The Rise of Business Email Compromise (BEC) and How PKI Can Help

There’s a new-ish acronym in town: BEC (business email compromise). BEC is the label law enforcement agencies and analysts now use for email fraud aimed at businesses and public entities: messages that impersonate an executive, vendor or partner, or come from a mailbox the attacker has taken over, in order to trigger a payment or extract credentials. The name caught on as these scams grew in both frequency and sophistication. As network security hardens, bad actors have to find another way in, and too often users are the weakest link in otherwise secure enterprise systems. After all, you can patch vulnerabilities in your software, but it’s hard to patch bad habits or gullibility in well-meaning employees whose jobs don’t revolve around cybersecurity or scam detection.


How Do BEC Attacks Work?

The playbook for BEC scammers is fairly consistent, with several common techniques. One that has been costly for public and private organizations alike is the “false invoice” scam, where scammers pose as a vendor and request that payment be wired to a fraudulent account. Sometimes bad actors first compromise the mailbox of a real employee at that vendor, so the request arrives from a genuine address with a genuine thread history; failing that, they register a look-alike domain or spoof a sender address that looks nearly identical to the vendor’s. Another is “CEO fraud”, where criminals email members of the organization while spoofing or hijacking the CEO’s identity and request credentials or an urgent payment. Bad actors may also pose as the IT team or another department with “authority” to harvest credentials from executives and other staff, then use those credentials to run a multi-phase scam from inside.

Another angle is the creation of realistic-looking emails from known service providers (such as Outlook or Adobe) requesting credentials or urging users to click on links that deliver malware. While this isn’t an exhaustive list, it shows the degree of social engineering that goes into persuading employees to send money or information, or to click on a link that will compromise the network. One thing is for sure: we’ve come a long way from old-fashioned 419 scams with laughable English and improbable stories.

No Matter the Organization Size, BEC Attacks Target All

Instances of BEC continue to proliferate, with criminals targeting organizations of all sizes, from all industry verticals, and on both sides of the public/private divide. Here are three examples:

A Belgian Bank Loses Over $75 Million
In one of the largest instances of BEC in recent years, Crelan, a Belgian bank, was scammed out of €70 million (around $75.8 million) via CEO fraud in 2016. The worst part? The fraud was only discovered during an internal audit. The scam was evidently sophisticated enough that it raised no eyebrows while it was occurring.

An Indian Subsidiary Loses Over $18 Million in One Week
Hackers operating from China targeted the Indian subsidiary of Tecnimont SpA, an Italian engineering firm, with a devastating CEO fraud scheme. The head of the Indian company was hoodwinked by a polished fake email from someone appearing to be the CEO of the Italian parent company. In one week, $18.6 million was sent to offshore accounts in three payments.

Cybercriminals Steal $1.75 Million from a Catholic Church in Brunswick, OH
No target is too small for cybercriminals, since these scams are fairly easy to perpetrate and can be sent to many organizations at once. The Brunswick parish lost $1.75 million when criminals compromised two employee email accounts, posed as the construction firm the church was working with, and redirected the contractor payments to fraudulent bank accounts.

A cursory search of BEC incidents in the U.S. and abroad will net you many more stories of hoodwinked employees and lost millions, and the threat of BEC doesn’t seem to be abating any time soon. According to the FBI’s latest Internet Crime Report, 23,775 BEC complaints were received through the Internet Crime Complaint Center in 2019, with a noticeable uptick in complaints relating to the “diversion of payroll funds.” While most organizations are aware of scammers, the level of sophistication and social engineering involved in today’s BEC scams is significant. When one method becomes too well known, the criminals shift tactics and targets.

Close the Security Gap with PKI

So how can organizations get in front of this insidious threat? One way to close the gap is through PKI. The core of every BEC scam is a false claim about who sent a message; a digital certificate bound to an individual lets the recipient, or the mail gateway, check that claim instead of trusting a display name. A message signed with the CEO’s certificate verifies only if it really was signed with the CEO’s key and has not been altered since; a message from a look-alike domain, or with no signature at all, fails that check no matter how convincing it reads. HID IdenTrust® can provide TrustID™ personal digital certificates that fulfill a wide range of needs for your organization, including trusted identities for email, data encryption, digital signing, and VPN/application access credentials. Policies and procedures can only go so far to protect your organization. It’s time to harden your workforce against the threat of email scams by maximizing the effect of a time-tested, secure technology from a trusted provider.
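As an added example (not part of the original post, and not HID IdenTrust code), the following shell script uses the openssl command line to show what the signature check described above does to each of the BEC patterns from earlier in the post. It stands up a throwaway CA in place of a commercial provider, issues an email certificate to a fictional CEO, clear-signs a wire request, and then runs the same verification against a message from a look-alike domain signed with a self-made certificate, a copy whose amount was altered after signing, and a plain unsigned message. “Example Corp”, the people, the domains example.com and exarnple.com, and the in-script CA are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from HID/IdenTrust.
# Demonstrates the S/MIME signature check that certificate-based email
# identities enable: only a message signed with a key whose certificate
# chains to the organization's trusted CA, and that is unchanged since
# signing, verifies. Names, domains and the CA below are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CA the organization trusts for email identities.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example Corp/CN=Example Corp Email CA" 2>/dev/null
}

# Issue a user certificate bound to one email address and restricted to
# email protection. $1 = file prefix, $2 = display name, $3 = address.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2/emailAddress=$3" 2>/dev/null
    printf 'subjectAltName=email:%s\nkeyUsage=digitalSignature\nextendedKeyUsage=emailProtection\n' \
        "$3" >"$WORK/$1.ext"
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# The attacker cannot obtain a certificate for the CEO's address from the
# trusted CA, so they self-sign one with the same display name and a
# look-alike domain ("exarnple.com": r+n where the real domain has m).
make_spoof_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/spoof.key" -out "$WORK/spoof.crt" \
        -subj "/CN=Jane Doe/emailAddress=ceo@exarnple.com" 2>/dev/null
}

# Clear-sign a body as a multipart/signed S/MIME message.
# $1 = cert/key prefix, $2 = From header, $3 = body file, $4 = output file.
sign_msg() {
    openssl smime -sign -text -in "$3" -out "$4" \
        -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -from "$2" -to "CFO <cfo@example.com>" -subject "Urgent wire"
}

# What a receiving gateway or mail client does: verify the signature and
# require the signer's certificate to chain to the trusted CA.
# Prints "verified" or "REJECTED" so the outcome can be logged or enforced.
classify() {
    if openssl smime -verify -in "$1" -CAfile "$WORK/ca.crt" \
        -out /dev/null 2>/dev/null; then
        echo verified
    else
        echo REJECTED
    fi
}

make_ca
issue_cert ceo "Jane Doe" ceo@example.com
make_spoof_cert

# Constructed sample body: the kind of request CEO fraud relies on.
printf 'Please wire 250,000 EUR to the new supplier account today.\n' >"$WORK/body.txt"

sign_msg ceo "Jane Doe <ceo@example.com>" "$WORK/body.txt" "$WORK/genuine.eml"
sign_msg spoof "Jane Doe <ceo@exarnple.com>" "$WORK/body.txt" "$WORK/spoof.eml"
# Altering the amount in the genuine message after signing breaks the digest.
sed 's/250,000/950,000/' "$WORK/genuine.eml" >"$WORK/tampered.eml"
# The classic BEC message: right display name, no signature at all.
printf 'From: Jane Doe <ceo@exarnple.com>\n\n' >"$WORK/unsigned.eml"
cat "$WORK/body.txt" >>"$WORK/unsigned.eml"

for m in genuine spoof tampered unsigned; do
    printf '%-9s %s\n' "$m" "$(classify "$WORK/$m.eml")"
done
```

Only the genuine message verifies; the other three are rejected by the same check, which is the property a mail gateway policy or a client-side “signed by a trusted identity” indicator builds on. The check proves which key signed the message, not who was at the keyboard: if an attacker takes over the real mailbox and the signing key is a software file they can also steal, the signature still verifies, which is why keeping the private key on a smart card or token and confirming payment changes out of band remain part of the control.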

Join our webinar to find out how PKI can keep your workforce safe from today’s evolving BEC threats.


Mrugesh Chandarana is a Senior Product Manager, Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than 10 years of cyber security industry experience in areas such as Risk Management, Threat and Vulnerability Management, Application Security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).