Business Email Compromise
Investigation – BEC Scam
What is Business Email Compromise (BEC Scam)?
Business Email Compromise (BEC) is a technique used by an attacker that allows him to gain access to a business email account and then he starts imitating the identity of the email account owner. Then he tries to trick employees, customers or partners with the purpose of sending him money to a third party bank account.
A malicious third party will usually an account with an email address that resembles the one on the organisations domain name, so that he can establish trust between the victim and their own email.
Sometimes this technique that we call BEC Scam is referred as a “man-in-the-email attack”.
The most common cases involve malicious third parties focusing their attention to the employees who are in control of company finances, such as accountants or personal secretaries and perform various techniques to trick them into issuing wire transfers to their bank accounts while they try to maintain trust, but in reality the money is paid to the scammer’s bank account.
BEC Exploits
In a BEC exploit, the attacker typically uses the identity of someone on a corporate network to trick the target or targets into sending money to the attacker’s account. The most common victims of BEC are usually companies that utilize wire transfers to pay international clients.
Although the perpetrators of BEC use a combination of tactics to trick their victims, a common plan involves the attacker gaining access to a business network utilising a spear-phishing attack in conjunction with some form of malware. If the attacker stays undetected, they can spend time studying all facets of the organisation, from vendors, to billing systems, to the correspondence habits of executives and other employees.
At an appropriate time – usually when the employee being impersonated is out of the office – the attacker will send a bogus email to an employee in the finance department. A request is made for an immediate wire transfer, usually to any trusted vendor. The targeted employee thinks the money is being sent the expected account, but the account numbers have been altered slightly, and the transfer is actually deposited in the account controlled by the criminal group.
If the money fraud fails to be spotted in a timely manner, the funds can often be close to impossible to recover, due to any number of laundering techniques that transfer the funds into other accounts.
Techniques used for Business Email Compromise
- Spoofing legitimate email accounts and domain names: Scammers using variations of corporate addresses and corporate domain names such as mike@mydomain.com to mlke@myd0main.com
- Spear – Phishing: Sending emails from trusted senders within the domain in order to extract personal or confidential information from victims.
- Ransomware: Sending emails with attachments such as invoices, legal documents or payment information about salaries so that the victim can open them and be infected.
Specific Types of BEC
These are some specific types of popular BEC Scams
- Fake Invoice Scheme: Perpetrators pretend to be the suppliers or customers of the company that is targeted and they request money transfers so that payments can be directed to an account owned by the scammers.
- CEO BEC Scam: Scammers often send emails to private secretaries of CEOs or to the accounting department, asking for urgent money to be paid in to their “secret” personal accounts
- Attorney Email Scams: The scammers to be lawyers or representatives from law enforcement agencies and request money to be paid into their account to avoid law suits.
- Data Theft: This attack is targeting HR departments and it is usually an urgent request to disclose personal information about employees of the company. It seems innocent but this is the first phase of a larger coordinated effort to penetrate the company.
BEC Scam Investigation
If you have been a victim of a BEC scam there should be a thorough research from digital forensics investigators and the legal department in order to issue a forensics report that will describe the incident in more technical detail.
Tictaclabs can help you in this investigation so you can contact us for further support.