Business email compromise guide

Business email compromise is a worrying trend that can end up defrauding companies of millions. In essence, it involves cybercriminals manipulating employees into transferring money to their account.

From creating fake invoices to taking over the email accounts of CEOs, hackers can use business email compromise attacks to enrich themselves, all at a high cost to unsuspecting businesses.

It’s surprisingly easy for employees to be swept up in business email compromise scams, which makes it important for companies to stay abreast of the issue and implement policies, tools and training that minimize the risks.

This guide covers what business email compromise actually is, shows some examples of previous attacks, and gives advice on how organizations can minimize the risks of business email compromise.

What is business email compromise?

The concept behind these attacks is relatively simple: use email to trick companies into wiring money where it isn’t supposed to go – the fraudster’s account. Business email compromise scams tend to be aimed at high-level employees, or those who are in charge of transferring funds.

Cybercriminals have a range of different approaches up their sleeves:

  • Phishing – Hackers may trick employees into divulging their login credentials or other details. This information allows them to hijack their target’s email account, and then use it to send messages. When an account has been taken over by a hacker, it can be extremely difficult for the message recipients to know that the emails they are receiving are fraudulent.
  • Keyloggers – If phishing is unsuccessful, attackers may attempt to manipulate their unwitting victims into downloading malware such as a keylogger, which can help them find out the user’s password. They then use it to take over the victim’s account and send out emails, just like with phishing.
  • Email spoofing – If hijacking the target’s account isn’t possible, or attackers want a simpler approach, they may just pretend to be their target instead. They can set up an email address that looks almost the same (think mark@blandcorp.com vs mark@bandcorp.com). In a more sophisticated trick, they can even make an email look as though it was sent from the correct address by altering the P2 header (the From address the recipient sees, as opposed to the envelope sender the mail servers use). If the recipient isn’t paying much attention, the deception can easily slip by. Coupled with company branding and a similar writing style, this maneuver can be incredibly convincing.

It doesn’t matter if the hacker is actually in control of the target’s email account, or if they are just pretending to be – either way, they have several different options to begin their business email compromise spree:

CEO fraud

If the attacker has taken over the account of a CEO or another high-ranking individual (or has created an account that looks like them), they can leverage this to manipulate other employees into making fraudulent transfers.

These requests will often target those in the finance department, and they may emphasize the CEO’s authority and the need to act immediately to trick the employee into making the transfer without thinking, even if it means going against protocol.

A decent CEO fraud attempt might look like the following:

Hey Andrew,

I hope you’ve got a moment. There’s been a pretty major screw up and I need you to help me fix it. We were supposed to put down a $100,000 deposit with our new concrete supplier last week, but it somehow got skipped over in all the mess. Anyway, we need that money sent out now, otherwise they won’t be able to meet our deadline, and the whole project will be scrapped.

I need you to transfer $100,000 to the account shown in the attached invoice ASAP. We’ve got millions riding on this, so the company really needs you to get it together.

Anyway, I’ve got meetings the rest of the day trying to sort out this huge debacle, so I probably won’t be in contact. Just get it done, okay!

Denise Reeves,
Chief Executive Officer
Bland Corporation

If the fraudster has done their research on the company, its current projects and the individuals involved, such an email could seem totally legitimate to Andrew.

Once Andrew believes the email is from the CEO, he is under tremendous pressure to wire the money. Even if there are procedures in place to prevent these types of transactions, the message urges him to do it as soon as possible – after all, millions are at stake.

On top of urgency, the CEO has come up with an excuse as to why they won’t be in contact – this means that Andrew can’t even ask questions or confirm the order. Even if this isn’t the kind of transfer that Andrew would normally make, the intensity of the circumstances could lead him to skirt the rules – and end up transferring $100,000 right into the wily thief’s account.

These scams can be accomplished in a single email, or more sophisticated attackers may take a longer exchange to slowly build a convincing trap that ensnares their victim. No matter the approach, if the victim falls for it, the result is the same – the company’s money gets wired to the scammer.

In a related scheme, the attacker can also pretend to be a lawyer and demand the employee send money or information regarding critical and confidential matters. Once again, they generally use pressure and make the matter seem urgent, in the hope that the employee will fall victim to the scam.

Fake invoices

Another technique involves either taking over the email account of a vendor’s employee, or simply pretending to be them. Attackers can then use this position to send out invoices to their target company and hope that they get paid before anyone investigates thoroughly.

Cybercriminals may send out completely fake invoices, or they may take their time to divert a legitimate payment. In the latter case, they tend to find out about an invoice that actually needs to be paid, and then come up with a ruse to get the target company to change the account number from the vendor to their own account.

The target then sends off the money to the account, thinking that its vendor has simply updated its account details. Instead, the payment is whisked off into the attacker’s hands, and the target still owes the vendor money for the invoice.

Sometimes these attacks can be as brazen as opening a business with a similar sounding name to one of the target company’s actual suppliers. The hackers then proceed to send out invoices and hope that no one notices the blatant deception.

In many of these fake invoice schemes, the cybercriminals pretend to be foreign companies, because international transfers make it easier to hide the money before the target or the authorities can stop it. They generally send the money through a global chain of accounts in an attempt to obscure their tracks from investigators.

Data theft

Another business email scam uses the same techniques, but doesn’t seek out money directly. Hackers can hijack or impersonate the account of a high-ranking figure, much like in CEO fraud, and then target the HR department or other key data holders into sending them information from valuable databases.

The attackers can use similar pressures to manipulate their victims into transferring the data without thinking. Once the data ends up in the hacker’s hands, they can then either use it to mount further cybercrimes, or sell it online. These thefts often result in major data breaches for the affected companies, causing them large financial losses, business disruption and negative publicity.

The growing threat of business email compromise

The FBI Internet Crime Complaint Center’s 2018 Internet Crime Report showed that the organization received 20,373 business email compromise or email account compromise complaints that year. In all, these complaints resulted in estimated losses of almost $1.3 billion.

Although the figures include regular email account compromises, it’s also important to acknowledge that these are only the reported complaints – it’s possible a significantly greater number of business email compromise victims never filed a complaint with the FBI.

These attacks are increasing rapidly – the 2017 Internet Crime Report only mentioned 15,690 complaints that equated to losses of $675 million. That’s a numerical increase of over 27 percent, with financial losses almost doubling, all in just one year.

Examples of business email compromise

With the rapid rise of business email compromise attacks, there are a wide range of recent examples. Some of the biggest and most devastating incidents include:

$100 million business email compromise scam against Google and Facebook

The likes of Google and Facebook aren’t exactly high on anyone’s sympathy list, but in 2013 and 2015, respectively, each company fell victim to a multi-million dollar business email compromise scam.

At the start of 2019, a Lithuanian man named Evaldas Rimasauskas pleaded guilty to one count of wire fraud for his role in scamming $23 million from Google in 2013 and almost $100 million from Facebook in 2015.

How did he do it? In a scheme that’s both impressive in its simplicity and shocking that it actually worked, Rimasauskas and his co-conspirators set up a Latvian company with a similar name to Quanta Computer, a Taiwanese hardware manufacturer that has worked with both of the tech giants.

The Latvian impostor-company then invoiced Facebook and Google. Alongside sophisticated phishing emails and other nefarious techniques, the cybercriminals managed to trick key personnel into wiring millions of dollars into accounts controlled by the gang.

The money was hastily transferred through a series of other global bank accounts, with forged documents used to transfer the funds without raising suspicion.

This web made it difficult for the authorities to trace and reverse the transactions, although both Facebook and Google claim to have recovered the bulk of the money soon after the incidents. However, these statements seem to conflict with evidence in the court documents, which show that Rimasauskas has agreed to return $50 million in stolen funds.

Californian tech company fleeced of $47 million

In another incident of business email compromise, Ubiquiti Networks lost millions to scammers in 2015. According to an SEC filing, “The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.”

While the above statement isn’t exactly clear, it’s possible that the attack involved a cybercriminal spoofing an employee’s email account and sending messages that appeared to be legitimate requests from the employee. Alternatively, they may have used phishing or other techniques to hijack the account.

We may not know the precise details, but we do know that the attacker used fraud and manipulation to mislead the finance department, resulting in the company making transfers that totaled $47.6 million to foreign accounts.

Once Ubiquiti became aware of the fraud, it began investigating and attempted to recover the money. The company was able to claw back $8.1 million soon after the attack, but it is not clear whether it succeeded in returning more of the funds.

Operation reWired

On the 10th of September, the US Department of Justice announced that 281 people had been arrested across the globe for their involvement in business email compromise scams. The busts were a result of Operation reWired, an effort that the Department of Justice led, alongside the Department of Homeland Security, the Department of the Treasury, the Postal Inspection Service and the Department of State.

Operation reWired targeted those involved in business email compromise schemes, and ended up arresting 167 people in Nigeria, 74 in the US, 18 in Turkey and 15 in Ghana, as well as others from a range of countries. The combined efforts of the agencies also managed to seize almost $3.7 million in stolen funds.

Among those arrested were Brittney Stokes and Kenneth Ninalowo. The US residents are accused of defrauding an energy company and a community college out of $5 million through a business email compromise scheme.

Several other US residents were arrested for their alleged parts in a Nigeria-based business email compromise scheme that targeted hundreds of Americans, resulting in losses of more than $10 million. The arrests covered numerous other instances where hundreds of thousands or millions were stolen through these scams.

How to defend against business email compromise

The threat of business email compromise is growing rapidly, but the good news is that there are a range of different approaches to reduce the risks. The first step is to limit how these attacks can be initiated. Because attackers use a range of techniques to launch business email compromise scams, a wide variety of defensive mechanisms need to be implemented in order to keep organizations secure.

Phishing training and awareness

Phishing is one of the most common modes of entry for business email compromise attacks, so employees need to be trained to recognize and deal with it appropriately. Humans are the weak link here – state-of-the-art technical defenses become useless if hackers can use social engineering to trick an employee into handing over their passwords and giving them entry into the company’s systems.

Employees need to be made aware of the wide range of phishing and other social engineering attacks, how to recognize them, and what to do if they become suspicious of an attack. They need repeated training to both remind them of the various attack possibilities, as well as just how serious the results can be.

It’s important to encourage a company culture of phishing awareness, and also to make employees feel comfortable with asking someone in IT if they ever become suspicious or aren’t quite sure whether a message is legitimate.

With regular training to defend against phishing and other modes of social engineering, it becomes much more difficult for a hacker to gain a foothold inside a company. This significantly reduces their chances of launching a successful business email compromise attack.

Preventing malware

Keyloggers and other spyware are also often used by hackers to find out the passwords of their targets. They often slip this malware onto the computers of their unsuspecting victims, then wait for the program to send back the login credentials they desire.

If companies want to minimize the chances of business email compromise and other attacks, then they need to have the right tools and policy in place to limit the chances of malware ending up on their systems. Some of the key tactics for reducing malware infections include:

  • Keep operating systems, browsers and other apps updated to the latest versions – When developers become aware of security holes, they generally fix them and issue the patches with the next update. If your systems and applications aren’t being updated as soon as possible, hackers can use the latest vulnerabilities to make their way in. If you enable auto-updates wherever possible, you can enjoy the security benefits without having to lift a finger.
  • Only allow trusted programs to be installed on work computers.
  • Have a well-configured firewall and antivirus solution in place.
  • Make sure employees are aware of the social engineering tricks that can be used to manipulate them into downloading malware.
  • Block insecure websites.
  • Enforce strong and unique passwords – These can help to prevent hackers from being able to access your company’s systems, which stops them from installing malware once they are inside.

Email filtering

Email filtering can also play a role in reducing business email compromise. Well-tuned email filters can significantly reduce the number of phishing emails that make their way into employee inboxes, which helps to prevent them from falling for these traps. They can’t be deceived if they never receive the phishing attempt.

While email filters certainly won’t hurt, it’s important to recognize that email filtering won’t be able to block many business email compromise attacks. This is because many of these scam emails are highly tailored to their targets, rather than general emails spammed in bulk.

When attackers take the time to construct these messages carefully, filters often can’t tell the difference between these scams and legitimate emails, so there is no way for the filters to block the messages.

It’s also worth noting that email filtering can’t protect an organization if the attacker has hijacked an employee’s account. If the message is coming from a company account, the filter won’t know whether or not it has been compromised by an attacker.

Flag domain spoofing attempts

Organizations can adopt several different measures to reduce the chances of email spoofing attacks succeeding. They can implement email authentication standards such as SPF, DKIM and DMARC, so that a message claiming to come from the company’s own domain can be checked against the servers authorized to send for it, and configure their mail system to flag emails that originate externally or whose reply address differs from the From address.

In both cases, when an employee receives a spoofed email that appears to have come from within the company, they will see that it has been flagged, which notifies them not to trust the message.
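The gateway-side checks described in this section, together with the lookalike-domain and altered From-header tricks from the spoofing bullet earlier, as an added example that is not code from the original guide. It assumes a hypothetical internal domain, blandcorp.com, borrowed from the article’s example, and reads the Authentication-Results header that a receiving mail server adds after evaluating SPF, DKIM and DMARC; the sample message is constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical internal domain, taken from the article's lookalike example.
INTERNAL_DOMAINS = {"blandcorp.com"}

def domain_of(header_value):
    """Return the lower-cased domain part of a From/Reply-To header value."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; each insert, delete or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True when the domain is one edit away from an internal domain but not equal to it."""
    return any(d != domain and edit_distance(d, domain) <= 1 for d in INTERNAL_DOMAINS)

def parse_auth_results(header_value):
    """Turn 'authserv; spf=fail ...; dmarc=fail ...' into {'spf': 'fail', 'dmarc': 'fail'}."""
    results = {}
    for clause in str(header_value or "").split(";")[1:]:  # clause 0 is the authserv-id
        token = clause.strip().split(" ", 1)[0]
        key, sep, value = token.partition("=")
        if sep:
            results[key.lower()] = value.lower()
    return results

def flag_message(raw):
    """Return the warning tags a mail gateway would attach to this message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    auth = parse_auth_results(msg.get("Authentication-Results"))
    flags = []
    if from_dom not in INTERNAL_DOMAINS:
        flags.append("EXTERNAL")           # originated outside the organization
    if is_lookalike(from_dom):
        flags.append("LOOKALIKE_DOMAIN")   # e.g. bandcorp.com posing as blandcorp.com
    if reply_dom != from_dom:
        flags.append("REPLY_TO_MISMATCH")  # replies would go somewhere other than the visible sender
    if from_dom in INTERNAL_DOMAINS and auth.get("dmarc") != "pass":
        flags.append("DMARC_FAIL")         # claims to be our domain but did not pass DMARC
    return flags

# Constructed sample message (not real mail): the From header claims the company's
# domain, but the Reply-To points at a lookalike and DMARC evaluation failed.
SPOOFED_P2 = (
    "From: Denise Reeves <denise@blandcorp.com>\n"
    "Reply-To: denise@bandcorp.com\n"
    "Authentication-Results: mx.blandcorp.com; spf=fail smtp.mailfrom=example.net;"
    " dkim=none; dmarc=fail header.from=blandcorp.com\n"
    "Subject: Urgent transfer\n\nPlease wire the deposit today.\n"
)

if __name__ == "__main__":
    print(flag_message(SPOOFED_P2))  # ['REPLY_TO_MISMATCH', 'DMARC_FAIL']
```

A real deployment would take the internal domain list and the DMARC disposition from the gateway’s configuration rather than a constant, and would turn the tags into a visible banner or a quarantine action.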

Look out for spelling and grammatical errors, or a strange communication style

A lot of cybercriminals are non-native English speakers, so their attempts at business email compromise may come with far more errors than would normally come from the sender. Many of us also have a noticeable style when we write our emails – if an employee suddenly receives a message that doesn’t match the usual tone, style or quality of their correspondent, they should be suspicious.

If an employee notices any of these inconsistencies, they should take the time to investigate and maybe show the emails to IT or a knowledgeable coworker. They need to make sure that they don’t rush into any suspicious circumstances, or give in to any requests to transfer money.

Implement an appropriate security policy

An organization’s security policy needs to take its assets into account and come up with an overall framework that helps to reduce the unique risks that it faces. If your company’s security policy doesn’t take business email compromise scams into account, then it will need to be reviewed and updated with a new plan for how it will combine technology, procedure and organization to minimize these risks.

Follow procedures and always be a little suspicious

If employees receive an email from a higher-up that demands they break the rules, they need to refuse the request. Procedures are generally there for a reason – to prevent problems from occurring.

Employees should be on the lookout for strange requests in general, and always notify the appropriate party when they receive demands that are out of the ordinary. If an odd email comes from their direct boss, it may be best to contact them by phone or in person, just to confirm that there is no foul play at hand.

Alternatively, the employee may be able to take their concerns to the IT department or other authority figures. It’s much better for an employee to ask when in doubt – it only takes a few minutes, and can prevent tremendously expensive mistakes from occurring.

Companies need to create a culture that encourages this type of double-checking – if employees are shot down for their questions, then they are much less likely to take these simple steps that can save organizations from disaster.

The business email compromise defense checklist

  • Revise the security policy to take the risks of business email compromise into account.
  • Ensure that all employees follow the policy without exceptions.
  • Encourage a culture of asking questions and confirming requests whenever employees come across something unusual.
  • Provide regular phishing and social engineering training.
  • Minimize malware entry points.
  • Adopt an appropriate email filtering system.
  • Flag domain spoofing attempts.

Even with all of the above procedures and tools in place, it’s not possible to completely eliminate the risks of business email compromise. If attackers are motivated enough, they can launch incredibly sophisticated scams that could trick the best of us.

Despite this, an organization that takes the time to implement all of the above and actively monitor the latest developments in business email compromise will reduce the threats it faces to a very manageable level.

With the right procedure and tools, it becomes much more difficult to successfully mount these attacks. In most cases, cybercriminals will simply move on to easier targets when they discover your organization’s formidable defenses.