What is business email compromise?
Business email compromise (BEC), also known as interception/impersonation fraud, can be defined as ‘a criminal act where cyber attackers illegally access an email account and communicate as if they are the user’ (Sabric, 2019).
Cyber criminals gain access to an individual’s business email account and impersonate the people who use it (executives, senior managers or supply chain partners) in order to intercept and redirect invoices, changing the bank account details on them to an account the attackers control. In some cases they also trick staff into authorising fraudulent transfers.
The risk is further increased where document management systems can be accessed online using the user’s email credentials. Attackers have been observed garnering further intelligence in order to shape their attack by trawling through debtor information on these portals.
Modus operandi observed
Recently, we have observed attacks on email portals aimed at compromising email accounts. Previously, attacks were carried out using fake email accounts to impersonate individuals; the trend has changed in that attackers now compromise the legitimate email accounts of staff members. Below is the step-by-step process that we observed in the last quarter of 2019:
Employees to be targeted are identified by the attackers.
Attacks are launched against email platforms in order to compromise user credentials.
Once targeted mailboxes are compromised, mailbox rulesets are altered to move incoming emails that match specific criteria (e.g. a particular client’s name or email address) to different folders and to mark them as ‘Read’.
In some instances, where document management systems were available online using the same or similar credentials, attackers garnered further information about which third parties to interact with. The focus was primarily on third parties with outstanding payments.
Additional rules are created to redirect incoming emails to the fraudulent email addresses.
Fake invoices are then generated by the fraudulent parties and attackers interact with clients or third parties using the compromised mailboxes in order to secure payment into their bank accounts.
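The mailbox-rule changes in steps 3 and 5 leave a footprint that a defender can review. The following is an added example, not code from the original article: it scans exported inbox rules for external forwarding, hide-and-mark-read behaviour and filtering on known debtors. The field names mirror an Exchange `Get-InboxRule` export, and the folder list, domain and sample rules are constructed assumptions.

```python
# Added example (not from the original article): flag mailbox rules with the traits
# described above - redirecting mail to an outside address, or parking a client's
# messages in a seldom-viewed folder and marking them read. Field names follow an
# Exchange Get-InboxRule export; the sample rules and folder list are constructed.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                "junk email", "conversation history"}

def assess_rule(rule, internal_domains, watch_terms=()):
    """Return the reasons one rule looks like BEC tradecraft (empty list = benign)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [t for t in targets
                if t.rsplit("@", 1)[-1].lower() not in internal_domains]
    if external:
        reasons.append("forwards/redirects to external address(es): " + ", ".join(external))
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].lower()
    hidden = folder in HIDE_FOLDERS
    if hidden:
        reasons.append("moves matching mail to seldom-viewed folder '%s'" % rule["MoveToFolder"])
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if rule.get("MarkAsRead") and (hidden or rule.get("DeleteMessage")):
        reasons.append("marks hidden mail as read so no unread count gives it away")
    # A rule keyed to a debtor or invoice term is only suspicious alongside the above.
    criteria = [w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])
                + rule.get("FromAddressContainsWords", [])]
    hits = [t for t in watch_terms if any(t.lower() in c for c in criteria)]
    if hits and reasons:
        reasons.append("filters on watched client/invoice terms: " + ", ".join(hits))
    return reasons

def find_suspicious_rules(rules, internal_domains, watch_terms=()):
    """Map rule name -> reasons for every rule that raised at least one."""
    found = ((r["Name"], assess_rule(r, internal_domains, watch_terms)) for r in rules)
    return {name: why for name, why in found if why}

# Constructed sample export: hide-and-mark-read, external redirect, and one benign rule.
SAMPLE_RULES = [
    {"Name": "Client ABC", "Enabled": True, "MoveToFolder": "RSS Subscriptions",
     "MarkAsRead": True, "FromAddressContainsWords": ["accounts@client-abc.example"]},
    {"Name": ".", "Enabled": True, "SubjectOrBodyContainsWords": ["invoice", "payment"],
     "RedirectTo": ["finance.team@outlook-mail.example"]},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "MarkAsRead": True, "FromAddressContainsWords": ["news@vendor.example"]},
]
```

Feeding the output of a real rule export into `find_suspicious_rules` with the organisation's own domains and its list of debtors with outstanding invoices turns the observed tradecraft into a periodic check.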
Prevention is key!
Once funds have been transferred, recovery may be possible if the fraud is detected early enough, and often only with the help of law enforcement. Sound IT controls can help stop these scams in their tracks, such as:
What to do if you suspect your organisation has been scammed
Contact your local law enforcement agency immediately to report the matter.
Contact both your financial institution and the receiving financial institution to request that they stop or reverse the transfer.
Ensure that first responders obtain and store evidence in a digitally sound manner.
Seek advice from counsel about any legal obligations or protective measures, such as insurance coverage for any loss. In parallel, evidence should be secured. This includes the fraudulent communications and logs which are critical to investigating these matters.
Ensure that employees are aware of the scam, how it is being perpetrated, and that they could be a gateway for the scammer.
Finally, enhance controls to minimise the risk of falling victim to these types of attacks.
South African Risk Information Centre (SABRIC) – https://www.sabric.co.za
Ombudsman for Banking Services (OBS) – www.obssa.co.za