Business Email Compromise scams (or email fraud, CEO fraud – or any number of other descriptions) are on the increase.

This report from an email security firm (analysing 142 million emails) published in August showed that there had been an 80% increase in attacks in the last 12 months.

Business Email Compromise (BEC) uses the age-old art of deception. It relies on the two weakest links in the cyber-security chain: humans and email. In particular, it exploits the way that we handle email.

The average worker sends or receives 121 emails per day.  That means we’re conditioned to actioning, filing or deleting emails quickly.  If an email comes from a trusted source and requests action that is expected – we deal with it and move on to the next one.  That’s the first chink in the armour.

The second chink in the armour is that email is inherently insecure. We’ve talked many times about how open the technology is and how difficult it is to secure the contents. It is easily intercepted and readily impersonated. Email is the weapon of choice for cyber criminals – 91% of targeted attacks start with email.

Means, Motive and Opportunity

Business Email Compromise is a classic crime.  There is a motive, there is means and there is opportunity.

The motive is clear – businesses exchange invoices that lead to payment.  The primary means of payment is a wire transfer.   If the fraudster can get to the wire payment, it opens up some very big sums of money.

Email provides both means and opportunity.  If the fraudster can pose as one party in a transaction then we’re pre-conditioned to follow instructions sent by email.  This is the means.

The opportunity is when payment is about to take place.  If the destination of the wire transfer can be changed (or created) then money can be diverted quickly (and in many cases whisked away before anybody realises a crime has been committed).

Scam Number 1 – Updated Bank Details

This is almost too simple. If the invoice can be intercepted, altered and then delivered without it looking any different, then the Accounts Payable process can be tricked into making a payment to the fraudster’s bank account.

The difficulty for the fraudster though is timing.  Many invoices are held for 30 days and if it’s a regular invoice then the Accounts Payable team will have payment details on file already and may become suspicious.

That’s where knowing the pattern and timing of a transaction, and playing on either party’s need for urgency, works in the fraudster’s favour.

This is the common approach for ‘Friday Afternoon Fraud’, which takes place in residential property transactions. An email apparently from the conveyancing solicitor arrives on the day the client is desperate to complete the purchase. The client believes that by making the payment they are speeding up the process. The email tells the client that the bank details have changed and to make their payment to the new account. The client sends a large sum of money directly to the fraudster. Typical losses in this scenario are £70,000.

Scam Number 2 – Panic Message from ‘The Boss’

As well as being pre-conditioned to dealing with email, we’re often pre-conditioned to dealing with important requests from the MD, CEO, Finance Director or anyone else who controls our destiny.

This sometimes happens whilst the boss is on holiday – it only requires the fraudster to gain access to their email account (often done by getting them to click on a link that infects their machine with malware).

The request can be wonderfully human: “Help, this is a bit embarrassing – I’ve just found I’ve been sitting on an invoice and I need to get it paid quickly!” There might even be a prelude email:

Hi Jo – are you at your desk?

Can you deal with something urgent?

What conscientious employee couldn’t resist such a request from the big boss?  The next email gives details of the invoice, the supplier and the bank details.  The money is sent.  Nobody is any the wiser until much later.

Scam Number 3 – It’s safe to send the money now

This uses one of the classic setups for a deception – create a false sense of danger, remove it and use the reduced level of vigilance to strike.

We saw this happen recently in a particularly well executed sting.  It came in two stages:

  1. The “We’ve been hacked – please hold all payments on outstanding invoices until further notice” email – causing a heightened state of awareness (and of course checks made to ensure no payments have been sent)
  2. The second email message “All safe now – we’ve sorted the problems.  We’ve also updated our bank details to ensure everything is safe.  Please make payments on outstanding invoices”

It’s safe to send.  Let’s go.  Money was duly paid (not an insignificant amount).  Result?  Fraudster takes the money and the supplier is still expecting to get paid for goods delivered.  A double loss.

Scam Number 4 – Spoof Invoices

This is a fairly crude approach and relatively easy to spot. But it gets through a surprising number of times. It can be as simple as mimicking an email address or email sender (a quick check through most spam filters will turn up a number of these sitting in there – messages where the displayed sender isn’t actually the address the email came from).

This relies on poor Purchase to Pay procedures – and is often a numbers game for the fraudster.  Target enough businesses with enough low value invoices and eventually a proportion get paid.   Nobody is any the wiser until much later.
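The mimicked-sender pattern above can be checked mechanically before a message reaches Accounts Payable. The following is an added example, not code from the original article: it inspects the From, Reply-To and Return-Path headers of constructed sample messages and reports when the visible sender does not match the real sending address. The internal domain, the executive directory and the messages are all assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.co.uk"  # assumed internal domain (constructed)
# Assumed directory of the people a fraudster is most likely to impersonate.
EXECUTIVES = {"Jo Bloggs": "jo.bloggs@example.co.uk"}

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def sender_findings(raw_message):
    """Return the reasons this message's visible sender looks mimicked."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []
    # Display name belongs to one of our executives, address does not.
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but address is {addr}")
    # A reply would go somewhere other than the apparent sender's domain.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To {reply_to} is not in the From domain")
    # Internal From address, but the envelope sender (recorded by the
    # receiving mail server in Return-Path) is external: forged header.
    if (domain_of(addr) == OUR_DOMAIN and return_path
            and domain_of(return_path) != OUR_DOMAIN):
        findings.append(f"envelope sender {return_path} is external")
    return findings

# Constructed sample messages, not captured traffic.
GENUINE = ("Return-Path: <jo.bloggs@example.co.uk>\n"
           "From: Jo Bloggs <jo.bloggs@example.co.uk>\n"
           "Subject: Re: Q3 invoices\n\nThanks, all approved.\n")
LOOKALIKE = ("From: Jo Bloggs <jo.bloggs@example-co.uk>\n"
             "Reply-To: accounts@mail-example.net\n"
             "Subject: Urgent\n\nAre you at your desk?\n")
FORGED_HEADER = ("Return-Path: <bounce@mailer-example.org>\n"
                 "From: Jo Bloggs <jo.bloggs@example.co.uk>\n"
                 "Subject: Invoice\n\nCan you deal with something urgent?\n")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE),
                       ("forged", FORGED_HEADER)]:
        print(label, sender_findings(raw) or ["no findings"])
```

A message with any finding should be held for a call-back on a known number rather than actioned; a clean result only means the headers are consistent, not that the request is genuine.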

Scam Number 5 – The Credible Third Party

This is similar to the ‘Panic Message’ modus operandi, but it makes the new supplier much easier to hide.

This can be an email from the CEO or the Finance Director stating that there is a confidential project involving a third party adviser (for example, due diligence on possible acquisition targets or a legal case). The email prepares the Accounts Receivable exec for a follow-up email.

The email then arrives from the now credible Third Party with an invoice exactly as expected.

“Why did we pay this new supplier £20,000?” – “Because you asked me to”

The common threads to all five scams are obvious:

  • Wire payments
  • Emails from a compromised or mimicked account that appeared credible and important in the recipient’s inbox
  • A recipient pre-conditioned to action messages from the sender

How do we prevent Business Email Compromise Scams?

Email and Wire Payments are here to stay.   Human nature and the way we deal with email is embedded.

It’s not a matter of IF anymore. With Business Email Compromise it’s a matter of WHEN.

If you use email you are vulnerable. Take the request and instruction out of email and you remove both means and opportunity from the fraudster. Don’t Transmit!