For decades, fraudsters have attempted to separate people from their hard-earned money by purporting to be an exiled member of a royal family. Historically, this was done via phone calls and letters to potential victims. Over the years, these “members” of the monarchy successfully exploited people's good will, and often their greed, to steal untold amounts of money.
Fast forward to the internet age, and these fraudsters have adapted their approach, using whatever technology is at hand to continue their reign of financial fraud. As email became ubiquitous, the “princes” started sending their pleas for financial help through online messages. As technology continued to grow and mature, the fraudsters changed tactics yet again and began using more sophisticated, and less obvious, methods to commit their financial crimes.
Long Live The Prince!
Business Email Compromise (BEC) Fraud Over the Years
Financial fraud resulting from a business email compromise has been around for years. Over time, the frequency of these attacks has increased significantly, and the methods of attack have become more sophisticated. Largely gone are the days of the exiled “prince” trying to get his money out of his home country; the fraudsters now use email and other technology as the primary medium for their fraud. Based on an analysis using Recorded Future, “wire transfer fraud” dates back at least to 2007, and it is reasonable to assume that these attacks were occurring before then.
According to the Internet Crime Complaint Center's (IC3's) 2022 Internet Crime Report, the number of complaints related to business email compromise rose steadily from 19,369 in 2020 to 21,832 in 2022. The adjusted loss due to BEC also rose, from $1.86 billion in 2020 to $2.74 billion in 2022.
In 2022, the IC3 also saw a slight increase in the targeting of victims' investment accounts instead of traditional bank accounts. Another increasingly prevalent BEC tactic is spoofing legitimate business phone numbers in order to “confirm” fraudulent banking details with victims. In one reported pattern, victims called a title company, realtor, etc., at a number they already knew, and only later discovered that the call had been intercepted because the number was spoofed.
Anatomy of a BEC
It is important to remember that most BEC threat actors are motivated by monetary gain. As a result, their efforts focus on how to leverage a compromised email account to perpetrate a financial fraud. With that in mind, let's explore what they are actually doing.
The attacker normally does not care about the compromised user's name but about the role and responsibilities they have in the company. Attackers look for someone in finance or accounting, a senior executive, or any other employee who can influence financial transactions. Once the attacker has access to a compromised account, they search the mailbox for finance-related terms, such as wire, payment, invoice, transfer, ACH and payable, to determine whether the compromised user has an exploitable role. If the user falls into one of those categories, the attacker will try to leverage that access to perpetrate a financial fraud. If not, the attacker will typically harvest the compromised user's contact list and use the mailbox to send further phishing or spam from a trusted address.
Once the attacker has a foothold in the account, they set up the items needed to launch the attack. While the exact steps vary with the type of fraud, in general the attacker inserts themselves into the middle of a conversation between the compromised user and someone else, whether internal or external. Let's take a look at a couple of examples:
Internal: The fraudster poses as a company executive and demands that some type of financial transaction (wire transfer, purchase of gift cards, etc.) be performed. There will usually be a sense of urgency and frequent threats against the employee if the transaction is not carried out in a timely manner.
External: The fraudster sets up a look-alike email address, often on a newly registered domain that is almost identical to the compromised user's, and hijacks an existing conversation with a customer or vendor. The attacker then requests changes to bank routing information or sends a fake “past due” invoice and demands immediate payment.
The question frequently arises, how did the attacker get into the environment? There are several main techniques that we see:
• Phishing email
• Social engineering
• Credential stuffing: logging in with a previously exposed set of credentials from one of the many well-publicized data breaches (LinkedIn, Yahoo, etc.) that the user has reused for their work account.
Then we will hear “What about multifactor authentication! We have that implemented; how could this happen?” Keep in mind that attackers are always working to circumvent the controls put in place to block their access. A few techniques are currently used to bypass MFA:
• Adversary-in-the-middle phishing: the phishing link points at a reverse proxy sitting between the user and the real login page. The user's password and MFA code are relayed to the legitimate service, and the attacker captures the resulting authenticated session cookie and replays it to take over the account without ever needing the second factor again.
• MFA fatigue (push bombing): having already obtained the password, the attacker triggers sign-in attempts over and over, relying on the user to get tired of the constant push notifications or text messages and eventually approve one of the requests.
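The second technique leaves a recognizable trail in sign-in logs: a burst of rejected or expired MFA prompts for one user, followed shortly by an approval. The following Python script is an added example, not code from the original article or from RSM, that runs that detection over a handful of constructed sign-in records. The record layout (user, time, ip, result) and the result labels are assumptions for the example; in a real Entra ID sign-in log a denied or expired prompt surfaces as error code 500121, and you would map that onto the rejected set.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window before an approval
MIN_REJECTED = 3                 # rejected/expired prompts that make an approval suspicious
# Constructed result labels for this example. In Entra ID sign-in logs a denied or
# expired MFA prompt appears as error code 500121.
REJECTED = {"mfa_denied", "mfa_timeout"}

# Constructed sample sign-in records (not real log data). Alice is being push-bombed
# and finally approves; Bob just let one prompt expire before approving.
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.com", "time": "2024-03-04T09:00:05+00:00", "ip": "203.0.113.7",   "result": "mfa_denied"},
    {"user": "alice@contoso.com", "time": "2024-03-04T09:01:10+00:00", "ip": "203.0.113.7",   "result": "mfa_timeout"},
    {"user": "alice@contoso.com", "time": "2024-03-04T09:02:30+00:00", "ip": "203.0.113.7",   "result": "mfa_denied"},
    {"user": "alice@contoso.com", "time": "2024-03-04T09:03:45+00:00", "ip": "203.0.113.7",   "result": "mfa_denied"},
    {"user": "alice@contoso.com", "time": "2024-03-04T09:04:50+00:00", "ip": "203.0.113.7",   "result": "mfa_approved"},
    {"user": "bob@contoso.com",   "time": "2024-03-04T10:15:00+00:00", "ip": "198.51.100.20", "result": "mfa_timeout"},
    {"user": "bob@contoso.com",   "time": "2024-03-04T10:16:00+00:00", "ip": "198.51.100.20", "result": "mfa_approved"},
    {"user": "alice@contoso.com", "time": "2024-03-04T13:00:00+00:00", "ip": "192.0.2.44",    "result": "mfa_approved"},
]


def detect_mfa_fatigue(signins, window=WINDOW, min_rejected=MIN_REJECTED):
    """Return one alert per MFA approval that was preceded, within `window`,
    by at least `min_rejected` rejected or expired prompts for the same user."""
    by_user = {}
    # ISO-8601 strings with a fixed offset sort chronologically as plain strings
    for ev in sorted(signins, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, events in by_user.items():
        for i, ev in enumerate(events):
            if ev["result"] != "mfa_approved":
                continue
            approved_at = datetime.fromisoformat(ev["time"])
            prior = [
                p for p in events[:i]
                if p["result"] in REJECTED
                and approved_at - datetime.fromisoformat(p["time"]) <= window
            ]
            if len(prior) >= min_rejected:
                alerts.append({
                    "user": user,
                    "approved_at": ev["time"],
                    "approval_ip": ev["ip"],
                    "rejected_prompts": len(prior),
                    "prompt_ips": sorted({p["ip"] for p in prior}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(f"{alert['user']}: {alert['rejected_prompts']} rejected prompts before "
              f"approval at {alert['approved_at']} from {alert['approval_ip']}")
```

Two practical notes. First, a rejected prompt means the password already worked, so even a burst of denials with no approval is a signal to reset the password and inspect the account. Second, the approval IP and the IPs that generated the prompts are both in the alert because, in a fatigue attack, they belong to the attacker, not to the user's usual device.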
Attackers will also take steps to obfuscate their activity within a compromised account by creating mailbox rules that move messages containing certain words (e.g., “hacked,” “password,” “phishing,” “virus,” “delivery failure,” and variations on the victim's name and domain) to a seldom-used folder, such as the RSS Feeds folder or Deleted Items, and mark them as read. This takes minimal effort but goes a long way toward hiding unauthorized activity from the mailbox owner, who never sees the bounce messages or security warnings that would otherwise reveal the compromise. Because rule creation is logged (in Microsoft 365, as New-InboxRule and Set-InboxRule audit records), it is also one of the most reliable places to detect a BEC early.
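The following Python script is an added example, not code from the original article or from RSM, showing how to triage those audit records for the hiding pattern just described. It reads New-InboxRule and Set-InboxRule records in the shape of Microsoft 365 Unified Audit Log entries (an Operation, the acting UserId, and a Parameters list of Name/Value pairs), flags rules whose conditions match security-alert words or the victim's own name and domain, and whose actions bury the message. The sample records, the exact spelling of the parameter values, and the keyword and folder lists are constructed assumptions for the example; tune them to what your own tenant logs.

```python
import re

# Words attackers filter on to hide security warnings and bounce notices (assumed list)
HIDE_TERMS = {"hack", "password", "phish", "virus", "malware", "delivery failure",
              "undeliverable", "suspicious", "fraud", "unauthorized", "compromise"}
# Folders users rarely open (assumed list)
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                "archive", "conversation history", "notes"}
LIST_SPLIT = re.compile(r"[;,]\s*")

# Constructed sample audit records (not real log data). The first and third are the
# attacker pattern; the second is an ordinary user rule; the fourth is unrelated.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "jane.doe@contoso.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "hacked;password;phishing;contoso.com"},
                    {"Name": "MoveToFolder", "Value": ":\\RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "jane.doe@contoso.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": ":\\Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "sam.lee@contoso.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "Cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "{delivery failure, undeliverable}"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-TransportRule", "UserId": "admin@contoso.com", "Parameters": []},
]


def parse_params(record):
    """Audit records list cmdlet parameters as [{"Name": ..., "Value": ...}, ...]."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def normalize_folder(value):
    # Folder parameters are logged like ":\Deleted Items"; drop the prefix and case
    return value.lstrip(":\\/").strip().lower()


def word_list(value):
    # Values arrive as "hacked;password" or "{hacked, password}" (assumed formats)
    return [w.strip("{}\"' ").lower() for w in LIST_SPLIT.split(value) if w.strip("{}\"' ")]


def victim_tokens(upn):
    """Pieces of the user's own name and their domain; attackers filter on these too."""
    local, _, domain = upn.lower().partition("@")
    tokens = {domain} if domain else set()
    tokens.update(t for t in re.split(r"[._-]", local) if len(t) > 2)
    return tokens


def assess_rule(record):
    """Classify one New-InboxRule / Set-InboxRule audit record."""
    op = record.get("Operation")
    if op not in ("New-InboxRule", "Set-InboxRule"):
        return {"suspicious": False, "user": record.get("UserId"), "rule": "", "reasons": []}
    p = parse_params(record)
    conditions, actions, oddities = [], [], []

    searched = []
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords", "FromAddressContainsWords"):
        searched += word_list(p.get(key, ""))
    hits = [w for w in searched if any(t in w for t in HIDE_TERMS)]
    if hits:
        conditions.append(f"filters on security-alert words {hits}")
    mine = victim_tokens(record.get("UserId", ""))
    self_hits = [w for w in searched if any(t in w for t in mine)]
    if self_hits:
        conditions.append(f"filters on the victim's own name/domain {self_hits}")

    folder = normalize_folder(p.get("MoveToFolder", ""))
    if folder in HIDE_FOLDERS:
        actions.append(f"moves mail to seldom-used folder '{folder}'")
    if p.get("DeleteMessage", "").lower() == "true":
        actions.append("deletes the message")
    if p.get("MarkAsRead", "").lower() == "true":
        actions.append("marks the message as read")
    # Attackers often give new rules a blank or single-character name
    if op == "New-InboxRule" and p.get("Name", "").strip(" .,") == "":
        oddities.append("rule name is blank or punctuation only")

    # Hiding needs both a trigger on alert-like mail and an action that buries it
    suspicious = bool(conditions) and bool(actions)
    return {"suspicious": suspicious, "user": record.get("UserId"),
            "rule": p.get("Name", p.get("Identity", "")),
            "reasons": conditions + actions + oddities}


def triage(records):
    """Return only the suspicious rules, those with the most indicators first."""
    flagged = [r for r in map(assess_rule, records) if r["suspicious"]]
    return sorted(flagged, key=lambda r: -len(r["reasons"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        print(f"{r['user']} rule {r['rule']!r}: " + "; ".join(r["reasons"]))
```

When a rule is flagged, pull the ClientIP and timestamp from the same record: the rule is usually created minutes after the first malicious login, so it pins down when the compromise started and which other accounts the same address touched.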
We are also seeing new trends once attackers have compromised a Microsoft 365 user account: the attacker no longer simply compromises the mailbox and moves on. Attackers are now leveraging their access within Microsoft 365 to:
• Access OneDrive and SharePoint to review and potentially exfiltrate data.
• Register applications in the Microsoft Azure environment that retain access to mailbox and file data and exfiltrate it, even after the user's password is changed.
• Leverage the organization's Azure domain and virtual machines to launch attacks against other targets.
So what can you do to protect your environment? The controls fall into a few categories:
Financial controls:
• Have good internal controls surrounding changes to ACH/wire transfer information, and never make a payment change without verifying it with the intended recipient.
• Implement spending approval thresholds to minimize the impact of any potential financial loss.
• Verify payments and purchase requests outside of email. This means direct phone calls to a known, previously verified number; never rely on phone numbers or other contact details sent in the email that made the request.
• Verify that the sender's actual email address, not just the display name, is correct, especially when checking mail on a cell phone or other mobile device, where the address is often hidden by default.
People and testing:
• Mandate that all employees receive security awareness training at least annually.
• Run regular phishing simulations.
• Provide targeted training on specific types of threats for those in a position to approve or change financial transactions.
• Conduct periodic penetration assessments that test both the IT security infrastructure and the social engineering prevention processes.
• Evaluate cybersecurity and privacy maturity against industry benchmarks to obtain a list of gaps for future remediation.
• Maintain awareness of potentially spoofed “typosquatting” domains that imitate your own or your key vendors' domains.
Response when fraud is detected:
• Contact the originating financial institution as soon as the fraud is recognized to request a recall or reversal, along with a hold harmless letter or letter of indemnity.
• File a detailed complaint with www.ic3.gov. It is vital that the complaint contain all required data in the provided fields, including the banking information used.
• Visit www.ic3.gov for updated announcements regarding BEC trends and other fraud schemes targeting specific populations (real estate, pre-paid cards, W-2, etc.).
For additional information about how RSM can help you prepare for these ongoing threats, please visit https://rsmus.com/services/risk-fraud-cybersecurity/cybersecurity-business-vulnerability.html.
Authored by Sean Renshaw (Sean.Renshaw@rsmus.com) and Lisa Bertrand (Lisa.Bertrand@rsmcanada.com)