Companies still being caught out by Business Email Compromise scams

A couple of weeks ago Connecticut-based charity Save the Children Foundation reported that it was targeted in a $1 million phishing scam that took place in May 2017.

Having managed to access a staff email account, hackers posed as an employee and sent fake invoices relating to payments for solar panels for health centres in Pakistan. Successfully duping the recipient of the email, the cyber criminals were then able to transfer the money to a fraudulent account based in Japan.

This was a typical example of a Business Email Compromise (BEC) and it serves as a useful reminder for companies, particularly those that have commercial or charitable interests in other countries.

Save the Children Foundation was lucky: even though it was too late to stop the transfer of funds, all but $112,000 of the financial losses were eventually recovered via insurance.

In details of another case reported in November this year, the possible fall-out from such a scam was well illustrated when court papers were published showing that the Dutch branch of the Pathe cinema group, Pathe Nederland (NL), lost some €19 million in a BEC that cost both the CEO and the financial director their jobs.

The documents, which covered an unfair dismissal case brought by Edwin Slutter, the sacked finance chief, showed in great detail the way in which the thieves were able to scam the company. On 8 March, Dertje Meijer, the former Pathe NL CEO, received an email purportedly from his French counterpart. According to this, the French arm of Pathe was involved in a takeover in Dubai for which an initial confidential payment of €826,521 was required to secure the deal. No one else was to be informed of the transfer, "in order to give us an advantage over our competitors". Despite finding the message odd – Meijer forwarded the email to Slutter with the comment "strange don’t you think?" – the CEO approved the transaction and the money was paid into a bank account operated by Towering Stars General Trading LLC in Dubai.

On 13 March, a second payment of €2,479,563 was made to the same account, followed by a third, and then a fourth. By 27 March, Pathe NL had paid €19,244,304. On 29 March, the Pathe headquarters in Paris began asking questions, and it quickly became apparent that both Meijer and Slutter had been the victims of a massive BEC fraud, and they were sacked.

Another well-publicised case happened in 2017, when MacEwan University in Canada was targeted in a BEC, resulting in the fraudulent transfer of $9.5m after staff received a series of convincing emails instructing them to wire funds. Fortunately, most of the money was recovered in this case.

In the same year Southern Oregon University also reported that it had fallen victim to the scam, when staff were tricked into paying $1.9 million into a bank account which they believed belonged to Anderson Construction, a company that had recently built a pavilion and student recreation centre for the University.

And a New York supreme court judge lost over a million dollars: she was purchasing a new house and the transaction was being handled via her lawyer. An attacker sent an email posing as the lawyer which requested $1,057,500 to be transferred. The funds were immediately sent to a fraudulent account handled by the Commerce Bank of China.

A typical BEC will involve a cyber criminal using social engineering techniques to hack into or spoof a top executive’s email address – perhaps the CEO or the Chief Financial Officer. If successful, they will send a request from the breached account to an employee with an urgent order to transfer funds immediately to a bank account operated by the fraudsters.

Other related methods may see the employee being advised of a problem with a payment and instructed to resubmit it – obviously to a different account controlled by the criminals. Attackers might also search through a compromised email account for information on an outstanding invoice, which they will then reproduce with their own banking details substituted for the genuine ones.

In the last few months yet another variation on the BEC scam has been noted. This was highlighted in October 2018, when the FBI issued a new alert. The agency said their Internet Crime Complaint Center (IC3) had received an increasing number of complaints about BECs requesting that victims purchase multiple gift cards, perhaps for a work-related function or for some other business reason. Criminals profiting from this scam may use these cards to purchase goods or services, or they may sell them on the Darknet. We have seen Amazon gift cards, for example, being offered at half their face value.

The IC3 listed a variety of sectors that had been targeted in this latest variation on the BEC scam. They included technology, real estate, legal, medical, distribution and supply, and religious organisations.

We picked up an example of this ‘gift card’ scam in November, when fraudsters were attempting to cash in on the wildfires in California. Claiming to be the CEO of a company, the senders of the malicious emails informed employees that clients had been affected by the wildfires and that financial assistance must be given.

Rather than asking for money, as in the typical BEC, the email requested that the employee buy some Google Play gift cards, reveal the redemption codes, and then send them back to the attacker. If these codes are received by the malicious actors behind the scam, they can be transferred into other currencies on underground markets or online forums.

The text for one of the scam emails read as follows:

Hi, I will need you to get this done for me ASAP.Please get me the Google Play gift cards. $500 denomination, I need $500 x 4 cards. We have some few clients caught up in the California wildfire disaster. I urgently need to send gift assistance. Do you think there is a store nearby you can get those? If Yes, get that done. Just scratch out the back to reveal the card codes, and email me the codes. How soon can you get that done? Its Urgent.

It may seem unlikely that company staff would be fooled by such a badly written email, but at busy times they may not stop to think and may simply carry out what they believe to be a genuine request from the boss.

However, that is really no excuse. No company should be caught out by a BEC scam if a few basic cyber security measures are properly adhered to.

For example, requests for financial transfers or payments of invoices should not be sent over email. Employees should be required to confirm all details face-to-face where possible, or at the very minimum over the phone between people who know each other well.

Multi-factor authentication is another precaution that should always be taken: this will make it much more difficult for a fraudster to compromise or spoof an email account.

And finally, as ever, employees at all levels in your organisation must be given regular, up-to-date advice on cyber security issues, particularly on avoiding phishing attacks.

These simple yet effective measures should ensure that your company does not fall victim to the type of scam outlined above.