September 10, 2019, the US Department of Justice reports that a global law enforcement effort resulted in the arrest of 281 suspects who were believed to be involved in a series of business email compromise scams that has now totaled losses in excess of 26 billion dollars world-wide.

The majority of the arrests, totalling 167, occurred in Nigeria. Nigeria has been the epicentre of a host of scams including bogus lotteries, romance scams and inheritance schemes. The remainder of the individuals were operating out of the U.S., Turkey, Ghana and other various countries located across Europe, Asia and Africa.

In parallel, the FBI’s Internet Crime Complaint Center (IC3) announced that Operation reWired, a four-month ongoing investigation, had determined that losses and thefts from Business Email Compromise (BEC) scams increased by over 100% over the past 14-month period. The IC3 has also identified a new type of payroll diversion scheme, which has also been tied to the same individuals.

Background: Business Email Compromise

Business Email Compromise schemes can take on a wide variety of forms, however, they generally involve fooling an organization’s employees into transferring money into fraudulent bank accounts.

After gaining access to an organization’s email accounts, BEC actors will carefully analyze and study how money moves in an out of the company; this includes both invoicing and payments. In some instances, this involves manipulating invoices so the malicious actors bank account information is listed in place of legitimate ones. Typically, their activity goes unnoticed until it’s too late and the transaction has already taken place.

Payroll Diversion Schemes

Payroll Diversion is nothing new. In fact, it’s been a problem within organizations for a long time. The scam itself has been executed on the victim’s side by gaining access to an employee’s user account. From here, the fraudster will then use their credentials to log into the legitimate payroll site and edit the account number where their direct deposit is received. To complete the scam, they will often turn off any emails or notifications sent out to the employee to delay/prevent the employee from catching wind of what has happened for as long as possible.

Two Routes of Deception

Typically, through phishing emails and social engineering, threat actors will encourage a user to disclose their credentials. They do this by sending an email that appears to be from a legitimate source, potentially HR or IT, for example; from there, they will proceed to persuade the user to disclose sensitive information. Predictably, this is usually done by including a link that will appear to take the user to a workplace website to fill in personal information, however; the website is a fake and the information provided lands right in the hands of malicious actors.

Alternatively, another variant of the BEC attack is aimed at HR or finance departments. HR employees often handle payroll and benefits for many organizations. In this strategic ruse, the attacker creates an email account that is made to impersonate another individual, the victim, who then contacts payroll (via HR or Finance Dept.) requesting to change their bank information for their direct deposits.

The exact dollar value of direct deposit change requests has increased over 815% between January 1, 2018 and June 30, 2019 as there were very few reported complaints prior to this time period, according to the IC3. Thus, increase is partially due to the fact that more awareness of the scams has resulted in more reports being filed with law enforcement. Still, between June 2016 and July, the total exposed global dollar loss amount resulting from BEC scams, including both stolen funds and attempts, rose to 26.2 billion, world-wide.

Keeping Your Organization Protected

Based on the scenarios itemized above, it should be apparent that BEC scams rely heavily on phishing schemes, social engineering and lack of attention to details, including failing to recognize a fake domain.

Fortunately, there are some simple ways to counter the commonly used techniques that BEC actors rely on, much of which involve double checking account change requests, confirmation phone calls using only pre-approved calling lists, and having a keen awareness for “spoofed emails.” In addition to these, below are some of the latest suggestions from the IC3:

IC3 Suggestions for Protection:

Employees should be educated about and alert to this scheme. Training should include preventative strategies and reactive measures in case they are victimized. Among other steps, employees should be advised to:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII in response to any emails.
  • Monitor their personal financial accounts on a regular basis for irregularities, such as missed deposits.
  • Keep all software patches on and all systems updated.
  • Verify the email address used to send emails, especially when using a mobile of handheld device by ensuring the senders address email address appears to match who it is coming from.
  • Ensure the settings the employees’ computer are enabled to allow full email extensions to be viewed.

For more information on anything you read here, or advise on how to keep your organization safe from these threats, please contact us for a free consult!