Most people treat spam as an annoyance rather than a real threat. A recent FBI warning about what it calls “business e-mail compromise” (BEC) might make them think twice about what lands in their inboxes: over the past 22 months these scams have caused an estimated $1.2 billion in losses worldwide.
For the U.S. alone, the agency puts the exposed dollar loss (actual and attempted losses combined) at $747,659,840.63, across more than 7,000 victims.
In his assessment of the FBI’s findings, security journalist Brian Krebs points out that BEC, which he calls “CEO fraud,” deliberately targets a business’s leadership, either spoofing an executive’s address or taking over the account outright. Because the targets are a handful of executives rather than the public at large, the fraudsters don’t use the mass-mailing tactics of ordinary phishing.
Because they are sent to a few chosen recipients rather than blasted out in bulk, the spoofed messages used in CEO fraud rarely trip the spam filters that catch ordinary phishing. The crooks also take the time to learn the target organization’s relationships, activities, interests, and travel or purchasing plans.
They do this by scraping employee email addresses and other details from the target’s website to make the messages more convincing. Where they have already compromised an executive’s or employee’s inbox, they scour its correspondence for words that reveal whether the company routinely handles wire transfers, searching for messages containing terms like “invoice,” “deposit,” and “president.”
It’s not hard to see why an email that appears to come from “the boss” gets far less scrutiny than the average message. The scammers count on the weight an executive’s instructions carry: most employees will act on a request from their boss without questioning it. To help your business defend against CEO fraud, the FBI recommends the following steps:
Create intrusion detection or mail-filtering rules that flag e-mail from domains similar to, but not identical to, the company’s own. For example, if the legitimate domain is abc_company.com, a rule would flag mail from abc-company.com.
Register lookalike domains, those that differ only slightly from the real company domain, before attackers can.
Verify any change in a vendor’s payment location with a second, independent check, such as sign-off by another employee; the FBI describes this as adding two-factor authentication.
Confirm requests for transfers of funds out of band. When that confirmation is a phone call, use a number already on file, not one supplied in the e-mail request.
Know your customers’ payment habits, including the usual amounts, the reasons behind them, and the details of how they are paid.
Carefully scrutinize every e-mail request for a transfer of funds and ask whether it is out of the ordinary.
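The first of those steps, flagging mail from domains that merely resemble the company’s own, is easy to get wrong if the rule only looks for the one hyphen-for-underscore swap in the FBI’s example. The Python below is an added illustration, not code from the article, from Krebs or from the FBI; it reuses the FBI’s example domain abc_company.com as the protected domain and runs over a handful of constructed From: headers. It goes slightly beyond the FBI’s example by also catching a different top-level domain, common character substitutions (0 for o, rn for m) and one- or two-character typos, while letting the real domain and its subdomains through. The helper names (classify_sender, fold, split_label) are this example’s own.

```python
"""Lookalike-domain check for inbound mail, illustrating the FBI's first step.

Added example, not from the article, Krebs, or the FBI. COMPANY_DOMAIN reuses
the FBI's example domain; SAMPLE_HEADERS are constructed for the demo.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "abc_company.com"   # the legitimate domain from the FBI example

# Single characters routinely swapped for one another in lookalike domains;
# every label is folded to the letter form before comparison.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Two-letter sequences that read as one letter in many fonts.
_PAIRS = (("rn", "m"), ("vv", "w"))
_SEPARATORS = "-_."


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of a From: header, or "" if there is none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def split_label(domain: str) -> tuple[str, str]:
    """Split "mail.abc-company.com" into ("abc-company", "com").

    Multi-part public suffixes such as co.uk are not handled; a real gateway
    would consult the Public Suffix List here (simplifying assumption).
    """
    parts = domain.split(".")
    if len(parts) < 2:
        return domain, ""
    return parts[-2], parts[-1]


def fold(label: str) -> str:
    """Normalise a label so separator games and confusables collapse."""
    folded = label.lower()
    for sep in _SEPARATORS:
        folded = folded.replace(sep, "")
    for pair, single in _PAIRS:
        folded = folded.replace(pair, single)
    return folded.translate(_CONFUSABLE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute); a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN,
                    max_distance: int = 2) -> str:
    """Return "legitimate", "lookalike", "unrelated" or "unparseable".

    max_distance=2 suits a ten-letter label like abc_company; lower it for
    short company names or unrelated senders will be flagged.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    company = company_domain.lower()
    # The exact domain, or a subdomain of it, is the real thing.
    if domain == company or domain.endswith("." + company):
        return "legitimate"
    folded_sender = fold(split_label(domain)[0])
    folded_company = fold(split_label(company)[0])
    # Same name once separators and confusables are folded: covers a different
    # TLD, hyphen for underscore, 0 for o, rn for m ...
    if folded_sender == folded_company:
        return "lookalike"
    # ... or a typo-squat within a couple of edits of the real name.
    if levenshtein(folded_sender, folded_company) <= max_distance:
        return "lookalike"
    return "unrelated"


# Constructed From: headers for the demonstration (not real traffic).
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@abc_company.com>",
    "CEO <ceo@mail.abc_company.com>",
    "CEO <ceo@abc-company.com>",        # the FBI's own example
    "CEO <ceo@abccompany.net>",
    "CEO <ceo@abc_c0mpany.com>",
    "CEO <ceo@abc_cornpany.com>",
    "CEO <ceo@abc_compnay.com>",
    "Alice <alice@example.org>",
    "Not An Address",
]


def scan_headers(headers):
    """Classify each From: header; returns [(header, verdict), ...]."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:11} {header}")
```

In practice the same check belongs on the envelope sender and the Reply-To header as well as From:, since the attacker only needs one of them to point at the lookalike domain. The folding step is deliberately ASCII-only; internationalised domain names (punycode) need a proper confusables table, and a short company name needs a tighter edit-distance threshold to keep the false-positive rate down.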