Business email compromise (BEC) scams are a burgeoning threat for organizations and, despite rising awareness, new victims are cropping up daily.
BEC scammers don’t care what business their potential targets are in: all they care about is that the targets have money that can be stolen – preferably lots of it – and vulnerabilities that can be exploited to pull off the heist.
Four major BEC fraud techniques
“The most common misconception about BEC scams is that the threat is limited to direct attacks on your own email environment, and that controls and controls training should focus only on direct attacks,” Danny Thompson, SVP of market and product strategy at APEX Analytix, told Help Net Security.
“Supplier email environments will get compromised and bad actors will divert supplier payments to their accounts. That makes your supplier’s BEC problem your BEC problem.”
Cybercriminals have become increasingly sophisticated in their methods of carrying out BEC, he says, but four major techniques are generally at play: supplier spoofing, executive spoofing, credential harvesting, and exploitation of group user IDs or email addresses.
Supplier spoofing occurs when fraudulent bank accounts are included on emailed invoices or contained in emailed bank account change requests that appear to be from a company’s supplier. Executive spoofing involves a fraudulent bank account change contained in an urgent change request from (ostensibly) the paying company’s CEO.
These requests usually come from email addresses that are, at first glance, indistinguishable from legitimate ones. The latter are also likely to occur on the day before a major holiday, when the more experienced vendor master maintenance teams or supervisors are away from the office, leaving inexperienced staff with the choice of executing the request or defying the CEO.
Next: Attackers that have managed to gain access to a supplier’s emails and have harvested credentials for their accounts on customer websites and supplier portals can enter fraudulent bank account changes directly into the accounts.
“Credential harvesting is of particular risk because many supplier information management portals lack sophisticated login controls such as multi-factor authentication,” Thompson noted, and said that these well-informed fraud attempts often slip through normal accounts payable (AP) controls because of the credibility of information included in the requests.
Finally: Some companies use a generic email address to communicate with their customers – whether by email or as a login ID for their supplier information management portal.
“Disgruntled employees on their way out or soon after departure retain access to these credentials and can submit a bank account change request to their personal accounts. In these cases, everything about the request comes from a legitimate channel, making it much harder to identify and prevent,” he explained.
BEC fraud by insiders
Working at a provider of supplier portal software and AP recovery audit services, Thompson is the right person to ask about whether BEC fraud is sometimes initiated or facilitated by an insider.
“We have seen several instances of BEC fraud where the timing of the attack certainly suggested an insider was involved. These are cases where the fraudulent bank account change request coincided with the day an unusually large payment was due. This often occurs when key members of the controls process are out of the office, typically just before a long holiday break,” he shared.
“The suspects in these scenarios are: insiders in the supplying organization, third parties who have gained access to the accounts receivable (AR) or accounts payable records (either through the supplier’s or the buyer’s systems) or insiders in the buying or supplying organization. Over the years, we have found enough cases of insider fraud or insider/outsider conspiracies to conclude that insiders are very likely involved in BEC fraud.”
While employees in procurement, AP, treasury and vendor maintenance and their counterparts in billing and AR should definitely receive regular training on scams, he says that some training should be limited to those specifically responsible for bank account change controls.
“The reason to limit some training is the risk of insider fraud. According to the Association of Certified Fraud Examiners, the majority of occupational fraud incidents originate in accounting. Of course, the more one knows about the control environment, the more likely one is to find a way around those controls. So, it is important that some controls remain a mystery to the broader procure-to-pay and order-to-cash population.”
Tackling the BEC problem
When the BEC problem started gaining prominence years ago, it caught a lot of organizations by surprise.
New technology such as deepfake video, and especially deepfake audio, has already been used by scammers and is sure to be used more, invalidating traditional best-practice controls for bank account change requests such as a call-back to the supplier contact on record.
He expects more and more companies to refuse to accept bank account change requests through traditional channels (invoice, mail, phone, fax or email) and to only accept bank account changes through secure portals.
This will be followed by a rise in the compromise of supplier login credentials wherever the supplier portal software provider has failed to implement controls that match the threat, including multi-factor authentication, whitelisting/blacklisting (of email domains, IP addresses and suspicious banks), and user behavior pattern tracking to identify suspicious activity.
“My advice for the CISO of any large organization is to implement new controls that have become available, ones that are less dependent on humans, to prevent this type of BEC fraud,” he noted.
“These controls include everything from online behavior pattern tracking to actual bank account ownership validation, where bank account change requests are validated in real time against the banking system to confirm that the owner of the payee bank account is the supplier. This validation process will ideally be integrated directly into the bank account change request and approval process, as the ultimate check to prevent payment fraud.”
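As an added illustration (not code from the article, APEX Analytix or any real product), the screen below encodes the warning signs described above as indicators on an incoming bank account change request: a lookalike sender domain, an unauthenticated channel, holiday-eve timing, coincidence with an unusually large payment, an absent approver and a shared supplier login. The holidays, vendor master record and sample requests are constructed, and the ownership-validation step it holds for is assumed to be an external service.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed reference data (hypothetical): company holidays and the vendor master.
HOLIDAYS = {date(2024, 12, 25), date(2024, 7, 4)}
VENDOR_MASTER = {"V100": {"domain": "acme-supplies.com", "shared_mailbox": False}}

@dataclass
class ChangeRequest:
    vendor_id: str
    sender_domain: str          # domain of the address that sent the request
    channel: str                # "email", "phone", "fax" or "portal_mfa"
    received: date
    largest_payment_due: float  # largest open payable to this vendor
    days_until_due: int
    approver_on_leave: bool     # is the experienced approver out of the office?

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(req: ChangeRequest, typical_payment: float) -> dict:
    """Raise the indicators the article describes and decide whether to hold the change."""
    record = VENDOR_MASTER[req.vendor_id]
    flags = []
    if req.sender_domain != record["domain"]:
        lookalike = edit_distance(req.sender_domain, record["domain"]) <= 2
        flags.append("lookalike_sender_domain" if lookalike else "unknown_sender_domain")
    if req.channel != "portal_mfa":      # invoice, mail, phone, fax or email
        flags.append("unauthenticated_channel")
    if req.received + timedelta(days=1) in HOLIDAYS:
        flags.append("holiday_eve_timing")
    if req.largest_payment_due >= 3 * typical_payment and req.days_until_due <= 7:
        flags.append("coincides_with_large_payment")
    if req.approver_on_leave:
        flags.append("key_approver_absent")
    if record["shared_mailbox"]:         # generic login shared by supplier staff
        flags.append("generic_supplier_login")
    # Any indicator holds the change for bank account ownership validation (assumed external service).
    return {"flags": flags, "hold": bool(flags)}
# Constructed samples: an email from a one-letter-off domain on Christmas Eve, and a clean portal change.
SUSPECT = ChangeRequest("V100", "acme-supplles.com", "email", date(2024, 12, 24), 480000.0, 3, True)
CLEAN = ChangeRequest("V100", "acme-supplies.com", "portal_mfa", date(2024, 3, 5), 30000.0, 20, False)
```

The held request is released only after the payee account's ownership has been confirmed through a channel the requester does not control.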