Founder, Privacy PC

Author Bio ▼

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.
October 31, 2019


Lithium-Ion batteries. A guide to the fire risk that isn’t going away but can be managed

business email compromise

The growing threat of business email compromise (BEC) Attacks

Whereas regular users might think of BEC as just another acronym in their vocabulary, the concept behind it is shaping up to be a real disaster for numerous companies and security professionals around the world.

It stands for “business email compromise,” a stratagem that aims to defraud enterprises of money through a peculiar form of social engineering. The operators of such campaigns impersonate a trusted person from within or outside of an organization and attempt to dupe the employees into wiring funds to third-party bank accounts.

These email-borne scams are growing at a hugely disconcerting rate. According to a report by Proofpoint, BEC attacks saw a whopping 476% increase between Q4 2017 and Q4 2018.

The FBI says businesses lost more than $1.2 billion over this type of email fraud last year. Obviously, the statistics look scary, and the numbers continue to soar. What makes these dirty schemes so effective, and why is the issue escalating so rapidly? Let’s try to get the big picture by taking a deeper dive into this phenomenon.

What is BEC and its methods?

Although business email compromise (also referred to as “whaling”) lacks the sophistication inherent to most cyber-attacks, it may yield better results for the crooks due to its human-centric gist. People’s trust can be easier to exploit than software vulnerabilities, and the malefactors prefer to grab the low-hanging fruit.

Every BEC fraud starts with an email. The attacker usually tries to pass himself off as the targeted company’s CEO or another top-level executive who has sufficient authority to instruct employees from the Finance department to wire money to a specific account. In some cases, the impostor may impersonate a VIP customer or vendor the firm has an established business relationship with, sending a phony invoice in an attempt to get paid.

Both scenarios rely on preliminary reconnaissance tasked with harvesting details on the hierarchy of roles within the organization, wire transfer approval procedures, peculiarities of regular cross-functional communication, and the interaction with external parties, such as partners and clients. This information helps the criminals orchestrate their BEC campaigns without raising red flags.

A critical entry on the attacker’s to-do list is to make sure the phishing message looks as trustworthy as possible. One of the common methods of achieving this goal is what’s called email spoofing, where the sender fabricates the email header to make it look like the message comes from someone the recipient trusts. A telltale sign of this ploy is that the email addresses in the “From” and “Reply-to” fields won’t match.

In some cases, the phishers will use a faux “From” domain that closely resembles the original one. For instance, they may register a domain whose name contains a deliberate typo, misspelling, an extra dash, or “0” (zero) instead of “O.” An ever-busy accountant may overlook these inaccuracies and fall for the “urgent wire transfer” hoax.

Recent cases

Many BEC incidents don’t get publicity because the affected companies try to avoid reputational risks. Sometimes, though, the scammed entities report the attacks to law enforcement and spread the word about the issue. Below is a round-up of several large-scale phishing heists from this category that hit the headlines this year.

Portland Public Schools wired $2.9 million to fraudsters

A con artist was able to fool the employees at Portland Public Schools, the largest school district in Oregon, into sending $2.9 million to a rogue bank account. The incident reportedly took place in mid-August 2019. The perpetrator posed as a representative of a construction firm the district cooperates with.

The wire transfer was authorized by two staff members who are now on paid administrative leave. However, the investigation revealed that the BEC scam had been conducted from outside sources, and the employees aren’t under suspicion.

The good news is, all the funds were still at the receiving party’s bank account when the hoax was unearthed, and the district is in the process of recovering them. The educational entity is currently reviewing all its payment procedures and organizing mandatory phishing awareness training for the finance personnel.

The city of Griffin lost $800,000

The City of Griffin, Georgia, fell victim to a defiant BEC scam in late June 2019, with the losses totaling at roughly $800,000. The malicious actors succeeded in persuading a Finance Department official to give the green light on two separate wire transfers that ended up in the crooks’ hands.

The catch was that the phishing email was competently disguised as a message from a firm the city uses for water treatment facilities. The fraud was accompanied by a seemingly regular request to update the vendor’s bank account information. The city’s administration became aware of the hoax after the genuine contractor reached out to them, asking where their payment was.

According to the investigators’ findings, the criminals had most likely hacked the vendor’s IT system. The invoices looked authentic, and the thieves knew the accurate cost of the ongoing project. Unlike the Portland Public Schools incident described above, the City of Griffin has a very faint chance of returning the pilfered money.

Church parish defrauded of $1.75 million

St. Ambrose Catholic Parish in Brunswick, Ohio, lost a whopping $1.75 million in a phishing attack perpetrated in April 2019. The miscreants hoodwinked the staff into believing that a construction company working on a church repair and restoration project had switched to another bank. As a result, a scheduled portion of the funds was wired to the wrong account owned by the malefactors.

The investigation showed that the offenders had hacked email accounts of two employees and used this unauthorized access to manipulate the parish by means of credible-looking messages. The church has since filed insurance claims in an attempt to get partial compensation for the stolen money and address the obligation to the contractor.

Crooks get caught

Fortunately, these frauds don’t always end well for the felons. In June 2019, a resident of the Bronx named Muftau Adamu got a 51-month jail sentence for illegally obtaining more than $10 million via BEC and romance scams. Assisted by four co-conspirators, the man created a criminal enterprise based in the Republic of Ghana. The group used phishing emails to steal millions of dollars from businesses and elderly individuals across the United States between 2014 and 2018.

The money was laundered through multiple bank accounts, some of which were opened using bogus identities. U.S. law enforcement agencies were able to trace some of the fraudulent payments back to the gang and arrest its members. Besides the jail term, the ringleader was ordered to pay restitution of $443,000 to the victims. The accomplices got similar sentences.

Another scammer, a Nigerian man named Onyekachi Emmanuel Opara, is behind bars for attempting to steal $25 million through BEC attacks. He was sentenced to 50 months in jail and ordered to pay $2.54 million in restitution for his unlawful deeds. Opara reportedly zeroed in on thousands of businesses in multiple countries, including the United States, United Kingdom, Singapore, New Zealand, Australia, Sweden, and Switzerland between 2014 and 2016.

The criminal sent deceptive emails disguised as wire transfer requests from contractors or supervisors at the targeted organizations. His fellow conspirator, who pled guilty to one instance of wire fraud and identity theft, will have to serve a 41-month jail sentence and pay restitution of $1.4 million.

To throw the police off their trail, Opara created a fake profile of an attractive woman on a dating site. He leveraged this online persona to dupe the admirers into accepting his ill-gotten money and then transferring it to bank accounts overseas. Obviously, his OPSEC (operations security) didn’t work flawlessly as he was apprehended in Johannesburg, South Africa, and extradited to the U.S. in 2018.

The bottom line

The funds acquired in BEC schemes don’t always travel through traceable accounts, though. Even if they do, they hardly ever stay there for a long time. It means that in many cases, it’s impossible to recover the money and chase down the perpetrators. That being said, it’s of paramount importance for enterprises to make sure their employees know how to identify social engineering scams and what to do if a potential BEC message ends up in their inbox.

Minimal security measures include robust spam filtering, email authentication technologies like DKIM and SPF, VPN services. Besides, it is good to double-check all money transfers and monitor what information about your organization’s internal procedures is available online.

Download: The Smart Door Locks Report

Do you know how ready the security market is for smart door locks? Covering the drivers for adoption – as well as potential barriers and how to overcome them – this free, exclusive report brings you the latest on the smart door lock market and how you can adapt to this rapidly changing landscape.

Related Topics

Notify of
Inline Feedbacks
View all comments