If you were about to spend more than a million dollars, how careful would you be about where you sent the money?

More importantly, how would you check with the recipient of the money – and how would they check with you – that both ends of the transaction were lined up correctly, with no treachery in between?

It’s quite likely you’d have been emailing them back and forth for some time, negotiating the deal, agreeing terms and finalising payment…

…and therefore it’s quite likely that you’d email each other one last time before it all went through.

And if there were a last-minute change in payment details, you might be really relieved to hear about that, especially if the deal were time-critical, like a house purchase, a stock offer…

…or a £1,000,000 payment as part of a player transfer in the English Premier League – the richest soccer competition in the world, and the most-watched sports franchise on the planet. (Probably, although NFL, NHL, MLB and IPL fans may wish to disagree.)

After all, transfer windows are short, and transfer negotiations are complicated, so a payment that failed to go through at the last step could ruin a deal that had been months in the offing.

Well, according to a report entitled The Cyber Threat to Sports Organisations, released today by the UK’s National Cyber Security Centre, that almost happened, except that the new account number was fraudulent and, rather than saving the deal at the last minute, the club would have lost the lot.

Apparently, one of the UK’s top football clubs – the report doesn’t say which one – almost paid out £1m ($1.25m) to crooks after a genuine-looking but fraudulent email convinced the club to nominate a new account to receive the funds.

Fortunately, the club’s bank flagged the transaction as suspicious, provoking further investigation and uncovering the scam.

As you can probably guess, that scam was what’s known as BEC, short for business email compromise.

BEC is something of a special category in the world of online crime – in fact, it’s probably better to refer to it as ‘internet-enabled crime’ than simply as cybercrime.

The criminals behind it don’t have to be programming wizards or malware authors; they don’t need elite hacking or exploit-creation skills; and they don’t need the know-how to carry out network intrusions, lateral movement and so on.

What they do have is patience, persistence, self-belief and what you might call sociopathic-level skills in social engineering.

In old-school terminology, you’d call them confidence tricksters, though they are generally using the internet to manipulate victims, not their in-person charisma.

The basic idea behind BEC crime is surprisingly simple: get hold of the email password of someone of importance in the organisation, read all their email before they do, learn how they operate, find out what the company is up to and learn when big payments are coming up, in or out…

…and then take on the persona of the employee whose email was compromised in order to misdirect other employees, as well as creditors and debtors.

Thus the name business email compromise, sometimes called CEO fraud or CFO fraud because those are the staff members whose email accounts typically deliver the most dramatic results for the crooks.

We try to avoid the terms CEO fraud and CFO fraud these days because those names wrongly imply that BEC depends specifically on the CEO or CFO getting hacked, and therefore if their accounts are intact, the company is safe. Many organisations don’t even use the job titles CEO and CFO, yet they too are at risk of exactly this sort of fraud.

As you can imagine, the typical corporate manipulation performed by BEC crooks is to get debtors to pay outstanding invoices into “new” bank accounts that belong to the criminal gang, or to instruct staff inside the company to pay outgoing invoices to phoney accounts instead of to genuine creditors, thus stealing money from both sides of the balance sheet.

BEC criminals use technology to help them misdirect humans, and once they have their operation running inside a company, they aim to keep the misdirection going for as long as possible by mixing social engineering skills with their insider knowledge.

If a crook is inside your email, remember that they can not only send emails in your name, they can also: delete those emails from your outbox so you don’t even see they were sent; intercept and remove or modify any replies from colleagues who become suspicious and ask questions; mollify others in the company who are trying to raise the alarm; and threaten those who try to get in the way.

What to do?

Of course, this raises the tricky question, “If a crook has already snuck in, got into someone’s email, and is lying low looking for a chance to swindle the whole company, how on earth do you spot the fake emails that shouldn’t be there amongst all the real ones that are still flowing normally?”

Here are six tips to help you detect and prevent this sort of corporate manipulation:

  • Turn on two-factor authentication (2FA) so that a password alone is not enough to access your accounts, especially email. Remember that your email account is probably the key to resetting passwords on many of your other accounts, including ones you use at work and at home.
  • Look for features in your service providers’ products that can warn you when anomalies occur. Access monitoring tools help to detect logins that come from unusual places, or network activity that doesn’t fit your usual pattern. This can help you flush out crooks who have wriggled into your network or your email account. Talk to your bank about how they can add another layer of scam detection, too.
  • Enforce a two-step (or more) process for making significant changes to accounts or services, especially changes in details for outgoing payments. Don’t just rely on simple “manager approval” click-throughs – implement independent checks by different teams, working in separate departments, looking for different indicators of scamminess.
  • If you see anything that doesn’t look right in an email demanding your attention, assume you are being targeted. Crooks who try to impersonate your CEO or CFO might not make any mistakes, but often they do. Don’t let the crooks get away with slip-ups such as spelling mistakes or unlikely errors that ought to give them away. As carpenters like to say, “Measure twice, cut once.”
  • If you want to check details with another company based on an email, especially when money is involved, never rely on contact data provided in the email. Find your own way to get hold of the other party using a different form of communication, for example using a phone number on printed documents that you already have.
  • Consider using internal training tools to teach your staff about scams. In the football club case above, the crooks phished the CEO’s password using a fake Office 365 login page. Tools such as Sophos Phish Threat can test staff behaviour safely so that they can make their mistakes when it doesn’t actually matter, rather than when the crooks come calling.
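The anomaly monitoring in the second tip, and the reply-hiding tricks described earlier (deleting sent mail, intercepting colleagues’ questions), are easier to picture with a concrete check. The Python script below is an added example written for this post, not code from the NCSC report or from Sophos. It walks a small set of constructed audit events (sign-ins and new inbox rules, in an invented simplified shape) and flags password-only sign-ins from countries an account has never used, plus inbox rules that delete or divert payment-related mail, escalating when both happen on the same account within a short window. The account names, the baseline of known countries, the keyword lists and the event field names are all assumptions; map them onto whatever your mail provider’s audit export actually produces.

```python
"""Flag BEC-style mailbox abuse in a constructed audit log.

Added example for this article, not code from the NCSC report or from Sophos.
The event shape (SignIn / NewInboxRule records), the accounts and the baseline
are invented for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed events in a simplified audit-log shape (assumption).
SAMPLE_EVENTS = [
    {"ts": "2020-07-20T08:02:11Z", "user": "finance-director@club.example",
     "type": "SignIn", "country": "GB", "mfa": True},
    {"ts": "2020-07-20T12:40:05Z", "user": "finance-director@club.example",
     "type": "SignIn", "country": "GB", "mfa": True},
    # Password-only sign-in from a country this account has never used ...
    {"ts": "2020-07-21T03:17:49Z", "user": "finance-director@club.example",
     "type": "SignIn", "country": "NG", "mfa": False},
    # ... followed minutes later by a rule that silently deletes payment mail,
    # the kind of rule an intruder uses to hide replies from colleagues.
    {"ts": "2020-07-21T03:25:30Z", "user": "finance-director@club.example",
     "type": "NewInboxRule",
     "rule": {"name": ".", "keywords": ["invoice", "bank details", "transfer"],
              "action": "delete"}},
    # Benign housekeeping rule for comparison.
    {"ts": "2020-07-21T09:00:00Z", "user": "press-office@club.example",
     "type": "NewInboxRule",
     "rule": {"name": "Newsletters", "keywords": ["newsletter"],
              "action": "move", "folder": "Newsletters"}},
    {"ts": "2020-07-22T10:15:00Z", "user": "press-office@club.example",
     "type": "SignIn", "country": "FR", "mfa": True},
]

# Constructed baseline: countries each account is expected to sign in from.
KNOWN_COUNTRIES = {
    "finance-director@club.example": {"GB"},
    "press-office@club.example": {"GB", "FR"},
}

PAYMENT_WORDS = {"invoice", "payment", "bank", "bank details", "transfer",
                 "account", "remittance", "wire"}
HIDING_ACTIONS = {"delete", "forward", "redirect"}
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}
CORRELATION_WINDOW = timedelta(hours=2)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signin_reasons(event, baseline):
    """Password-only sign-in, or a sign-in from a place the account never uses."""
    reasons = []
    if event["country"] not in baseline.get(event["user"], set()):
        reasons.append(f"sign-in from unexpected country {event['country']}")
    if not event.get("mfa", False):
        reasons.append("sign-in completed with a password alone (no 2FA)")
    return reasons


def rule_reasons(rule):
    """Rules that hide mail, single out payment-related mail, or have no real name."""
    reasons = []
    action = rule.get("action", "").lower()
    folder = rule.get("folder", "").lower()
    if action in HIDING_ACTIONS or (action == "move" and folder in HIDING_FOLDERS):
        reasons.append(f"rule hides matching messages (action={action})")
    hits = {k.lower() for k in rule.get("keywords", [])} & PAYMENT_WORDS
    if hits:
        reasons.append("rule targets payment-related mail: " + ", ".join(sorted(hits)))
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule has an empty or one-character name")
    return reasons


def analyse(events, baseline):
    """Return findings in time order; a hiding rule created shortly after a
    suspicious sign-in by the same account is escalated to 'critical'."""
    findings = []
    last_bad_signin = {}  # user -> time of most recent suspicious sign-in
    for event in sorted(events, key=lambda e: e["ts"]):
        when = parse_ts(event["ts"])
        if event["type"] == "SignIn":
            reasons = signin_reasons(event, baseline)
            if reasons:
                last_bad_signin[event["user"]] = when
                findings.append({"ts": event["ts"], "user": event["user"],
                                 "severity": "medium", "reasons": reasons})
        elif event["type"] == "NewInboxRule":
            reasons = rule_reasons(event["rule"])
            if not reasons:
                continue
            hides = any(r.startswith("rule hides") for r in reasons)
            severity = "high" if hides else "low"
            earlier = last_bad_signin.get(event["user"])
            if hides and earlier is not None and when - earlier <= CORRELATION_WINDOW:
                severity = "critical"
                reasons.append("created within %s of a suspicious sign-in" % (when - earlier))
            findings.append({"ts": event["ts"], "user": event["user"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(f["ts"], f["user"], f["severity"].upper(), "; ".join(f["reasons"]))
```

Run against the constructed events, the finance director’s password-only sign-in from an unexpected country and the delete-rule that follows it are reported (the rule as critical because of the timing), while the press office’s sign-in from a known country and its newsletter-filing rule produce nothing. The correlation step is the part worth keeping: either signal alone generates noise, but a new hiding rule within a couple of hours of an odd sign-in is close to the textbook shape of an account takeover and deserves a phone call to the account owner, not a ticket.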

By the way, if you’re wondering how much money is involved in BEC criminality, take a look at the story behind the recent arrest of an alleged BEC scammer in the USA who went by the name “Hushpuppi.”

Don’t let it happen to you!
