EXPERT OPINION
invoices that need paying or from the corporate law firm.
In some cases, executive accounts are hijacked by hackers via phishing attacks or credential stuffing and then used to carry out the same scams. However, this time it’s even harder to spot the malicious intent, as there are no tell-tale signs of spoofing. Sometimes HR or finance staff are targeted directly to harvest employee information designed to make future attacks more convincing.
A billion-dollar problem
According to the FBI, BEC losses accounted for nearly half of the US$2.7 billion (£2 billion) linked to reported cyberattacks in 2018, more than any other cybercrime category. That’s despite the number of victims (20,373) being relatively low.
Separate figures claim a 133% increase in BEC incidents, while over half (53%) of respondents to a Lloyds Bank survey last year claimed they’d spotted fraudsters posing as their boss. The lender estimates around 500,000 UK SMEs have been hit, with 7% claiming they’d experienced financial losses and 6% saying they had to make staff redundant as a result.
In fact, BEC is a threat to big-name brands, SMEs and everyone in between. Fraudsters made €19 million (£16 million) from film company Pathé and €50 million (£43 million) from Austrian aerospace firm FACC, both resulting in not just monetary loss but the firing of the firms’ respective CEOs. Most recently, Google (US$99 million, £77 million) and Facebook (US$23 million, £18 million) were defrauded of huge sums by a single scammer who recently pleaded guilty in a US court.
Scammers get smart
If tech giants like these, and their digital-savvy employees, can be caught out, then so can the vast majority of businesses. The scammer who targeted Google and Facebook went to great lengths to trick the victim organisations and stay hidden from investigators, opening bank accounts in the name of a supplier company before sending fake invoices demanding payment.
He’s even said to have forged their corporate stamps on fake contracts and letters to deceive the banks the funds were wired to.
In another sign of the growing professionalisation of BEC campaigns, one firm last year revealed the existence of a new organised crime group which used commercial lead generation services to identify 50,000 executives to target, 71% of whom were CFOs.
The sophisticated ‘London Blue’ operation is an international outfit in which each member has a specific role, from lead gen to customising emails, receiving and laundering funds, and recruitment of money mules. Most recently, a new target list of 8,500 execs in Asia and the US was uncovered.
It’s not just email channels that IT security teams need to be monitoring. In another relatively new tactic, scammers try to transfer the victims to mobile platforms as soon as possible. The instantaneous communication of SMS or IM makes it harder for the victim to stop and think about what’s happening to them.
This is a particularly useful method for gift card scams, in which the victim is tricked into buying a set of gift cards on behalf of the ‘CEO’ or similar. After purchasing, they’re told to scratch the backs off to reveal the redemption codes, take a photo and send it immediately. These codes are then monetised online.
Tackling the threat
There’s no single silver bullet solution to the growing threat of BEC to corporate reputation and the bottom line. However, by focusing on cybersecurity best practices combining technology controls
Issue 15 | www.intelligentciso.com