


Contributing writer

Business email compromise attacks cost millions, losses doubling each year

Oct 01, 2019

Cybercriminals follow the money, and you need look no further than Toyota Boshoku's recent $37 million loss to see why many are turning to BEC scams.

In August 2019, someone at Japan’s Toyota Boshoku Corp. received fraudulent payment instructions by email to send 4 billion yen (about $37 million) to a third party — which they did. “We became aware that the directions were fraudulent shortly after the leakage,” the company disclosed in a statement.

The company reacted quickly once it realized the fraud and took appropriate actions to recover their losses — a prospect experts believe unlikely. If it can’t recover the money, it might be forced to restate its earnings forecast downward. That could have a negative impact on its stock price.

This is just the latest high-profile example of business email compromise (BEC). “I’ve seen this happen at least 100 times personally,” says Robert Wheeler, CEO of Strategic Consulting and retired general who was previously a deputy CIO at the Air Force. For example, attackers were recently able to get into a company’s systems, and the CFO received an email from the CEO asking for a large amount of money to be transferred.

The company had security in place, Wheeler says, but this particular attack was able to get through. What saved the company was that they had a process in place that called for a face-to-face confirmation for certain transactions. It was a medium-sized company, so this requirement wasn’t particularly onerous. “That CFO went down the hallway and talked to the CEO about the money,” Wheeler says, “and the CEO said, ‘What money?’ That was their procedure that they had set up for cases that hit a certain dollar amount. It saved them from sending that money.”

It requires a commitment from senior management to put these kinds of policies in place, Wheeler says. “The culture of the C-suite drives the amount of risk the company accepts.”

What is business email compromise?

BEC is a form of spear phishing where criminals target key individuals who control the flow of finances. By impersonating financial officers and CEOs, these criminals attempt to trick victims into initiating money transfers into unauthorized accounts.

Typically, attackers compromise the email account of a senior executive or financial officer by exploiting an existing infection or via a spear phishing attack. The attacker lurks and monitors the executive’s email activity to learn about processes and procedures within the company. The actual attack takes the form of a false email that looks like it has come from the compromised executive’s account being sent to someone who is a regular recipient. The email appears to be important and urgent, and it requests that the recipient send a wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker’s bank account.

BEC fraud is massive and doubling each year

According to a report released by the FBI in September 2019, the global total for BEC fraud surpassed $26 billion since mid-2016. The losses this year were more than double last year’s total, the agency said, with the scam reported in all 50 states and in 177 countries. The primary destinations for stolen funds were banks in China and Hong Kong, followed by the UK, Mexico, and Turkey.

The FBI reported a total of $12.5 billion in global losses from 2013 to 2018 and $2.3 billion in losses from 2013 to 2016. That puts total losses from 2016 to 2018 at $10.2 billion. That means losses from 2018 to 2019 are around $16 billion. Or that 62% of the losses from 2016 on occurred in the past year. So, it’s growing, and fast.

This summer, the Financial Crimes Enforcement Network (FinCEN, a division of the US Treasury Department) reported that the total number of suspicious activity reports filed on financial transactions rose from 500 a month in 2016 to more than 1,100 a month in 2018, and the total value of these reports nearly tripled from an average of $110 million per month in 2016 to $301 million per month in 2018. FinCEN’s rapid response program has been able to recover only $500 million of the money since 2014.

These increases correlate to the overall BEC fraud growth reported by the FBI, FinCEN said. The manufacturing and construction industry was the top target, accounting for 25% of all reported incidents, followed by commercial services, real estate, financial services and health care.

Insurance giant AIG issued a report in July showing that BEC fraud is now the single biggest type of cyber breach claim, accounting for 23% of all reported incidents in 2018, up from 11% in 2017. In terms of insurance claims, BEC is now ahead of ransomware, data breaches caused by hackers, data breaches caused by employees, impersonation fraud, virus or malware infections, system failures or outages, physical loss of assets such as stolen laptops and all other types of claims.

According to a report released this spring by the Association of Financial Professionals (AFP), 81% of companies had received fraudulent emails purporting to come from their own senior executives last year. Forty-four percent received emails purporting to be from vendors, and 33% said they received emails pretending to be other third parties requesting payments or updating payment information. Many companies didn’t fall for those emails. But, according to the survey, many did – 54% of companies said they had lost money, and 29% said they lost more than $100,000.

Larger companies were affected more. According to the survey, 64% of organizations with more than $1 billion in revenues reported BEC losses, and 25% said that losses were over $1 million. According to the AFP, 43% of BEC fraud involved wire transfers, 33% involved ACH credits, 21% involved ACH debits, and 20% involved checks.

Defensive measures

Companies are already taking steps to defend themselves. According to the AFP survey, 76% prohibit payments initiated by email messages or other insecure channels, 76% conduct anti-phishing education, 68% have some form of verification processes in place, and 65% have two-factor authentication for account access. In addition, 51% of companies have a separate phone verification step for fund transfers.

However, there are fewer defenses on the cybersecurity side of the equation. According to the AFP survey, only 30% of companies have technology in place to flag emails with addresses that are similar to company emails, and only 10% use a dedicated PC for payments that has no links to email, web or social networks.

“The controls are increasing,” says Magnus Carlsson, the organization’s manager for treasury and payments, “but we see that these scams keep increasing.” That’s because the criminals keep changing things up, he says.

Since the payoffs can be quite significant, the hackers can spend the time and effort it takes to infiltrate a company’s systems, follow negotiations, and then step in at just the right time in the payment process to divert the money. “It can be weird to think of the lengths they go,” says Carlsson.

Companies need to implement and enforce verification, he says, confirming payment destinations and amounts before money moves. “Based on our survey, it looks like it’s not used enough,” he says.

Companies also need to move away from using email for payments-related communications. According to another AFP survey, released this month, 68% of organizations use email to send remittance information associated with ACH payments. That’s because email is easy and free. Sending the information through a separate payments portal or an EDI communication system adds a level of complication. Using the ACH infrastructure itself to send the remittance information costs money, while emails are free. “We’re using email at too big an extent, particularly for sensitive information,” says Carlsson. “It’s something we need to take a look at.”

Time is money

If the fraud is caught immediately, banks can sometimes reverse the transfers and get some or all the money back. The more of a delay there is, the more time the fraudsters have to move the money to other accounts. With each hop, the money goes somewhere with fewer security controls, less cooperation with authorities, weaker know-your-customer policies, until finally the trail disappears altogether.

According to the AFP survey, only 42% of frauds were discovered within a week. Even if the discovery takes just two or three days, that may be enough time for the criminals to spirit the money away, says Carlsson. Plus, the US financial system is moving to same-day ACH payments, but 56% of companies say they’re not taking any steps to mitigate the additional risk.

4 business process fixes to stop BEC

Set up verification processes

Wheeler recommends that companies set up thresholds at which additional verification steps kick in: for example, any single transaction larger than a certain amount, or a series of smaller transactions in which too many transfers are requested within a given time period. Of course, companies can go overboard with checks and balances as well, he says. One company he works with has nine layers of verification, which slows down payments significantly, aggravates business partners, and slows down business.
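The threshold logic Wheeler describes is easy to express as a policy check that a payments system runs before a transfer is released. The following Python is an added example, not code from the article or from any company it quotes; the dollar thresholds, the seven-day window, the beneficiary labels and the sample transfers are all constructed for illustration, and a real policy would be set jointly by finance and security.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy values chosen for this example (not from the article).
SINGLE_PAYMENT_THRESHOLD = 50_000.00   # any one transfer at or above this needs a second check
VELOCITY_WINDOW = timedelta(days=7)    # look-back window for counting recent transfers
VELOCITY_MAX_COUNT = 5                 # more than this many transfers in the window triggers a check
VELOCITY_MAX_TOTAL = 100_000.00        # a combined total at or above this in the window also triggers one


@dataclass(frozen=True)
class Transfer:
    requested_at: datetime
    beneficiary: str   # constructed account label, not a real account number
    amount: float


@dataclass
class Decision:
    requires_verification: bool
    reasons: list[str] = field(default_factory=list)


def evaluate_transfer(new: Transfer, history: list[Transfer],
                      known_beneficiaries: set[str]) -> Decision:
    """Decide whether a requested transfer must go through out-of-band verification.

    A transfer is flagged if it is large on its own, goes to an account not on the
    approved list, or pushes the recent transfer count or total over the velocity limits.
    """
    reasons: list[str] = []
    if new.amount >= SINGLE_PAYMENT_THRESHOLD:
        reasons.append(f"amount {new.amount:,.2f} is at or above the single-payment threshold")
    if new.beneficiary not in known_beneficiaries:
        reasons.append(f"beneficiary {new.beneficiary!r} is not an approved account")

    # Velocity check: everything already requested inside the look-back window, plus this one.
    window_start = new.requested_at - VELOCITY_WINDOW
    recent = [t for t in history if window_start < t.requested_at <= new.requested_at]
    count = len(recent) + 1
    total = sum(t.amount for t in recent) + new.amount
    if count > VELOCITY_MAX_COUNT:
        reasons.append(f"{count} transfers requested within {VELOCITY_WINDOW.days} days")
    if total >= VELOCITY_MAX_TOTAL:
        reasons.append(f"{total:,.2f} requested within {VELOCITY_WINDOW.days} days")
    return Decision(bool(reasons), reasons)


def run_samples() -> dict[str, Decision]:
    """Evaluate a few constructed requests against a constructed approved-beneficiary list."""
    base = datetime(2019, 10, 1, 9, 0)
    approved = {"VENDOR-001"}
    # Five prior 15,000 transfers to the approved vendor over the past five days.
    history = [Transfer(base - timedelta(days=d), "VENDOR-001", 15_000.00) for d in range(1, 6)]
    return {
        "routine": evaluate_transfer(Transfer(base, "VENDOR-001", 1_000.00), [], approved),
        "large": evaluate_transfer(Transfer(base, "VENDOR-001", 60_000.00), [], approved),
        "many_small": evaluate_transfer(Transfer(base, "VENDOR-001", 15_000.00), history, approved),
        "new_account": evaluate_transfer(Transfer(base, "NEW-ACCT-9", 20_000.00), [], approved),
    }


if __name__ == "__main__":
    for label, decision in run_samples().items():
        print(label, decision.requires_verification, decision.reasons)
```

The routine request passes untouched; the large one, the sixth transfer in a week and the one bound for an unapproved account each come back with the reason the requester must see, so the check that follows (a phone call to a known number, or Wheeler's walk down the hallway) is targeted rather than applied to every payment.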

Take the embarrassment out of BEC victimization

One problem with making these kinds of business process changes, adding email authentication technology, or doing anti-phishing training is that the department responsible for the fraudulent transfer may be too embarrassed to admit that they made a mistake and to ask for help. In addition, lower-level employees may be uncomfortable saying “no” to an email that seems to come from their CEO or other senior executives.

Is embarrassment a big factor in enabling BEC fraud? “If you were to ask me this question 18 months ago, my answer would be an unequivocal yes,” says Wheeler. “But people are starting to realize that this is a real problem and you can’t push it under a rug.”

Embarrassment also has different amounts of impact depending on geography, he says. “When you look at the cultures of other nations, saving face is an important part,” he says. “That is something that will change over time. In the US, we’re probably at the leading edge of being willing to deal with it up front and realize that yes, we’ll be embarrassed, but we need to deal with it because we can’t let it happen again.”

Get finance and security talking

In addition to adding financial controls, such as secondary confirmation steps, companies need to start encouraging finance teams to communicate better with cybersecurity experts. Some simple security controls might make a big impact to the financial department, but security staffers might be focusing on tasks that have a higher impact on computer networks and systems.

Cybersecurity pros need to avoid a “blame the victim” mentality. Yes, the CFO shouldn’t have put through the payment. But their job would have been easier if the company had been using DMARC to block spoofed email addresses, flagging messages whose display name matched someone in the corporate directory while the actual sender address was unknown, and enforcing two-factor authentication for all company email accounts.

Enable fraud detection and prevention technology

Let’s start with DMARC. Domain-based Message Authentication, Reporting and Conformance is a technology standard that lets receiving mail servers verify that a message really comes from the domain in its From address, and tells them what to do with messages that fail that check, which prevents criminals from spoofing the company’s email addresses.

In July 2019, research firm 250ok published an analysis of 25,700 domains owned by Fortune 500 companies, e-commerce firms, educational institutions, government agencies, financial services firms, travel firms and the top 1,000 SaaS providers. These are all high-profile targets for criminals, but 80% of these domains had no DMARC protections in place, and only 8% had their systems set to automatically reject or quarantine bad emails.
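The distinction 250ok draws, between domains with no DMARC record at all, domains that only monitor, and the few that reject or quarantine, comes down to the tags in the TXT record published at `_dmarc.<domain>`. The Python below is an added example, not code from the article or from 250ok; it parses constructed records offline and classifies each one the way such a survey would. The domain names and records are placeholders, not the domains 250ok examined.

```python
from __future__ import annotations

from collections import Counter

# Constructed sample records, as they would be returned by a TXT lookup of _dmarc.<domain>.
# None stands for "nothing published". These are illustrative, not real domains.
SAMPLE_DMARC_RECORDS: dict[str, str | None] = {
    "alpha.test": "v=DMARC1; p=reject; rua=mailto:dmarc@alpha.test",
    "bravo.test": "v=DMARC1; p=none; rua=mailto:dmarc@bravo.test",
    "charlie.test": "v=DMARC1; p=quarantine; pct=100; sp=reject; adkim=s; aspf=s",
    "delta.test": None,                                  # no record published at all
    "echo.test": "v=spf1 include:_spf.echo.test ~all",   # an SPF record where DMARC should be
    "foxtrot.test": "v=DMARC1; p=reject; pct=10",        # policy applied to only 10% of failing mail
}


def parse_dmarc(record: str | None) -> dict[str, str] | None:
    """Return the tag=value pairs of a DMARC record, or None if it is absent or not valid DMARC.

    RFC 7489 requires the record to start with v=DMARC1 and to carry a p= policy tag;
    anything else (no record, an SPF record, a malformed record) is treated as no DMARC.
    """
    if not record:
        return None
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first_key = record.strip().split("=", 1)[0].strip().lower()
    if first_key != "v" or tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def classify_policy(record: str | None) -> str:
    """Map a record to one of: none-published, monitor-only, partially-enforcing, enforcing."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none-published"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "none-published"          # an unknown p= value gives receivers nothing to act on
    if policy == "none":
        return "monitor-only"            # reports are sent, but failing mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return "enforcing" if pct >= 100 else "partially-enforcing"


def summarize(records: dict[str, str | None]) -> Counter:
    """Count how many domains fall into each enforcement category."""
    return Counter(classify_policy(r) for r in records.values())


if __name__ == "__main__":
    for domain, record in SAMPLE_DMARC_RECORDS.items():
        print(f"{domain:14} {classify_policy(record)}")
    print(summarize(SAMPLE_DMARC_RECORDS))
```

Only records whose policy is `reject` or `quarantine` with the full `pct` count as the protection the article describes; `p=none` is useful for discovering who sends mail in a domain's name, which is the inventory problem Blank raises below, but it stops nothing on its own.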

One group working to change that is the AuthIndicators Working Group, a vendor-neutral industry group trying to get companies on board with DMARC authentication. The problem, says group chair Seth Blank, is that large companies typically have lots of different email services and enabling DMARC can take some work. “If you’re standing up an email domain name from scratch, then DMARC is easy,” he says. “It’s really nice and crisp. But if you’ve been around for a long time, it can be hard to go out and find who owns all the email servers and figure out how to get the authentication working.”

Once it’s in place, though, it’s a major security improvement. Approximately 60% of BEC emails involve domain impersonation, he says. The other 40% have either a look-alike email address or a personal email address and use the display name to trick the recipient into thinking that the email is from their CEO or other senior executive.

The stick — all the cases of BEC fraud hitting companies — is clearly not having enough of an effect, says Blank. So, the organization is adding a carrot to the equation. Companies that put DMARC in place will get their company logos displayed in the recipient’s inbox. For a big consumer-oriented company, that could add up to a lot of free brand impressions every month, he says.

It’s called BIMI, Brand Indicators for Message Identification. Yahoo mail is already on board, and Google signed up in July 2019. “Google will be piloting BIMI in 2020,” says Blank. Other backers include LinkedIn, Comcast, Verizon Media and Valimail, where Blank is the director of industry initiatives. Other email providers are expected to launch BIMI trials next year.

Authenticating emails won’t solve the BEC fraud problem completely. For example, if the attacker is able to take over the CEO’s actual email account, then the emails will, in fact, be authentic. But it will significantly cut down on the attack surface and make it much more difficult and expensive for attackers.

Meanwhile, 2FA and user behavior analytics that spot suspicious access can help reduce the risk of email account takeover attacks. “The challenge — and this goes for any organizational change — is that there’s so much momentum in how things have always been done,” says Matt Wilson, chief information security advisor at BTB Security, a cybersecurity consulting firm. “It would be great if everyone would do DMARC, if they would do an identity check.”

In fact, the technology is already there and ready for companies to turn on. BTB Security, for example, uses Office 365 Email. The platform automatically configures everything necessary for DMARC, he says. “This should bring many organizations in line with a strong security practice without any intervention of their own.”

Every major email security vendor has a configuration option to block emails that arrive from outside the organization but carry one of the company’s own domains in the sender address, Wilson says. “That’s a very simple thing to do, with a tool we already own, with almost no downside,” he says. “But companies are having to be dragged kicking and screaming. Maybe once they’re burned, they’ll do something about it.”
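Three of the checks this article mentions run on nothing more than the From header of an inbound message: Wilson's rule that an external message must not claim a local domain, the display-name-versus-directory comparison described in the “Get finance and security talking” section, and Blank's point that the remaining BEC mail arrives from look-alike addresses. The Python below is an added example, not code from the article, from BTB Security or from any mail security product; it assumes a hypothetical `X-Gateway-Origin` header that the company's own gateway stamps on every message, a constructed local domain and directory, and constructed sample messages.

```python
from __future__ import annotations

import email
from email.utils import parseaddr

# Assumptions for this example, none of them from the article.
LOCAL_DOMAINS = {"example.test"}                  # the company's own mail domains
DIRECTORY = {                                     # constructed directory: display name -> legitimate addresses
    "jane doe": {"jane.doe@example.test"},
    "accounts payable": {"ap@example.test"},
}
ORIGIN_HEADER = "X-Gateway-Origin"                # hypothetical header the gateway sets to internal/external
LOOKALIKE_MAX_DISTANCE = 2                        # edit distance at which a sender domain counts as a look-alike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two keystrokes away from a local one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_inbound(raw_message: str) -> list[str]:
    """Return a list of findings for one message; an empty list means no BEC indicator fired."""
    msg = email.message_from_string(raw_message)
    origin = (msg.get(ORIGIN_HEADER) or "external").strip().lower()   # unlabelled mail is treated as external
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name_key = " ".join(display.split()).lower()
    findings: list[str] = []

    # 1. Mail from outside that claims to come from one of our own domains.
    if origin == "external" and domain in LOCAL_DOMAINS:
        findings.append("external message claims a local sender domain")

    # 2. Display name matches a directory entry, but the address is not one that person uses.
    known = DIRECTORY.get(name_key)
    if known is not None and addr not in known:
        findings.append("display name matches a directory entry but the address is not theirs")

    # 3. Sender domain is a near-miss of a local domain (look-alike registration).
    if domain and domain not in LOCAL_DOMAINS:
        for local in LOCAL_DOMAINS:
            if edit_distance(domain, local) <= LOOKALIKE_MAX_DISTANCE:
                findings.append(f"sender domain {domain!r} looks like local domain {local!r}")
                break
    return findings


# Constructed sample messages (headers only; bodies are irrelevant to these checks).
SAMPLES = {
    "spoofed_local": "X-Gateway-Origin: external\nFrom: Jane Doe <jane.doe@example.test>\nSubject: Wire today\n\nbody\n",
    "ceo_freemail": "X-Gateway-Origin: external\nFrom: Jane Doe <ceo.jane@freemail.test>\nSubject: Urgent\n\nbody\n",
    "lookalike_ap": "X-Gateway-Origin: external\nFrom: Accounts Payable <ap@exarnple.test>\nSubject: New bank details\n\nbody\n",
    "real_vendor": "X-Gateway-Origin: external\nFrom: Vendor Rep <rep@vendor.test>\nSubject: Invoice\n\nbody\n",
    "internal_ok": "X-Gateway-Origin: internal\nFrom: Jane Doe <jane.doe@example.test>\nSubject: Lunch\n\nbody\n",
}


def run_samples() -> dict[str, list[str]]:
    """Run every constructed sample through the checks."""
    return {label: check_inbound(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label:14} {findings or 'clean'}")
```

The look-alike distance needs tuning to the length of the domains involved; a threshold of 2 is reasonable for a twelve-character domain but would flag half the internet for a four-character one. None of these checks replaces DMARC: the first catches exactly the spoofing DMARC is meant to stop, and the other two cover the 40% of cases Blank says DMARC does not reach.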

Another area where technology can help reduce BEC fraud is in creating an escalation path for users to follow. Today, most companies don’t have an escalation path, says Eric Favetta, professor of cybersecurity at Fordham University, who’s worked as a security consultant for more than 300 financial services companies. “If the user is able to figure out that it’s a phishing attack, they’ll just hang up the phone or delete the email,” he says. “And the attacker goes onto the next person at the company.”

Enterprises need to set up easy-to-use systems for employees to flag emails and other communications that look like phishing or social engineering attacks, so that other employees will know that there’s a potential campaign underway against them and they should be on the alert.

It may be costly to implement security controls and update business processes, says Favetta. But just accepting the risk and letting the fraud happen would be a big mistake. “I think people understand that if they do not secure their assets, they’ll eventually go out of business.”