Business email compromise (BEC) happens when a hacker manages to steal the username and password of an email account and impersonates the real owner to scam the company, its vendors, suppliers, business partners, or even its employees for money or sensitive information for further attack or criminal use.
Figure 1. Illustration of How BEC works
This is different from the spam mails that you are receiving all the time because the hacker is pretending to be the owner of this genuine email account which is a trusted source for all the email recipients. The best Spam filter will let the emails from this genuine but compromised account pass through. Hence the success rate of BEC scamming or defrauding is much higher than the normal spam, spoofing, or phishing email.
Let’s take a look at some cases of BEC in the past.
Nikkea’s $29 million vendor compromise attack
In 2019, a US employee at Japanese media conglomerate Nikkea transferred a staggering $29 million to a hacker impersonating a Nikkea vendor. This new spin on business email compromise is known as vendor email compromise, in which a vendor’s email is compromised and then used to email customers and clients. With a hacker using a compromised email address, there is no reason for a victim to be suspicious about requests for payment.
What’s notable about the above examples is that all involve the diversion of large sums of money. In other words, it would be extremely difficult for any of the above transactions to go undetected for long. This is precisely why the FBI has a good recovery rate: quick reporting equals fast response and recovery.
To cope with the quick response rate of authorities, hackers have been hitting smaller targets—SMBs—and requesting smaller sums of money in increments. This makes the transactions more likely to go undetected for a longer duration, giving the hacker time to clean out accounts and move on to the next target.
Financial firms got BEC attack and lost 1.3 million
In another example, the attackers infiltrated and monitored the Microsoft 365 accounts of three financial firms. After creating lookalike domains for these firms and for their partners, accounts, and banks, the criminals diverted certain emails to these phony domains. Using this type of “man-in-the-middle” scheme, the groups behind the campaign managed to request and receive money transfers worth more than $1.3 million.
US based business: US$400,000 loss from Business Email Compromise
The payments team received an email from the CEO, asking that payments be set up for new beneficiaries. A member of the team created and authorised the payments. By the time the team realised that the requester’s email address did not exactly match the CEO’s, it was two days later and the perpetrator had stolen nearly US$400,000.
Global commodity trading platform provider: US$1,200,000 loss
An employee received an email from the CEO, requesting a new payment. This was authorised and made by two other staff members, the first employee even confirming with the CEO that the payment was legitimate. It was later discovered that the CEO’s email had been compromised, and that the CEO and employee had been talking about two different payments. The company lost US$1,200,000.
S$32 million lost to email scammers impersonating business partners, employees: Police
SINGAPORE: Victims have lost at least S$32 million to scammers impersonating business partners or employees, the Singapore Police Force said in a news release on Tuesday (Nov 26).
From January to September 2019, police received 276 reports of such scams, where scammers used hacked or fake email accounts to pose as business partners, requesting fund transfers from the victims.
So how is this going to affect your business?
Obviously, the revenue loss to the scammer is a huge blow to the company’s bottom line. When your customer transfer payment to a designated bank account stated in an official email originated from your company, they tend to believe they have paid, regardless if your email account was compromised and the email was sent by a hacker.
When this incident is made known to other customers and suppliers or vendors in the market, it will put quite a big dent in the company’s reputation.
Last but not least, your relationship with the customer (who transferred the money according to the hacker’s instruction) would really suffer. Worse, you may never get any repeat order from this customer.
Since your spam filtering software will not solve this problem, setting up best practice in your SOP to help you and your team defend BEC will definitely help.
- Establish written processes and procedures for handling financial transactions, including call-back procedures or in-person confirmation. This is especially true for your customer.
- Contact the vendor directly to confirm email requests for financial transactions.
- Limit the number of employees authorized to make financial transactions.
- Increase employees’ awareness of BEC and phishing emails.
Prevention System Against BEC
Best practice and SOP only work when they are enforced religiously which is not an easy task. Therefore, in order to mitigate BEC where Spam filtering software fails, AfterOffice has developed the Suspicious Access Prevention (SAP) feature which blocks any email login from outside of Malaysia even with the correct username & password, as most of the hacking activities are done from overseas.
When login with the real owner’s password happens outside of Malaysia, the SAP email alert will be sent to the admin as well as our support team. If the user is actually travelling oversea, the admin can help disable the SAP for the period until the user is back home.
If the user is not travelling oversea, then very likely the user’s laptop or PC system has been infected by Malware with keg logger which steals all username and password in the system while the user is logging in. First thing the company email admin needs to do is to reset the password, followed by a thorough clean-up on the user system. Or else resetting the password will not help at all if the malware is still hiding. The best way to get the malware out of the system is to reformat the hard disk. Hence, having all your files backed up is essential.
When the employees need to travel overseas, the admin can disable this feature for the traveling period. This has helped prevent many of our customers from falling into scams from such type of BEC attack.
If you have any questions regarding BEC or on your web and email hosting requirements, post them at the following preferred contact channels at your convenience.
Office: +603-7877 4680 WhatsappMe
The Commitment of AfterOffice Team:
Web & Email Hosting Cost Savings
One of our existing clients, a JV of Taiwanese and Japanese manufacturer, used to pay the amount of RM 7,056 per year for their email hosting services, and we managed to cut their email hosting services annual cost to RM 3,500 to serve all their email users. That is more than 50% cost savings.
We are more than happy to help your business save up to 50% on your web & email hosting. Even if you are paying less than 1k a year right now, we will find ways to get you the saving with additional value, especially on the mitigation of Business Compromise Email (BEC).