Detekce a prevence kybernetických hrozeb

Business Email Compromise[1] is a type of scam attack where an attacker impersonates an executive (typically the CEO), and attempts to get an employee, customer, or vendor to transfer money or sensitive information to the attacker.

The BEC scam could be linked to other forms of fraud like a romance, lottery, employment, and rental scams.

By the definition of FBI the BEC is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.[2]

Unlike a traditional phishing attack, BEC is targeted at a certain individual or organization. In the case of BEC, the attacker prepares for the attack very thoroughly and tries to obtain maximum information about the victim before the attack takes place. Usually they use websites, annual reports, information about the organization´s employees from social networks, from compromised email accounts, etc.

This high level of targeting helps these email scams to slip through spam filters and evade email whitelisting campaigns. It can also make it much, much harder for employees to recognize the email is not legitimate.[3]

The victims of the BEC scam range from small businesses to large corporations. The BEC scam is linked to other forms of fraud, including but not limited to: romance, lottery, employment, and rental scams.

The FBI warned that BEC scams would likely „continue to grow, evolve, and target businesses of all sizes.” The FBI also mentioned that they’ve seen a 1,300% increase in business email compromise attacks since January 2015.[4]

The BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. Some of the sample email messages have subjects containing words such as request, payment, transfer, and urgent, among others. 

The BEC scam usually takes one of the following forms:

1.     CEO Fraud

Attackers pose as the company CEO or other company executive and send a spoofed email to employees with the ability to send wire transfers, and instruct them to send funds to the attackers.

2.     Fake Invoice[5]

A business, which often has a long standing relationship with a supplier, is requested to wire funds for invoice payment to an alternate, fraudulent account. The attacker typically approaches the victim via e-mail or telephone. An e-mail attack has typically a spoofed email source code (header) and subject of the request so it appears very similar to a legitimate request.

3.     Account Compromise

This attack is similar to Fake Invoice. The attacker uses an employee’s email account (hacked or spoofed), then sends an email to customers to announce them there has been a problem with their payment and they need to re-send it to a different account.

4.     Business Executive and Attorney Impersonation

Victims are contacted by attackers, who identify themselves as lawyers or representatives of law firms. The attacker requests a large funds transfer to help settle a legal dispute or pay an overdue bill. The attacker is trying to convince victims that the transfer is confidential and time-sensitive, so it is less likely that the employee will attempt to confirm whether they should transfer the funds.

5.     Data Theft

A type of BEC whose goal is not a direct money transfer. Typical victims of that attack include finance or HR departments /employees. The attacker is requests them to send highly sensitive to his account. The social engineering is used and the data theft attack can be a starting point to the above mentioned BEC attacks focused on financial transfer.

Since 2017, there has been a dramatic increase in fraudulent attacks having the character of BEC in the Czech Republic. Yet again, most BEC attacks use similar modus operandi:

1.     Picking a victim and obtaining information about the victim (medium-sized and small organizations are the most common target)

2.     Preparation of a spoofed email (to create a spoofed email, publicly available free services are used very often, e.g.: www.5ymail.com. This service allows the attacker to create and send any spoofed email which corresponds to an existing email. However, this service does not make it possible to receive answers and therefore it is necessary to redirect the email communication to another existing email, registered e.g. with a freemail service. The real identity can be found from the message source code.)

3.     Sending a spoofed email to an employee of the victim (the most frequent BEC attacks include CEO Fraud and Fake Invoice. Sums required in this way usually range from several hundred euros to € 4000.)

4.     Request for an immediate or “urgent” transfer of money to an account of the attacker or money mules [validation of the payment, as well as of the person who gives the command to make the payment, is the key moment when the completion of the criminal act can be prevented. If the organization has appropriately set up security protocols, such transfer usually does not take place. From the point of view of identification of the attacker, the attacker´s account, or the account of money mules, is the tool which makes it possible to determine in practice whether it is the case of continuation of a criminal act (i.e. from the point of view of substantive criminal law one criminal act) or whether it is a case of concurrence of criminal acts. At the same time, it is de facto the most significant digital footprint which allows identification of the attacker.]

5.     Money transfer to an account of the attacker or money mules