Are you at risk from business email compromise?

Rick Holland
June 6, 2016 | 3 Min Read

Business email compromises (BEC) are on the rise. When I was at Forrester Research, I typically didn’t go more than one month without consulting with organizations that had fallen prey to the attack. In an August 2015 alert, the FBI defined the BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

The FBI’s alert revealed that from October 2013 to August 2015 alone, international law enforcement agencies reported BEC losses in excess of a staggering $1.2 billion. See figure 1.

[Figure 1: BEC statistics]

In late May, the seventeen-year CEO of Austrian aircraft parts manufacturer FACC was fired after a BEC attack resulted in the loss of ~€50 million. His termination followed the CFO’s exit, which occurred in February. The attack was first revealed in FACC’s Interim Report Q3 2015/2016. See figure 2.

[Figure 2: Disclosure]

In FACC’s recently released annual report, interim CEO Robert Machtlinger wrote “in January 2016, the ‘Fake President Incident’ affair became public, to which FACC fell victim over Christmas and suddenly the world looked different for us.”  FACC’s BEC was significant; the company’s 2015 profits were erased as a result of the fraud.

The specifics of FACC’s BEC incident aren’t public, so I won’t speculate as to how the social engineering efforts occurred. We do know that in other BECs travel has been involved. The FBI provided the following example, where an accountant received an email from her CEO, who was on vacation out of the country, requesting a transfer of funds. See figure 3.

[Figure 3: Request from CEO]

There are many questions to ask when it comes to preventing, detecting and responding to BECs. One that stands out in my mind is: how vulnerable are your executives? How likely are they to be targeted? What public information is available that could be used to fuel a social engineering attack against your company?

A combination of people, process and technology is required to mitigate the BEC. I suggest you consider the following actions:

  • Update your security awareness training content to include the BEC scenario.  This should be included in new hire training, but you should conduct ad hoc training for this scenario now.
  • Just as you have built ransomware and destructive malware (think Saudi Aramco or Sony Pictures) into your incident response/business continuity planning; you need to build BEC into your contingency plans.
  • Conduct ongoing assessments of your executives’ digital footprints. You can start by using Google Alerts to track new web content related to them.
  • Work with your wire transfer application vendors to build in multiple person authorizations to approve significant wire transfers. You are looking for your Crimson Tide scenario; you need both Denzel Washington AND Gene Hackman to approve wires for more than x amount of dollars.
  • Formalize an Operations Security (OPSEC) program. You can download our latest white paper to learn about the five steps you can take to mature your OPSEC capabilities.
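The multiple-person authorization control from the list above, written out as an added example (not code from Digital Shadows or any wire transfer vendor): wires above a threshold need two distinct approvers, the requester can never approve their own wire, and the release decision is a pure function of the recorded approvals. The threshold value is a hypothetical stand-in for the "x amount of dollars" the post leaves open.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Hypothetical dual-control threshold; the post leaves the amount to the organization.
DUAL_CONTROL_THRESHOLD = Decimal("10000")


@dataclass
class WireRequest:
    """A pending wire transfer and the approvals recorded against it."""
    request_id: str
    requester: str          # the person who keyed in the wire (e.g. the accountant)
    amount: Decimal
    beneficiary: str
    approvals: set = field(default_factory=set)


def required_approvals(req: WireRequest) -> int:
    """Two distinct approvers above the threshold, one at or below it."""
    return 2 if req.amount > DUAL_CONTROL_THRESHOLD else 1


def approve(req: WireRequest, approver: str) -> int:
    """Record one approval and return the running count.

    Separation of duties: the requester cannot approve their own wire, and the
    same person cannot be counted twice, so a single compromised mailbox or a
    single coerced employee cannot satisfy dual control on their own.
    """
    if approver == req.requester:
        raise PermissionError("requester cannot approve their own wire")
    if approver in req.approvals:
        raise PermissionError("the same approver cannot be counted twice")
    req.approvals.add(approver)
    return len(req.approvals)


def release_allowed(req: WireRequest) -> bool:
    """True only when enough distinct, non-requester approvals are on record."""
    return len(req.approvals) >= required_approvals(req)


if __name__ == "__main__":
    # Constructed sample: a large wire keyed in by the accountant.
    wire = WireRequest("W-0001", "accountant", Decimal("50000"), "New Supplier Ltd")
    approve(wire, "ceo")
    print("releasable after one approval:", release_allowed(wire))   # False
    approve(wire, "cfo")
    print("releasable after two approvals:", release_allowed(wire))  # True
```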
