Jul 25 2016

The BEC – Not Your Grandfather’s Phishing Scheme

The FBI has reported that cyber criminals are using new tactics to steal millions from US companies. The schemes target companies that do business overseas and use wire transfers on a regular basis. The scheme is called a Business Email Compromise (BEC). As the name implies, legitimate business emails are compromised through social engineering or direct cyber attack. This information is then used to make fraudulent wire transfers to banks, usually in China or Hong Kong, but always overseas.

At Layer 8 Security we’ve taken note of this form of attack for the last 18 months, but it’s on the rise, and critical to the point where the FBI felt the need to send an alert. So we wanted to pass the information along.

This is a highly targeted and sophisticated attack, not your Nigerian chest of gold or stranded relative scheme. Cyber criminals select their victims carefully; they identify specific individuals and understand the business protocols for wire transfers before starting the BEC scam. There are numerous ways their reconnaissance can occur, but open source data hunting and social engineering are favored. Spear phishing is thought to be part of the process, used to gather such information as corporate travel dates, chain of command and documents about corporate culture.

Three of the most common BEC schemes are:

  • Compromised executive email, CEO or CFO accounts: Cyber criminals target mid-level managers who can initiate a wire transfer, sending them a fraudulent request that appears to come from an executive. Oftentimes this occurs when the executive is on vacation and can’t be easily reached.
  • Compromised vendor email accounts: overseas vendors that receive payments through wire transfer. Cyber criminals send information using the vendor’s email indicating a new bank account is to be used for all wire transfers.
  • Compromised employee email: Cyber criminals steal the account of an employee able to send invoice payment requests. Here the fraudulent email asks vendors to send their payments to a new bank account.

Between December 2015 and March 2016 the FBI tracked over $75 million stolen from US companies using a BEC scam. Most of these scams used a compromised executive’s email to initiate the scheme.

For a more comprehensive description of BEC schemes and additional BEC loss statistics, see Public Service Announcement (PSA) I-061416-PSA on www.ic3.gov.

Businesses need to protect themselves. Here are some steps to defend against a BEC attack:

  • Scrutinize all requests for wire transfers
  • Confirm wire transfer instructions with requester through alternate approved means: cell phone, land line, alternate email account.
  • Require multiple approval authorities
  • Question any deviation from regular business practice
  • Be suspicious of requests for secrecy and immediate action
  • Scrutinize emails for accuracy: investigate username and hostname in sender’s email
  • Create intrusion detection system rules that flag emails with extensions that are similar to company email extensions
  • Register all company domains that are slightly different than the actual company domain
  • Use discretion when posting to social media and company web sites

If a company has become a victim of a BEC scam it is imperative to act quickly. Here are some steps to take to mitigate the disaster:

  • Contact your financial institution immediately
  • Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent
  • Contact your local FBI office. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network (FinCEN), might be able to help return or freeze the funds
  • File a complaint, regardless of dollar loss, with www.bec.ic3.gov.

Cyber criminals are always evolving their attacks. This scheme is similar to a scam run against overseas banks using compromised SWIFT codes to initiate fraudulent wire transfers.


US businesses need to be on guard against cyber attacks. They need to properly educate employees in cybersecurity, and at the same time assess their company’s cyber risk.

If you are interested in learning more about phishing, cyber crimes, cybersecurity and how to create a resilient business, please contact us at: contact@layer8cybersecurity.com