Business Email Compromise is a sophisticated scam targeting businesses that work with foreign suppliers and/or regularly perform wire transfer payments. The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed. Asian banks located in China and Hong Kong are the most commonly reported destination for these fraudulent transfers; however, bank accounts located across the globe are being actively exchanged on criminal forums.
The prevalence of Business Email Compromise is increasing globally, and most scams are conceived and carried out by experienced groups of criminals located outside of the United States. Business Email Compromise is executed in a technical or non-technical fashion, and may be as simple as spoofing an organization's email address to pose as a senior executive sending a request for funds to be transferred to an external entity. The scam generally coincides with key personnel being absent from the office, and it targets lower- or mid-level management of an organization.
The criminals are successful not only in scamming organizations into transferring funds to their overseas bank accounts, but also in withdrawing the funds. Funds are generally withdrawn by the criminals before victim organizations are aware that they have fallen victim to fraud. Additionally, in many instances, funds are dispersed among various overseas accounts to mask the identity of the perpetrators and to make it increasingly difficult for the funds to be
Global bank accounts are exchanged on dark web criminal forums, likely set up solely to funnel money via fraudulent wires. Recipients of these accounts are not aware of where the funds are coming from or who supplied the account.
The example below is an exchange on a dark web criminal
In previous cases, review of the headers of emails used to perpetrate a spoof showed that they were routed through overseas mail servers, making the originating Internet Protocol (IP) addresses difficult to trace. Time stamps in the header information of the emails suggest that the emails primarily originate from Western Europe, Eastern Europe, Western Russia or the Middle East. However, there is no corroborating information for this theory, so it does not establish that attacks originate in those regions.
Implement or update the Sender Policy Framework (SPF) record. SPF allows domain owners to publish a list of IP addresses that are authorized to send email on their behalf. An adequately maintained SPF record makes it difficult for malicious senders to disguise their identity, reducing the amount of spam and fraud. Use of DomainKeys or DKIM is also a protective measure that works to make email forging
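To show how the SPF list described above is actually used, the following added example (not from the original advisory) evaluates a published SPF record against the IP address of the connecting mail server, the way a receiving mail server does before deciding whether a message claiming to be from the domain is authorized. The record and addresses are constructed from documentation ranges, and only the ip4, ip6 and all mechanisms are evaluated, since include:, a, mx and redirect= require DNS lookups.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example record for a hypothetical domain (documentation
# address ranges only); it is not taken from any real DNS zone.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 -all"

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Only ip4, ip6 and all are handled here: include:, a, mx and redirect=
    need DNS lookups, so they raise rather than being silently skipped.
    """
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # no prefix means '+', i.e. pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech not in ("ip4", "ip6", "all"):
            raise NotImplementedError(f"{mech!r} needs DNS; not evaluated offline")
        terms.append((qualifier, mech, arg or None))
    return terms


def check_spf(record: str, sender_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail' or 'neutral' for sender_ip under record.

    The first matching mechanism decides; no match defaults to 'neutral'.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        # ip4 terms apply only to IPv4 senders, ip6 terms only to IPv6 ones.
        if (mech == "ip4") != (ip.version == 4):
            continue
        # A bare address without a prefix length is a /32 or /128 network.
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"
```

A record that ends in `-all` is what turns a spoofed sender IP into a hard fail; a record with no `all` term leaves unlisted senders at `neutral`, which most receivers treat as no protection at all.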
Security awareness training should be delivered bi-annually at a minimum to all employees, contractors, and partners. All industries share one principal digital security threat: the malicious or ignorant insider. Professional hackers do not target the system; they target the person.
Do not send "out-of-office" auto-reply emails to external domains. Scammers looking to exploit organizations with a Business Email Compromise will often send emails to specific personnel and business units specifically to elicit out-of-office replies. The malicious actors will then spoof the email of the individual who is away, further establishing legitimacy in the scam.
Assess the media footprint of your organization and employees, and conduct penetration testing of networks and facilities to determine vulnerabilities. Then heed
Use digital signatures in email communication. Similar in concept to hand-written signatures, digital signatures offer additional security through encryption. A digital signature is a hash of the message encrypted with the sender's private key, and it assures the recipient of the authenticity, integrity and non-repudiation of the message.
Do not conduct
official business with personal email addresses. Webmail services such as
Gmail, Hotmail, and Yahoo mail are easily exploited and spoofed. A malicious
actor could easily infiltrate personal email to obtain corporate proprietary
data, as well as key personal information to assist in perpetrating fraud.
Additionally, if personal devices are authorized for business use, ensure that
comprehensive mobile device management (MDM) procedures are in place.
The listed defensive measures will provide added protection against Business Email Compromise, but criminals continue to craft more sophisticated scams in an effort to bypass organizational controls. Ensure that your organization has a battle-tested incident response plan and business continuity guidelines in place before it becomes a victim of a Business Email Compromise.