Business Email Compromise: How Big Is the Problem?AusCERT Session Focuses on Origins, Traits of Fraud Schemes
The business of executive email hacking is booming. Wedging themselves deeply inside company email systems, fraudsters are stealing hundreds of millions of dollars by impersonating key personnel and initiating large wire transfers.
See Also: DevOps - Security's Big Opportunity
The FBI said in August 2015 that the scam, known as business email compromise, had cost organizations $1 billion worldwide. But in April, the agency raised its estimate, saying at least $2.3 billion had been lost. And those are only the incidents that have been reported.
"We don't really know how big a problem it is," says Donald McCarthy, vice president of operations with myNetWatchman, who gave a presentation at the AusCERT computer security conference near Brisbane, Australia, on May 26.
Lucrative and Simple Schemes
The losses are causing turmoil. On May 25, Austrian aerospace manufacturer FACC fired CEO Walter Stephan after the company lost $47 million in a wire fraud scam, Reuters reported. The attackers posed as Stephan in an email.
McCarthy has studied the schemes extensively. They're highly lucrative and devilishly simple. The attackers, many of whom are based in West African countries, use login credentials gained through phishing schemes to gain control of company email accounts.
Once inside, the fraudsters extensively study the company's processes and how employees communicate with one another, particularly around financial transactions. The attackers are patient, taking time to understand the relationships between key people in a company and learn how to mimic the right tone in communications so that a deception won't be detected.
When the time is right, a fake invoice or request is sent from a real employee's email account for a wire transfer.
"By the time the money is sent, it's very hard to claw back," McCarthy said.
Part of the problem is that companies have made themselves easy targets by publicly revealing too much information about their employees, he says.
"Companies love to put their executives out there front and center on their blogs," says McCarthy. "That really gives the attackers everyone they would need to know. They understand the relationships with stakeholders."
What has made companies as well as high net worth individuals vulnerable is that much of their critical financial communication takes place over email. If attackers have control of email accounts, no security product is capable of coming to the rescue.
The attacks essentially achieve "the effect of Eastern European malware without the malware," McCarthy says.
Even if a company suspects that email accounts have been compromised, it's often too late. Typically, the hackers set up new rules in a victim's email account that send copies of messages to their own accounts and then immediately delete those messages. Even if an employee changes their password, the fraudster still has access to communications.
"It's a great persistence mechanism," he says.
Not a Technology Problem
The problem of business email compromise is not really a technological one. The scams often rely on exploiting poor controls around how funds are approved for transfers, McCarthy says.
"It's a business process," he says. "If you structure your business process to counter this threat and you structure it well, it's going to survive more than this threat. That just costs you time."
For example, any request to transfer money should not solely rely on email, he says. Organizations should have another way to validate and authenticate payment requests, he explains, "whether it's picking up the phone or whether it's go down the hall to that CFO and validate the transaction. I know that the CFO is busy, and people are afraid to approach him, but I've seen it time and time again where that CFO was happy to delegate the 32 seconds that it took to either authorize or not authorize a transaction that potentially saved the company a half million dollars."