If business email compromise was the premise for a heist movie, it wouldn’t even be in the script for “Ocean’s Nineteen.” There’s no car chase, no cool soundtrack, no excitement, no glam.
But here’s the thing: It’s dangerous, it’s crime, and it pays.
So what is it exactly?
Business email compromise, typically referred to as BEC, is a well-planned attack vector that requires perpetrators to spend time building an infrastructure, developing false identities and targeting companies and their supply chain partners or franchisees. It mandates a methodical approach and enormous patience.
Imagine the accounts receivable department of a big brand with many franchisees (hold the applause). A review uncovers an overdue payment of $100,000 from a franchisee that’s always been on time. The brand reaches out to the franchisee’s accounts person asking for an update, and gets a reply that the check is in the mail.
Now, look behind the scenes. The brand’s email asking for an update went from its Microsoft Exchange server to the franchisee’s Microsoft 360 cloud mail account. For one of many possible reasons, that franchisee is slow to read and respond to the message, allowing the bad guys to get to it first. Masquerading as the franchisee, they send the response, building on the hard work they’ve already done to ghost the target server, study usage and traffic patterns, create false accounts, and so on. In a series of slick maneuvers, the franchisee sends the check, the bad guys get it and go partying.
Here’s a breakdown of the process:
• The bad guys get access to the franchisee’s mail server and the accounting person’s email account
• They gain credentials to a bank business account with (maybe) a savings account that isn’t used much. This account holder is likely a shell company that serves as a front to launder funds — but it does have an ABA routing number.
• They set up and register a mail account that closely resembles the name of the big brand.
• With their access to the franchisee’s mail server, the bad guys intercept the inbound email with the invoice from the big brand. They download the invoice and delete the inbound message from the server.
• Within an hour, the bad guys send an email message to the accounts person at the franchisee, asking for payments to be made to the bank’s routing number and account number. The message looks very authentic — it’s got a digital signature and a signed copy of the outstanding invoice (which was
• The franchisee unwittingly pays the invoice according to the instructions — wiring the funds to the fraudulent bank account rather than sending a check, as was done before.
• Once the wire transfer reaches the shell bank account, the bad guys transfer the money to a different bank account, which is probably just another stop on the money laundering trail. Eventually it’s extracted and enjoyed by the criminals, while the brand and the franchisee wonder what went wrong and who to blame.
If that sounds like a lot of setup for not much payoff, try this. The FBI, part of the U.S. Department of Justice, reported in 2018 that losses from BEC scams worldwide exceeded $3 billion. And in the episode cited above — which is disguised but real — the bad guys likely spent no more than $1,500 to make $100,000.
Before launching an attack like this, the bad guys look for specific weak links, such as weak password controls that fail to prevent password reuse or to limit access to the mail server. By contrast, the brand had many process and audit controls in place, but no way to detect the fraud perpetrated on the franchisee.
That’s why the criminals do the work: They gain access to a target’s mail account, create a domestic bank account (think of the supporting materials needed) and configure a mail server with domain names, certificates and accounts that can be used to masquerade as both the brand’s and the franchisee’s accounts people. It’s (relatively) cheap but time-consuming and meticulous.
On the flip side, mail servers don’t usually fall within the scope of cyber security standards like PCI DSS (Payment Card Industry Data Security Standard) or those set by NIST (the National Institute of Standards and Technology). Also, they’re infrequently tested and rarely hardened.
In other words, it’s up to the companies to protect themselves. Optimal security is only achieved when it’s fundamentally embedded into all aspects of the business rather than merely existing as a stand-alone function. It should cross boundaries in every sense: departments, devices, geographies, partners and customers.
In this case, the best way to ward off BEC (and other) attacks is to have clear and enforced security protocols around email at every step. For example, establish and implement a clear policy that email passwords must be changed every 90 days, and cannot be reused from other accounts. It’s also advisable to implement multifactor authentication for any remote email access by employees and system administrators. As for the accounting department in particular, develop and enforce audit procedures to validate any payment methods that are changed through non-electronic means (even if it just takes a phone call). Finally, companies with significant vendor or franchise relationships should consider secret codewords to help verify employees discussing financial matters.
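One way an accounts team could put the audit step above into practice, as an added example that is not part of the original article: before acting on an emailed payment instruction, compare the sender’s domain and the requested bank details against the vendor master record, and flag anything that needs a phone call. The domains, routing numbers and account numbers below are constructed placeholders.

```python
from dataclasses import dataclass
import unicodedata

# Constructed vendor master: what the franchisee has on file for the brand.
VENDOR_MASTER = {
    "bigbrand.example": {"routing": "011000015", "account": "000123456789",
                         "method": "check"},
}

@dataclass
class PaymentInstruction:
    sender: str   # e-mail address the instruction arrived from
    routing: str  # ABA routing number requested
    account: str  # account number requested
    method: str   # "check" or "wire"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small but non-zero suggests a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_domain(addr: str) -> str:
    """Lower-case the sender domain and fold Unicode confusables to ASCII."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()

def review(instr: PaymentInstruction) -> list:
    """Return the reasons this instruction needs out-of-band verification (empty = none)."""
    findings = []
    domain = normalize_domain(instr.sender)
    if domain in VENDOR_MASTER:
        on_file = VENDOR_MASTER[domain]
    else:
        # Unknown sender: look for a vendor domain within two edits of it.
        close = [d for d in VENDOR_MASTER if 0 < edit_distance(domain, d) <= 2]
        findings.append(f"sender domain {domain!r} not on file"
                        + (f"; resembles {close[0]!r}" if close else ""))
        on_file = VENDOR_MASTER[close[0]] if close else None
    if on_file and (instr.routing, instr.account) != (on_file["routing"], on_file["account"]):
        findings.append("bank details differ from vendor master")
    if on_file and instr.method != on_file["method"]:
        findings.append(f"payment method changed from {on_file['method']} to {instr.method}")
    return findings
```

Any non-empty result should be resolved by calling the vendor on a number already on file, never one taken from the email.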
This all sounds like common sense, and it is. But it’s the best way to guard against business email compromise, and that’s a vital responsibility.
Based in Las Vegas, Tom Arnold is co-founder, vice president and head of Forensics at Payment Software Co., part of NCC Group, and a CISSP, ISSMP, CFS, CISA, GCFE-Gold, GNFA, PCI/PA QSA, PCI 3DS QSA, PCI ASV, Visa card production SA, Visa PIN SA, PCI PFI. His current work involves security assessments on a variety of trans-global payment processors; over-the-air and traditional card production/personalization companies; large multinational retailers; consumer financial institutions; and global payment card brands. Numerous national regulatory agencies, including the WTO, and the U.S. Senate banking subcommittee have consulted with him as an expert. He may be reached at firstname.lastname@example.org.