British Emporium Consultancy? Nope. Business Enterprise Controls? Closer, but no. BEC is the acronym for business email compromise. One of the contributions the era of cyber theft is making is the enrichment of the language. Phishing begot whaling, and on it goes.
A week ago my daughter casually mentioned that her boyfriend, who works as an independent contractor for a technology firm, had his IRS Form W-9 compromised. (The US Internal Revenue Service produces this form so that businesses can get information from vendors hired as independent contractors, including their social security number or taxpayer identification number). How did the compromise happen? The company’s HR director got an email from the company president, who was on vacation, stating he needed all the W-9’s immediately. The HR director promptly sent them. One might ask, as you undoubtedly are asking, why would the president want these forms? That would be the right question, one that, in this instance, did not get asked. This would be a good example of a business email compromise (BEC), a scam in which an attacker pretends to be an executive and sends a realistic-looking email to a colleague requesting a large wire transfer or sensitive company information like intellectual property or HR/payroll information.
Writing in JD Supra Business Advisor, Kathleen Porter set forth how BEC typically works. “BEC hackers and scammers involved are sophisticated—they monitor and study their victims for extended periods. They first identify the individuals at a business in finance, accounting or treasury functions who may send wire transfers. Then, they study the habits of these businesses and the individuals on LinkedIn, Facebook and other social media and wait for the right moment. Familiar BEC scams include emails from (i) a foreign supplier of a business with “new” wire transfer instructions for the next invoice payment, (ii) a traveling executive to a finance employee of the business to request an “urgent” and/or “confidential” wire transfer, (iii) the fraudster using a spoofed email to pose as a legitimate employee, customer or supplier of the business, or (iv) the fraudster posing as the attorney for the business requesting wire transfers relating to transactions or deals that are soon closing.”
BEC schemes are exploding. According to the FBI’s Internet Crime Complaint Center (IC3), $3.1 billion has been lost globally to BEC fraud. The IC3 said it has seen a 1,300 percent increase in losses from BEC attacks since January 2015. Moreover, there are recent cases suggesting that BEC approaches are now being used to deliver malware payloads as well, ratcheting up the threat level.
As it happens, even the newest of fraud schemes can be addressed by age old advice. It may be difficult to challenge an email from a senior corporate executive, but the prudent course remains…trust, but verify.
By Tom Davis, SDI Cyber Risk Practice
July 19, 2016