Business email compromises (BEC) are on the rise. When I was at Forrester Research, I typically didn’t go more than one month without consulting with organizations that had fallen prey to the attack. In an August 2015 alert, the FBI defined the BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
The FBI’s alert revealed that from just October 2013 – August 2015, international law enforcement agencies reported BEC losses in excess of a staggering $1.2 billion. See figure 1.
In late May, the seventeen year CEO of Austrian aircraft parts manufacturer FACC, was fired after a BEC attack resulted in the loss of ~€50 million. His termination followed the CFO’s exit, which occurred in February. The attack was first revealed in FACC’s Interim Report Q3 2015/2016. See figure 2.
In FACC’s recently released annual report, interim CEO Robert Machtlinger wrote “in January 2016, the ‘Fake President Incident’ affair became public, to which FACC fell victim over Christmas and suddenly the world looked different for us.” FACC’s BEC was significant; the company’s 2015 profits were erased as a result of the fraud.
The specifics of FACC’s BEC incident aren’t public, so I won’t speculate as to how the social engineering efforts occurred. We do know that in other BECs travel has been involved. The FBI provided the following example where an accountant received an email from her CEO, who was on vacation, out of the country requesting a transfer of funds. See figure 3.
There are many questions to ask when it comes to preventing, detecting and responded to BECs. One that stands out in my mind is how vulnerable are your executives? How likely will they be targeted? What public information is available that could be used to fuel a social engineering attack against your company?
A combination of people, process and technology is required to mitigate the BEC. I suggest you consider the following actions:
- Update your security awareness training content to include the BEC scenario. This should be included in new hire training, but you should conduct ad hoc training for this scenario now.
- Just as you have built ransomware and destructive malware (think Saudi Aramco or Sony Pictures) into your incident response/business continuity planning; you need to build BEC into your contingency plans.
- Conduct ongoing assessments of your executive’s digital footprints. You can start with using Google Alerts to track new web content related to them.
- Work with your wire transfer application vendors to build in multiple person authorizations to approve significant wire transfers. You are looking for your Crimson Tide scenario; you need both Denzel Washington AND Gene Hackman to approve wires for more than x amount of dollars.
- Formalize an Operations Security (OPSEC) program. You can download our latest white paper to learn about the five steps you can take to mature your OPSEC capabilities.