Police: Online Fraud Advisory: Business E-mail Compromise (BEC) Scam

The Bermuda Police Service (BPS) wishes to advise the Bermuda business community in regards to an emerging cyber threat named ‘Business Email Compromise’ (BEC), also called ‘CEO fraud’, which has so far resulted in the loss or attempted loss of significant sums from local businesses.

Organised Crime Groups make use of publicly available contact information to collect email data of company executives and accounts department employees. An email impersonating the executive is sent to the accounts department employee, which requests an urgent overseas payment to be made. An example of a spoofed email is attached. The below example relates to a generic email taken from the internet.

In 2016, the FBI issued a press release confirming this type of fraud had seen a 1300% increase, with a combined loss of over $3 billion (https://www.ic3.gov/media/2016/160614.aspx).

The FBI note the characteristics of Business Email Compromise include:

Businesses and associated personnel using open source e-mail accounts are predominantly targeted.
Individuals responsible for handling wire transfers within a specific business are targeted.
Spoofed e-mails very closely mimic a legitimate e-mail request.
Hacked e-mails often occur with a personal e-mail account.
Fraudulent e-mail requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as not to raise doubt.
Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
Victims report that IP addresses frequently trace back to free domain registrars.

Detective Superintendent Sean Field-Lament of the BPS Crime Division states – “I wish to raise awareness of the Bermuda business community in regards to an emerging cyber threat named ‘Business Email Compromise’ (BEC), also called ‘CEO fraud’. The Organized and Economic Crime Department has received three reports in the last 10 days from local businesses regarding significant cyber-enabled fraud incidents. Two frauds resulted in the loss of $1.3M and $4M in separate incidents, and the third attempt at a different business was discovered before funds were actually transferred. The BPS would encourage all companies to review their business processes to guard against this type of cyber-crime.”

Prevention and awareness are the key suggestions for protection and best practice:

Businesses with an increased awareness and understanding of the BEC scam are more likely to recognize when they have been targeted by BEC fraudsters, and are therefore more likely to avoid falling victim and sending fraudulent payments.
Businesses that deploy robust internal prevention techniques at all levels (especially targeting front line employees who may be the recipients of initial phishing attempts), have proven highly successful in recognizing and deflecting BEC attempts.
Some financial institutions reported holding their customer requests for international wire transfers for an additional period of time, to verify the legitimacy of the request.

Further to the above, the FBI has compiled a list of self-protection strategies:

Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out of office details.
Be suspicious of requests for secrecy or pressure to take action quickly.
Consider additional IT and financial security procedures, including the implementation of a 2-step verification process.

For example –

Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
Delete Spam: Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
Consider implementing Two Factor Authentication (TFA) for corporate e-mail accounts. TFA mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to login: something you know (a password) and something you have (such as a dynamic PIN or code).
Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
Register all company domains that are slightly different than the actual company domain.
Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
Know the habits of your customers, including the details of, reasons behind, and amount of payments.
Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.

Additional information is publicly available on the United States Department of Justice website at https://www.justice.gov/criminal-ccips/ccips-documents-and-reports under the ‘Topical White Papers’ publication entitled “Best Practices for Victim Response and Reporting of Cyber Incidents