Business email compromise scams still happening, still successful

Despite repeated warnings issued by law enforcement, information sharing organizations, and security companies, Business Email Compromise (BEC) scams still abound and the scammers still “earn” money.

“BEC attackers target senior-level employees rather than consumers as it’s easier to scam them out of large amounts. In one incident, we observed the scammers asking the target to transfer over US$370,000. By requesting large amounts of money, the scammers only need to be successful a couple of times to make a profit,” Symantec researchers explained.

“The FBI estimates that the amount lost to BEC between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”

C-level employees, especially CEOs and CFOs, have to be aware of the various techniques the scammers are using to trick them into transferring money.

More often than not, CFOs are the ones who receive the fake emails requesting the action. Usually, the email looks like it’s coming from the CEO – either because the sender address was spoofed, because it closely resembles the legitimate one, or because the attackers first compromised the CEO’s email account and sent the message from there.

The scammers know whom to target: the names and email addresses of executives can often be found on the company website or on LinkedIn.

Sometimes the emails will be short and simple (“I need you to initiate a wire transfer for the company, confirm if you can process it today so i can forward you the instructions”, signed with the name of the CEO), sometimes lengthier, as in the following screenshot:

[Screenshot: a lengthier BEC email purporting to come from the CEO]
The email will often claim that the CEO is traveling or in a meeting, so that the recipient won’t try to call to verify the request. Sometimes, as in the email above, the scammers will try to trick the CFO into not discussing the email with anyone else. The scammers will also often make it look as if the email was sent from a phone or iPad, so that the recipient does not become suspicious of the poor English used in the message.
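A mailbox-side triage check for the indicators just described, added here as an example and not taken from the article or from Symantec’s research: it flags messages where an executive’s display name is paired with a sender address that is not their real mailbox or sits on a look-alike domain, and where the body carries the wire-transfer, “I’m unreachable”, secrecy and sent-from-a-device cues. The company domain, executive list and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the defending organisation (assumptions, not from the article)
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox

# Body cues matching the BEC traits described above
PHRASES = {
    "wire transfer request": r"wire transfer|initiate a (?:payment|transfer)",
    "claims to be unreachable": r"in a meeting|travell?ing|out of (?:the )?office",
    "asks for secrecy": r"do not\s+(?:discuss|mention)|keep (?:this|it) (?:confidential|between us)",
    "sent-from-device excuse": r"sent from my (?:iphone|ipad|phone)",
}

def lookalike(domain: str, target: str) -> bool:
    """True when domain is within one edit of target (e.g. examp1e.com vs example.com)."""
    if domain == target or abs(len(domain) - len(target)) > 1:
        return False
    a, b = (domain, target) if len(domain) <= len(target) else (target, domain)
    for k in range(len(a)):
        if a[k] != b[k]:  # substitution if equal length, else one extra char in b
            return a[k + 1:] == b[k + 1:] if len(a) == len(b) else a[k:] == b[k + 1:]
    return True  # a is a prefix of b, differing by one trailing character

def triage(raw: str) -> dict:
    """Score one plain-text message; returns the hit count and the reasons found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"executive display name but sender is {addr}")
    if lookalike(domain, COMPANY_DOMAIN):
        reasons.append("look-alike sender domain")
    body = msg.get_payload().lower()  # assumes a single-part text/plain message
    reasons += [label for label, pat in PHRASES.items() if re.search(pat, body)]
    return {"score": len(reasons), "reasons": reasons}

# Constructed sample modelled on the message quoted in the article
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Subject: Urgent

I am in a meeting all day. I need you to initiate a wire transfer for the company,
confirm if you can process it today so i can forward you the instructions.
Do not discuss this with anyone else.
Sent from my iPad"""
```

A message sent from a genuinely compromised executive account produces no header hits at all, so the body cues alone must be enough to route it for out-of-band verification.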

“User education is the most effective means of protecting companies against BEC scam,” the researchers pointed out, and added that using two-factor authentication for initiating wire transfers is also a good way to prevent the scammers from succeeding.