OneVoice CSDA Newsletter,  September 2017

BEC or CEO Fraud

Article 2 in a series of 3.

By Michael Menz, Director, Hewlett Packard Enterprise

Do you know what “BEC” stands for? Not David Beckham, everyone knows David and the Manchester United soccer team. This BEC stands for Business Email Compromise. Another name is “CEO Fraud.”

Criminal hackers are like every other businessman: they want to maximum the profit for minimum investment/their time. This type of scam is very profitable since it only needs to be successful a few times to be highly cost-effective for the criminal hacker.

Criminal hackers will first do their research before launching an attack. They select the business on which to launch a BEC attack, then use social engineering skills and public records to find out the name and email address of the CEO and CFO. They decide who their victim will be within the business, normally employees in the financial side. They look for a person in the finance department who manages money. The criminal hacker will send a fraudulent email, impersonating the CEO or CFO, and try to trick their victim into initiating one or more wire transfers.

An offshoot of this trick is to send an email to a victim business’ customer who pays their bill via online money transfers. The criminal hacker will spoof the sender address and ask the victim company to change the banking number because of a recent change in banking. They make the change thinking they have been communicating with the legitimate business but it has really been the criminal hacker.

A successful BEC attack results in successful intrusion into the victim’s business systems, unrestricted access to the victim’s employee credentials, and substantial or massive financial loss for the company.

Some of the other techniques criminal hackers use could be Spoofing or typosquatting legitimate email addresses, using a domain name similar to the targeted business’ actual domain name. They will use an urgent tone, requesting that the funds transfer is done “ASAP.” They are needed now. The CEO or CFO is in a meeting and they cannot be disturbed during the meeting by email exchanges or phone calls. They will trick the victim again by implying that the sender is using a device to write the email by using the well-known and frequently-used phrase “Sent from my iPad,” in lieu of the corporate email signature. These techniques are very effective by implying the email is sent from a mobile device which excuses any poor English, misspelling, or lack of an email signature. Those are triggers to normally recognize phishing emails. The “ASAP” is important because the sender would have waited until he was back at his desk. Hackers might also use social engineering to find out when the executives are traveling for business and tailoring it to the counties they are traveling in making their scam even more credible.

So, what can you do to stem the tide on this type of fraud?

  • Educate your employees about the scam. Have them monitor email addresses in their inboxes to avoid spoofing or typosquatting.
  • Train them to always question any emails requesting fast actions, whether they seem unusual or not, especially if the request is not following normal procedures.
  • Advise them to make a phone call to verify the legitimacy of a business partner or supplier by a known good number, not one sent in the email.
  • Use two-factor or multi-level authentication for initiating wire transfers.

Until next time, Be Safe

Michael Menz – Michael is a Director for Hewlett Packard Enterprise, the eDiscovery, Investigations & Forensics teams.

His prior career was a detective for the Sacramento Sheriff’s Department, High Tech Crimes Task Force.