Business Email Compromise (BEC) continues to be one of the easiest ways for sharks to defraud fish out of tens of thousands of dollars. Spotlighting Barbara Corcoran, real estate mogul and Shark Tank judge, we see very publicly the simplicity and effectiveness of these attacks. Anyone paying just a bit of attention will recognize the highly successful businesswoman and expect that operating at her level requires a team of trusted individuals to help her run efficiently. By doing a bit of reconnaissance and research, an attacker determined that Barbara relied heavily upon her assistant Emily. A bit of deeper research revealed that Barbara's bookkeeper was Christine, who ultimately had the ability to wire funds. Using additional public data related to a development project in Germany that Barbara was a part of, along with legitimate company names associated with the project, the attacker had enough information to form a believable story to start the BEC. By registering a domain that was very similar to the one Emily used, the attacker created an invoice for $388,700.11 and an email that appeared to send the invoice to Emily, which the attacker then forwarded to Christine from the fake Emily account for payment. When Christine replied by email asking which project this related to and which account to apply it to, the attacker quickly referenced the development project in Germany along with the real company name associated with it. As everything appeared to be as expected, the invoice was paid via a wire transfer and the BEC was successful.
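The pivot in the story above is a registered domain that differs from the assistant's real domain by only a character or two. One control a finance team can automate is screening the From and Reply-To domains of any message carrying an invoice against a short list of domains it actually transacts with and escalating near-matches for a call-back. The following is an added example, not code from the original article or from UHY; the trusted-domain list, the sample headers, and the homoglyph table are all constructed for illustration, and the registrable-label logic treats the last label as the public suffix, which is a simplification of what a production filter would do with the Public Suffix List.

```python
"""Flag invoice e-mails whose sender or reply-to domain is a near-match of a trusted domain.

Added example; trusted domains, sample headers and the homoglyph table are constructed.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed: domains this finance team legitimately exchanges invoices with.
TRUSTED_DOMAINS = {"assistant-example.com", "corcoran-example.com"}

# Character sequences commonly substituted in lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Labels within this many single-character edits of a trusted label are treated as lookalikes.
MAX_EDIT_DISTANCE = 2


def normalize(label: str) -> str:
    """Lower-case a domain label and fold common character substitutions."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable_label(domain: str) -> str:
    """Return the label left of the suffix, e.g. 'corcoran-example' for 'corcoran-example.com'.

    Simplification: the last label is assumed to be the public suffix.
    """
    return domain.lower().rstrip(".").rsplit(".", 1)[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    label = normalize(registrable_label(domain))
    for trusted in sorted(TRUSTED_DOMAINS):
        trusted_label = normalize(registrable_label(trusted))
        # Same label under a different suffix, a homoglyph swap, or a one/two-character edit.
        if label == trusted_label or edit_distance(label, trusted_label) <= MAX_EDIT_DISTANCE:
            return "lookalike", trusted
    return "unknown", None


@dataclass
class Verdict:
    header: str            # which header the address came from
    address: str
    status: str            # trusted, lookalike or unknown
    matched: Optional[str] # the trusted domain being imitated, if any


def screen_message(headers: dict) -> list:
    """Classify the domain in each of the From and Reply-To headers that are present."""
    verdicts = []
    for name in ("From", "Reply-To"):
        value = headers.get(name)
        if not value:
            continue
        _, addr = parseaddr(value)
        domain = addr.rpartition("@")[2]
        status, matched = classify_domain(domain)
        verdicts.append(Verdict(name, addr, status, matched))
    return verdicts


def needs_review(headers: dict) -> bool:
    """True when any sender or reply-to domain imitates a trusted one: hold payment and call back."""
    return any(v.status == "lookalike" for v in screen_message(headers))


# Constructed sample headers: a genuine message, three lookalikes, and an unrelated sender.
SAMPLE_MESSAGES = [
    {"From": "Emily <emily@assistant-example.com>"},
    {"From": "Emily <emily@assistant-exarnple.com>"},                    # rn in place of m
    {"From": "Accounts Payable <ap@corcoran-examp1e.com>"},              # digit 1 in place of l
    {"From": "Emily <emily@assistant-example.com>",
     "Reply-To": "emily@assistant-example.co"},                          # reply-to on a different suffix
    {"From": "Billing <billing@unrelated-vendor.net>"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for v in screen_message(msg):
            print(f"{v.header:8} {v.address:40} {v.status:9} {v.matched or ''}")
        print("  -> hold for call-back" if needs_review(msg) else "  -> no lookalike detected")
```

Only the lookalike verdict is meant to block anything; an unknown domain is simply a new vendor and belongs in whatever onboarding process the team already runs. The fourth sample is the case worth noting: the From address is genuine, but the Reply-To steers the conversation to a near-match domain, which is why both headers are screened rather than the visible sender alone.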
Thankfully, in this case the transfer was frozen by the German transferring bank before it was deposited in the attacker's account in China. Because the fraud was noticed and the banks were alerted quickly, and thanks to a vigilant fraud department at the bank, all of the funds were returned to Barbara. In most cases, the outcome is not so positive. In the recently released FBI 2019 Internet Crime Report (https://pdf.ic3.gov/2019_IC3Report.pdf), BEC crimes were by far the most damaging and effective type of cybercrime. 23,775 victims (who reported) accounted for $1.77 Billion in losses, which averages out to $75,000 per complaint. Compared with the average phishing compromise of $500/complaint or $4,400/complaint for ransomware, it is evident that BEC is a lucrative crime business. According to the FBI, the last calendar year saw both the highest number of complaints and the highest dollar losses reported since the center was established in May 2000.
At UHY, we expect high rates of BEC and ransomware to continue this year and likely rise. These attacks require only a bit of online research, very little to no technical skill or cost to initiate, and are highly effective. Criminals will continue to pursue the exploits that are easiest and most profitable to accomplish, which are currently BEC and ransomware.
What are the best practices for us fish to stay safe? As with most attacks, a layered defense approach will work best. There are no perfect solutions, and vigilance and human intuition can be the best defense. Checking bank statements every day and performing a face-to-face or, at a minimum, a voice call to an approver before any significant wire transfer takes place are two significant controls to consider. Email and texting are not safe methods of authorizing or approving transfers. Often, if you can catch the transaction within 48 hours, you have a much greater chance of recovering fraudulent transfers. Additionally, the FBI recommends the following:
Further, the FBI's Internet Crime Report listed the following recommendations:
Review and share these news stories and Internet Crime reports with your employees to continue awareness and vigilance. The sharks are always circling, and we need to stay aware.