March 23, 2020 – Business email compromise (BEC) fraud is an increasingly common cyber risk built on spear phishing techniques. It often results in significant losses through wire transfer scams. The fraudsters rely on social engineering: they run a doppelganger campaign, most often impersonating the CEO or another executive of the targeted organization, so that the instructions they deliver carry the weight of legitimacy. Education is key for any organization that wants to combat BEC fraud.
Business email compromise (BEC) fraud is an increasingly common cyber risk. This spear-phishing-based fraud ranked number one on the Canadian Anti-Fraud Centre’s (CAFC) list of frauds affecting Canadians when ranked by dollar loss. No other fraud tactic was as profitable for fraudsters as spear phishing in 2019, with a total reported loss of $21,404,827.08.
Read more: CAFC’s list of top frauds in 2019
Business email compromise (BEC) fraud
BEC fraud can result in significant losses and liabilities for targeted organizations. It is also known as email compromise fraud or email account compromise fraud. It mostly takes the form of CEO fraud or whaling and often ends in wire transfer fraud.
Scammers use phishing methods and pretend to come from a legitimate source in order to convince employees to transfer money to accounts the scammers control instead of the account of the intended payment recipient. They send emails that appear to come from existing businesses or people who have some kind of relationship with the organization.
One technique that appears to be increasingly employed as part of wire transfer frauds involves making use of a ‘doppelganger domain name’ to make the email sent by threat actors appear to come from a reliable source.
Often, the sender’s address appears to be the actual email address of the party being impersonated, a tactic known as spoofing. Variations include the business executive spoof, the financial industry client spoof, the head office spoof, the payroll spoof and the supplier swindle.
A doppelganger domain name is a legally registered domain name that threat actors create because it looks almost identical to the legitimate domain name of a targeted organization (a transposed or substituted character, an added word, or a different top-level domain). Because the fraudsters own that domain, mail sent from it can pass sender authentication checks for the look-alike domain itself, so authentication alone does not expose it; the illusion is completed with social engineering. By making fraudulent emails appear authentic, like a doppelganger, fraudsters swindle organizations into initiating wire transfers.
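The following is an added example, not code from the article or from any organization it mentions, showing how a mail-triage script can catch the two tactics described above: a doppelganger domain that is a near-copy of a trusted one, and a spoofed display name or local part that borrows an executive's name or the trusted domain text while the message actually comes from elsewhere. The trusted domains, executive names, homoglyph table and edit-distance threshold are constructed assumptions for the example; a real deployment would load them from the organization's own directory and tune the threshold.

```python
"""Triage a From: header for BEC look-alike domains and spoofed display names.

Added example with constructed data; not from the original article.
"""
from email.utils import parseaddr

# Constructed allow-list: the organization's own domain and a known vendor (assumption).
TRUSTED_DOMAINS = {"example.com", "example-construction.ca"}
# Constructed names of executives most likely to be impersonated in CEO fraud (assumption).
EXECUTIVE_NAMES = {"alex chen", "jordan smith"}

# Character sequences that look alike in many fonts. Both sides of a comparison are
# folded through this table so 'exarnple.com' or 'examp1e.com' compare equal to 'example.com'.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("|", "l"))
MAX_EDIT_DISTANCE = 2  # heuristic threshold (assumption); tune per environment


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse common homoglyph pairs."""
    d = domain.lower().strip(".")
    for glyph, real in HOMOGLYPHS:
        d = d.replace(glyph, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable reasons why `domain` resembles a trusted domain."""
    reasons = []
    norm = normalize(domain)
    for t in trusted:
        if domain == t:
            continue
        if t in domain:
            # e.g. example.com.invoices-secure.net: the trusted name is just a prefix label
            reasons.append(f"trusted domain '{t}' embedded in '{domain}'")
        elif levenshtein(norm, normalize(t)) <= MAX_EDIT_DISTANCE:
            # e.g. exarnple.com, example.co, exampel.com
            reasons.append(f"'{domain}' is within {MAX_EDIT_DISTANCE} edits of '{t}' after homoglyph folding")
        else:
            sld = t.split(".")[0]
            if sld in norm:
                # e.g. example-payments.net reusing the trusted second-level label
                reasons.append(f"trusted label '{sld}' reused in '{domain}'")
    return reasons


def classify_sender(from_header: str) -> dict:
    """Classify a From: header as trusted, lookalike, impersonation, external or malformed."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    result = {"address": addr, "domain": domain, "verdict": "external", "reasons": []}
    if not local or not domain:
        result["verdict"] = "malformed"
        return result
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        result["verdict"] = "trusted"
        return result
    result["reasons"] = lookalike_reasons(domain)
    if result["reasons"]:
        result["verdict"] = "lookalike"
        return result
    # Display-name or local-part spoofing: an executive's name, or trusted domain text,
    # on a message that did not come from a trusted domain (typical webmail CEO fraud).
    if name.strip().lower() in EXECUTIVE_NAMES:
        result["reasons"].append(f"display name '{name}' matches an executive")
    if any(t in (name + local).lower() for t in TRUSTED_DOMAINS):
        result["reasons"].append("trusted domain text in display name or local part")
    if result["reasons"]:
        result["verdict"] = "impersonation"
    return result


if __name__ == "__main__":
    # Constructed sample headers exercising each verdict.
    for hdr in [
        "Alex Chen <alex.chen@example.com>",
        "Alex Chen <alex.chen@exarnple.com>",
        "Accounts <ap@example.co>",
        "billing@example.com.invoices-secure.net",
        "Alex Chen <ceo.example.com@gmail.com>",
        "news@unrelated.org",
    ]:
        print(classify_sender(hdr))
```

The script is deliberately simple: it flags for human review rather than blocking, because the same distance heuristic will also catch legitimate affiliates with similar names. Payment-change and wire requests flagged as `lookalike` or `impersonation` are exactly the ones that should be verified with the counterparty through a previously known phone number before any money moves.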
CEO fraud in particular is a growing security threat for businesses. In this variant the scammer spoofs the email address of the head of the company or another powerful executive of the organization.
These scams come in many forms, but the emails always contain an urgent call to action addressed to the employee who receives them. The employee is asked to act quickly, supposedly to solve a problem for the CEO or to relieve pressure on them, which discourages the employee from pausing to verify the request.
Companies with international business dealings are more likely to be targeted, since transfers to overseas banks are commonplace for them. Large and mid-sized companies are also frequently targeted because they often have a high volume of invoicing activity with large numbers of resellers or distributors.
‘Shark Tank’ judge’s bookkeeper tricked into transferring money to a fraudulent account
A prominent example of a wire transfer scam, or spear phishing fraud, is the swindle in which ‘Shark Tank’ judge Barbara Corcoran temporarily lost almost US$400,000. CNN reported that a fraudster tricked her bookkeeper into wiring $388,700 to a bank account controlled by the rogue. The email the bookkeeper received looked like it came from Corcoran’s assistant and asked for a payment for a renovation.
The good news is that Corcoran got her money back. The German-based bank the bookkeeper used to wire the funds froze the transfer before it was deposited into the scammer’s bank account in China.
City of Saskatoon became victim of an email spoofing scheme
But not all frauds come to such a satisfying end. Many BEC frauds end in disputes over which of the affected parties must bear the financial loss, or over whether the recipients of the fraudulent funds have to pay them back when the fraudsters used foreign money exchanges to launder the proceeds, as in the case of the City of Saskatoon last summer.
Read more: City of Saskatoon became victim of identity fraud scheme and lost over $1M
The City of Saskatoon paid $1.04 million to a fraudster after falling for an email spoofing scheme. The fraudster contacted the city by email, impersonating the chief financial officer of a local construction company with which the city has contracts, and asked the city to change the company’s banking information. The city complied without verifying the request with the business partner through any other channel. As a result, the next regular payment of over $1.04 million intended for the construction company went straight to the fraudster’s account.
In this case, the city was able to recover all of the stolen funds after an Ontario court froze the proceeds of the fraud and granted the City’s motion to recover them from the recipients, who were customers or alleged customers of the money exchange businesses that had received the City’s funds in the first place.
Read more: City of Saskatoon awaits Ontario court decision on recovery of fraudulently stolen funds
Combating BEC fraud is a company-wide effort
The Competition Bureau and the Canadian Centre for Cyber Security have assembled guidelines with proactive measures to help organizations avoid being victimized by email compromise fraud, as well as suggested actions organizations should follow if a fraudulent wire transfer has already taken place.
In any case, educating the employees of a business is the best defense and the key to avoiding fraudulent phishing attempts and other cyber risks. Employees who handle payments and wire transfers, as well as CEOs, should undergo specific training on current trends in email wire fraud and on the organization’s own verification procedures, such as confirming any change of banking details with the counterparty over a previously known phone number before acting on it. In the end, combating BEC fraud is a company-wide effort.