Scammers are continuing to target senior financial staff at medium and large corporations, attempting to trick them into carrying out large wire transfer payments. The FBI recently warned organizations of this activity and Symantec Email Security.cloud has observed that these email campaigns are still ongoing.
Going for the big phish
The premise of these campaigns is simple but effective: scammers craft an email, purporting to be from the targeted organization’s CEO, asking the recipient to carry out an urgent wire transfer.
These business email compromise (BEC) scams are also referred to as “whaling” because they send spear-phishing emails to senior (usually C-level) employees. In the majority of emails which Symantec has observed, the attackers send the message to the chief financial officer (CFO).
The scammers send the first email, asking the CFO if they can carry out an urgent wire transfer. If the recipient responds, the attackers send a follow-up email with the necessary details for the wire transfer. If there’s no response, the scammers may send a second email to the CFO or they may try to target another member of the finance organization. Information about these individuals can be easily gleaned from LinkedIn.
Figure 1. Scam email claiming to come from CEO asks target to initiate a wire transfer
A more recent version of the scam uses a lengthier email which describes how a payment must be made to facilitate an acquisition. The sender then claims that an attorney will be in contact with payment instructions.
Figure 2. Scam email asks employee to initiate wire transfer for unannounced acquisition
Crafting the email
BEC emails typically have the same format. In all cases, we’ve observed that the email poses as a message from the targeted company’s CEO. This is done using one of the following methods:
- Compromising the CEO’s email account
- Spoofing the CEO’s email address
- Using a form of typo-squatting where the email address uses a domain which resembles the targeted company’s actual domain (e.g. myydomain.com vs mydomain.com). As we discussed previously, these domains are often registered on the same day that the email is sent.
The scammers then use a few simple tricks to try to avoid arousing suspicion. The emails often state how the CEO is traveling or is in a meeting and can’t accept phone calls. Many of the emails have “sent from my iPad” appended, which could be included to reinforce that the sender is on the road or to excuse the poor English in the message.
Figure 3. “Sent from my iPad” addition may be used to excuse poor English
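As an added illustration of how a mail gateway or SIEM rule could surface the traits described in this section, the following Python (written for this edit, not Symantec's or Email Security.cloud's code) flags a sender domain that merely resembles the corporate domain, an executive's display name arriving from an outside domain, an urgent wire-transfer request, and the “sent from my iPad” sign-off. The corporate domain, executive name and sample message are constructed for the example.

```python
"""Added example: score an inbound message for the BEC traits discussed above.
CORPORATE_DOMAIN and EXECUTIVE_NAMES are constructed placeholders."""
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "mydomain.com"          # constructed: the protected domain
EXECUTIVE_NAMES = {"jane doe"}             # constructed: display names to guard
URGENCY_WORDS = ("urgent", "asap", "immediately", "confidential")
TRANSFER_WORDS = ("wire transfer", "wire", "payment", "acquisition")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value against the corporate
    domain is the typo-squat pattern (myydomain.com vs mydomain.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(from_header: str, subject: str, body: str) -> list[str]:
    """Return the BEC indicators found in one message; empty means none."""
    indicators = []
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower()
    # Lookalike domain: close to ours but not ours.
    if domain != CORPORATE_DOMAIN and 0 < edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        indicators.append(f"lookalike sender domain {domain}")
    # Executive's name on a message that did not originate from our domain
    # (covers both spoofed and lookalike addresses).
    if display_name.strip().lower() in EXECUTIVE_NAMES and domain != CORPORATE_DOMAIN:
        indicators.append("executive display name from external domain")
    text = f"{subject} {body}".lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in TRANSFER_WORDS):
        indicators.append("urgent wire-transfer request")
    if re.search(r"sent from my ipad", text):
        indicators.append("'sent from my iPad' sign-off")
    return indicators
```

A message from the corporate domain with no transfer language returns an empty list, so the rule can be used as a gate that routes anything non-empty to the finance team's verification step.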
Looking for the big win
BEC attackers target senior-level employees rather than consumers as it’s easier to scam them out of large amounts. Older 419-type scams typically request smaller amounts of money, but cast their net wider. With BEC, the emails are more targeted but the requested transfer amounts are much larger. In one incident, we observed the scammers asking the target to transfer over US$370,000.
Figure 4. Scammers ask target to transfer more than $370,000
By requesting large amounts of money, the scammers only need to be successful a couple of times to make a profit. The FBI estimates that the amount lost to BEC between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.
User education is the most effective means of protecting companies against BEC scams:
- Question any emails requesting actions that seem unusual or aren’t following normal procedures
- Don’t reply to any emails that seem suspicious; instead, obtain the sender’s address from the corporate address book and ask them about the message
- Use two-factor authentication for initiating wire transfers
The FBI provided further advice in their warnings about BEC scams.
If you believe you have been a victim of BEC fraud, notify your financial institution and local law enforcement authority as soon as possible.