include using firstname.lastname@example.org to mimic email@example.com, firstname.lastname@example.org to mimic email@example.com and firstname.lastname@example.org to mimic email@example.com.
Spear phishing: This involves the use of email to target a particular individual in order to obtain confidential information to be used to perpetrate the fraud.
Social engineering: This involves deceiving or manipulating individuals to disclose confidential information to be used to perpetrate the fraud.
Malware: This involves secretly installing malicious software on the victim’s computer in order to gain access to confidential information to be used to perpetrate the fraud.
Hacking: This involves gaining unauthorized access to an email account in order to send messages that perpetrate the fraud.
Current statistical data
According to IC3’s 2018 Internet Crime Report, BEC/EAC ranked number 1 out of 33 different internet crimes by victim loss. IC3 received over 20,000 BEC/EAC complaints with losses of approximately $1.3 billion in 2018 alone.
IC3 reports that, between May 2018 and July 2019, there was a 100% increase in losses in relation to BEC/EAC globally. BEC has been reported in 177 countries and fraudulent transfers have been sent to about 140 countries, with China being the primary destination, whilst there is an increase in such transfers to the United Kingdom, Mexico and Turkey.
According to Dark Reading, 6.4 billion fake emails are sent worldwide, every day.
In the 451 Alliance Members Only Report dated September 18, 2019 and titled, “Addressing the #1 Concern of IT: Security”, a number of IT managers and security specialists were asked, “which one of the following poses the greatest data security threats to your organization?”. Figure 1 shows the responses from the respondents:
In March 2016, suspected Chinese cyber criminals used spoofed emails to trick employees of SS&C Technologies, a financial technology company based in the U.S., into sending $5.9 million to the criminals.
On September 10, 2019, the U.S. Department of Justice arrested 281 people and seized approximately $3.7 million in connection with a 4-month investigation into BEC scams. 74 were arrested in the U.S., 167 in Nigeria, 18 in Turkey, 15 in Ghana, and the rest in France, Italy, the U.K., Japan, Kenya and Malaysia. Investigations revealed that they stole over 250,000 identities and filed over 10,000 fraudulent tax returns to receive over $91 million in refunds.
Protection against BEC/ EAC
The following actions can be taken to protect against BEC/EAC:
- A comprehensive awareness program should be instituted to educate people on the modus operandi of the perpetrators and on preventive mechanisms.
- Avoid indiscriminate disclosure of one’s email address.
- Always ensure the sender’s email address is associated with the company it claims to originate from.
- Carefully scrutinize senders’ email addresses before acting on their instructions, especially when using mobile devices.
- Always use a different channel (a phone call or text message) to authenticate the true sender of a suspicious email before acting on its instructions.
- Avoid providing login credentials or PII in response to emails.
- Regularly monitor financial accounts for anomalies.
- Companies / company executives should avoid the use of free email services such as Yahoo Mail, Gmail, Hotmail etc.
- The use of two-factor authentication (PIN/token in addition to a password) in accessing e-mail accounts is encouraged.
- Ensure mailing systems are configured to display the sender’s full email address, not just the display name.
- Always ensure software has the latest patches applied.
- Use technologies like spam filters, anti-malware and anti-phishing tools to help curb this menace.
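The spoofing technique described under “Tools used in BEC/EAC” (lookalike domains, swapped top-level domains) and the advice above to scrutinize the sender’s full address rather than the display name can be turned into an automated check on the From header of incoming mail. The following is an added example written for this article, not code from the author or from IC3; the trusted domains, the sample headers and the edit-distance threshold are constructed assumptions, and the domain splitting is deliberately simplified (a production filter would use the Public Suffix List and a proper RFC 5322 parser).

```python
"""Lookalike-sender check for a From header (added example; constructed data)."""
import re
import unicodedata

# Constructed sample: domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "supplier-example.org"}

# Character sequences commonly swapped for visually similar ones in lookalike
# domains. Multi-character entries come first so they are replaced first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label: str) -> str:
    """Fold accents and homoglyphs so 'examp1e' and 'exámple' both become 'example'."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for seq, repl in HOMOGLYPHS:
        folded = folded.replace(seq, repl)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str) -> tuple[str, str]:
    """Split a From header into (display name, address).

    Handles 'Name <addr>', '"Name" <addr>' and a bare address. Simplified on
    purpose; it is not a full RFC 5322 parser.
    """
    m = re.match(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^>]+)>\s*$', header)
    if m:
        return (m.group("name") or "").strip(), m.group("addr").strip()
    return "", header.strip()


def split_domain(domain: str) -> tuple[str, str]:
    """Return (labels before the last one, last label). Crude stand-in for the
    Public Suffix List, adequate for this example."""
    parts = domain.lower().split(".")
    return ".".join(parts[:-1]), parts[-1]


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify the real sending domain against the trusted list.

    Verdicts: 'trusted' (exact domain or subdomain of a trusted domain),
    'suspicious' (lookalike, TLD swap, trusted domain used as a prefix, or a
    display name that shows a trusted address over a different real address),
    'unknown' (no relation to a trusted domain), 'reject' (unparseable).
    """
    display, addr = parse_from(from_header)
    if addr.count("@") != 1:
        return {"verdict": "reject", "address": addr, "reasons": ["unparseable address"]}
    domain = addr.rsplit("@", 1)[1].lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return {"verdict": "trusted", "address": addr, "reasons": [f"domain under '{t}'"]}
    reasons = []
    name, tld = split_domain(domain)
    for t in trusted:
        t_name, t_tld = split_domain(t)
        # e.g. example.com.evil-host.test: the trusted name is only a prefix.
        if domain.startswith(t + "."):
            reasons.append(f"trusted domain '{t}' used as a subdomain prefix of '{domain}'")
        # e.g. example.co instead of example.com.
        if name == t_name and tld != t_tld:
            reasons.append(f"same name as '{t}' but TLD '.{tld}' instead of '.{t_tld}'")
        # e.g. examp1e.com or exarnple.com: close after homoglyph folding.
        elif name != t_name and levenshtein(normalize(name), normalize(t_name)) <= 2:
            reasons.append(f"'{domain}' is a typo/homoglyph lookalike of '{t}'")
    # Display name carries a trusted-looking address while the real one differs.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() in trusted:
        reasons.append(f"display name shows trusted address '{m.group(0)}' "
                       f"but real sender is '{addr}'")
    return {"verdict": "suspicious" if reasons else "unknown",
            "address": addr, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers covering each verdict.
    for hdr in ['"Alice Doe" <alice@example.com>',
                "Alice Doe <alice@examp1e.com>",
                "bob@example.co",
                "Eve <eve@example.com.evil-host.test>",
                '"ceo@example.com" <random@free-mail.test>',
                "Carol <carol@unrelated.test>"]:
        print(assess_sender(hdr))
```

The check is meant as a triage signal rather than a block list: an edit distance of 2 will also flag genuinely unrelated short names, so a flagged message should be routed to the out-of-band verification step (phone call or text message) recommended above rather than silently dropped.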
Sherrif Issah – (Consultant @ Digital Jewels Ltd. and Member: Institute of ICT Professionals, Ghana)
For comments, contact author firstname.lastname@example.org | Mobile: +233243835912