Prepare to be shocked: there is a lot of crime on the internet. One of the most rapidly growing is Business Email Compromise (BEC). According to the FBI, relying only on complaints it received, BEC losses in 2022 alone totaled $2.4 billion. How much has this crime increased just since 2015? Abnormal Security created this helpful (though startling) graph.
Understanding How BEC Attacks Work
Business Email Compromise (BEC) is a scam in which a criminal impersonates a legitimate party by email to trick a company into transferring funds to a fraudulent account. A BEC scam begins when the perpetrator pretends to be one of the victim’s trusted contacts, usually a vendor, a colleague, or even the victim’s boss, often from a compromised or lookalike email account. The impersonator then asks the recipient for a wire transfer or supplies changed bank details for future payments.
Because BEC attacks employ neither malware nor hostile URLs, the usual lines of cyber defense do not pick up on them. Instead, BEC relies on impersonation tactics that lead victims to trust the sender and hand over the information the attacker is after. Attackers often use what looks like a legitimate email account, which makes the scam more believable.
Social engineering is the core impersonation technique. Attackers may use a known domain or fake a website so that they appear authentic to their intended victims. BEC attacks are challenging to investigate because the investigation must largely be done manually.
Investigations can be arduous because of the nature of social engineering. Sensitive information is exchanged, including the following:
- Email account
- Bank accounts
- Wire transfer information
- Phone numbers
By garnering sensitive data through attorney impersonation, fake gift card requests, invoice schemes in which fake invoices are sent from a fake finance department, and fraudulent bank accounts, scam artists gain access to personal data and commit a crime that is hard to stop and hard to catch.
Types of BEC Scams
BEC leans on social engineering to execute the scam and does not require many tools to work. These scams are easy to repeat and the means are not hard to come by, so they have become a widespread cybercrime. A few BEC techniques are especially typical.
By recognizing what these scams include, you can educate yourself and your employees about what to expect and how to circumvent them.
Using Trusted Relationships as a Tool to Exploit
When you see a familiar person or entity in your inbox, your first instinct may be to respond promptly. The attacker is counting on exactly that response. This type of exploitation happens in various ways.
They may pretend to be a colleague requesting payroll details, or impersonate the CEO (so-called CEO fraud). The email may look like an invoice from a vendor, or a donation solicitation from a charity you support.
Copying Your Normal Workflow
Many times, organizations have commonly used workflows that are often automated and executed via email. These often become rote after employees repeatedly do them. Cyber attackers realize that common workflow habits become mindless after a while, and they capitalize on this.
By replicating workflows that are used daily, BEC swindlers rely on victims acting without processing what they are actually doing and handing over the information the attackers are after.
Workflow can be compromised in the following ways:
- Requests for password resets
- Feigned attempts to share spreadsheets, files, or folders
- Emails that appear to come from commonly used apps and request access
While malware or ransomware is often avoided because it can be detected easily, BEC attacks use fake invoices and social engineering techniques to make the emails seem legitimate and lure victims into the scheme.
The attachments, suspicious as they are, are meant to make the emails look less like a scam, or that is the aim, at least.
BEC emails often use subject lines that are overly familiar or that create a sense of urgency, prompting the reader to act quickly without thinking it through. Certain keywords and phrases in the subject line do this work.
Some common things you might encounter in BEC emails include the following:
- Overdue balances or payments
- Personal greetings, “Hi Mark!” or “Hey Hillary!”
- Offers of payment, which the attackers expect will get your attention
- “Immediate action required” creates a very real sense of urgency for many people
- “Important information” from your company’s CEO
By using tricky language to make what seem to be harmless requests, they can also find an inroad to your account information.
Cybercriminals sometimes use widely available software to make their BEC scams seem more credible. Because the emails are produced with legitimate software, the technologies that would usually catch bad links and domains do not flag them.
Phishing emails, spoofed emails, and ransomware are all used by attackers to obtain the information they seek. The lesson: even if an email looks genuine, it may not be. By riding on widely used software, these scams slip under the radar.
BEC Scam Example
Here’s how it works: ABC Company owes a vendor, Beta Corp, $100,000. ABC and Beta have done business together for years, so an invoice in this amount is not unusual. ABC already has Beta’s banking information.
As ABC’s accounting department is preparing to wire the funds, Chris Jones, ABC’s accounts manager, receives an email from Pat Smith, Beta’s accounts manager. Again, not unusual – they communicate frequently. Pat’s email says there’s a problem with Beta’s main operating account at Worldwide Federal Bank, and Beta needs ABC to wire the funds instead to another of its accounts, this one at Global Federal Bank, and provides the account information.
Chris complies and sends a wire to Global Federal Bank “for the benefit of Beta Corp re: invoice number 6892” in the amount of $100,000.
Three weeks later, Chris gets a phone call from Pat asking why ABC has not yet paid. Chris responds that the money was sent as Pat requested – to Global Federal. But Pat made no such request, and Beta has no account at Global Federal. Chris pulls up the email from Pat and makes a crushing discovery: the email did not come from firstname.lastname@example.org, Pat’s actual email address. It came from email@example.com. The two are so similar that you probably had to compare them twice to notice the difference. And anyway, Chris’s email system – probably Outlook – doesn’t display the address when emails arrive; it displays the name of the sender. Chris calls the FBI and is told to fill out a report at the Internet Crime Complaint Center (IC3). The FBI will investigate, but chances are that by this time the money has been converted into crypto and sent halfway around the world to a jurisdiction from which it cannot be retrieved. The odds of any of that money ever being recovered are as close to zero as possible.
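The mismatch Chris only found after the fact can be checked automatically at the mail gateway. The following is an added example, not code from the article or the firm: it compares a From: header against a constructed directory of trusted vendor contacts (the names, addresses and domains are made up) and flags a display name that maps to a different address, or a domain a couple of edits away from a trusted one.

```python
"""Flag lookalike senders of the kind used in the ABC/Beta wire story."""
from email.utils import parseaddr

# Constructed directory of trusted vendor contacts (example data, not the article's).
TRUSTED_CONTACTS = {
    "pat smith": "pat.smith@betacorp.example",
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in TRUSTED_CONTACTS.values()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline for a handful of domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return reasons a From: header looks like impersonation (empty list = clean)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []
    # A known display name must resolve to the address we have on file;
    # mail clients that show only the name hide this mismatch from the user.
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{name}' belongs to {expected}, not {addr}")
    # A domain one or two edits from a trusted one (hyphen, swapped letters) is
    # the classic lookalike; an exact match or an unrelated domain is not flagged.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            d = edit_distance(domain, trusted)
            if 0 < d <= 2:
                reasons.append(f"domain {domain} is {d} edit(s) from trusted {trusted}")
    return reasons


if __name__ == "__main__":
    for hdr in ("Pat Smith <pat.smith@betacorp.example>",
                "Pat Smith <pat.smith@beta-corp.example>"):
        print(hdr, "->", check_sender(hdr) or "clean")
```

A hit on either rule is a reason to confirm the request by phone at a number already on file, not one taken from the email.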
ABC Company is not alone. According to the FBI, BEC is one of the fastest-growing, most financially damaging internet-enabled crimes. It is a major threat to the global economy. In 2021, the Internet Crime Complaint Center (IC3) received BEC-related complaints with claimed losses exceeding $2.4 billion. For context, the IC3 found yearly losses attributable to BEC actors were $360 million in the calendar year 2016. And $2.4 billion is just what was reported.
Legal Options After a BEC Scam
If hackers or scammers have perpetrated BEC fraud or similar cybercrimes against you or your business, take these actions immediately:
- Notify your bank as soon as possible
- Contact your lawyer to advise you about your legal options
- Speak to law enforcement about the cybercrime
- File a complaint with the FBI’s Internet Crime Complaint Center (IC3)
- Inform management at your business or workplace
- Have IT conduct a forensic investigation; the full extent of the scammer’s activity often becomes evident only then
- Reach out to your insurance company and detail what the hackers did and how you were scammed
- Schedule a consultation with an outside security specialist to determine the extent of what happened and how to prevent it from recurring
- If there were security policy violations, determine what they were and isolate them
- Consult with IT specialists about shoring up the security weaknesses that allowed the attack
These scams are prevalent and are hard to catch with average security measures. Adding further layers of defense is critical to avoiding these scams altogether.
So, what does a company like ABC do? Chris made a mistake but wasn’t really at fault – his company, ABC, was the victim. What about Global Federal Bank? Doesn’t it have policies and procedures in place to make sure it isn’t providing banking services to criminals?
Banks May Be Liable in Business Email Compromise Attacks
Under the Uniform Commercial Code (UCC) and its state-specific variations, financial institutions may be held liable for “misdescribed” funds if they knew that the intended recipient did not match the name of the actual account holder. Several courts have held that receiving banks may be liable for their failure to confirm the intended recipient matched their customer:
- In Studco Bldg. Sys. U.S., LLC v. 1st Advantage Fed. Credit Union, 509 F. Supp. 3d 560, 568 (E.D. Va. 2020), the court found that “if the beneficiary’s bank knew about the conflict between the name and number and nevertheless paid processed the payment, then the bank could be in violation of” the relevant state version of the UCC.
- In 800 Columbia Project Co., LLC v. CMB Wing Lung Bank, Ltd., No. 821CV00278JLSADS, 2022 WL 17884221, at *7 (C.D. Cal. Sept. 19, 2022), the district court ruled that “banks must bear the loss for unauthorized orders unless those orders are verified in good faith pursuant to a commercially reasonable security procedure to which the bank and its customer agreed.”
- And in Sunset Cmty. Health Ctr., Inc. v. Capital One Fin. Corp., No. CV 22-1822 (JRT/LIB), 2023 WL 359674, at *5 (D. Minn. Jan. 23, 2023), citing the UCC, the court held that “a beneficiary’s bank cannot accept a payment order if the payment order misdescribes the beneficiary.”
If somebody tricked you into sending money to a bank that should have caught it, report it to the FBI – and let us know. Contact the Houston commercial litigation attorneys at Berg Plummer Johnson & Raval, LLP to discuss your case.