Not Worried About BEC? Here’s How Bad It Can Get
Business email compromise, or BEC, has become an increasingly important vector for online criminals seeking high-value paydays.
The basic idea is that the criminal engages one or more specific individuals inside a target company, chosen because they have the authority to reveal the information or take the action the criminal is seeking. The attacker sends email to the target with a spoofed From address that matches the identity of a high-authority team member such as the CEO. The scammer seeks to draw the target into an email dialogue that ultimately leads to a request for a wire transfer of a large sum of money to a bank account controlled by the spear phisher.
The reason these attacks are successful is that it is perfectly appropriate for the impersonated individual to require this action from a subordinate. The only problem is that the money does not go toward the stated purpose but into the hands of a bad actor.
So these wire transfers, are they for a lot of money? In April 2016 the US government filed a court action to try to help an unnamed company recover money it lost to a BEC scam. How much money did the company lose?
$98,900,000. That’s how much.
Yes, a single company in a single incident lost not quite $100 million to a spear phisher communicating through email.
The good news for the unnamed company is that the initial receiving bank stopped $74 million of that money from making its way into the warren of accounts in various countries intended to swallow it up. But that still leaves $25 million in the wind.
This transfer resulted from a sophisticated BEC scam spoofing the email address of a vendor, but frequently these attacks spoof an internal address instead. Either way, email authentication cuts an attack like this one off at the knees.
One particularly interesting component of the attack is that an outside vendor was the party spoofed. The implication is that large organizations with a lot of power should require that their vendors, agencies, and partners have DMARC enforcement in place. By doing so and also enforcing DMARC on its own domains, one of these companies can make its entire ecosystem secure from these attacks.
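To make concrete what DMARC enforcement decides for a message whose From domain is spoofed, here is an added Python model of the receiver-side check (example code written for this page, not from the article or any DMARC implementation). Domain names are constructed placeholders, and organizational-domain lookup is simplified to the last two labels (a real receiver uses the Public Suffix List).

```python
"""Model of how a receiving mail server applies a DMARC policy to one message.

Constructed example: domain names are placeholders, and the organizational
domain is approximated as the last two labels (real receivers use the Public
Suffix List, RFC 7489 section 3.2).
"""

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC 7489 defaults: relaxed alignment for both SPF and DKIM, policy none.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, record, spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False) -> str:
    """Return 'pass' or the From domain's p= policy (none/quarantine/reject).

    DMARC passes only if SPF or DKIM passed AND the domain that passed is
    aligned with the RFC5322.From domain. A spoofed From: header over the
    attacker's own SPF-passing server fails alignment, so p= applies.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Spoofed vendor From: header sent from the attacker's infrastructure.
    for policy in ("v=DMARC1; p=none", "v=DMARC1; p=reject"):
        print(policy, "->", dmarc_disposition("vendor.example", policy,
                                              spf_domain="attacker.example", spf_pass=True))
```

With p=none the spoofed message is still delivered (monitoring only); only an enforcing policy such as p=reject causes the receiver to drop it, which is the distinction the paragraph above draws.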