Symantec has been continuously tracking scam emails targeting businesses with fake wire transfer requests, and found that scammers behind these Business Email Compromise (BEC) emails have added some tricks to increase their chances of success. In particular, they now try to engage victims in an email exchange to gradually build trust, instead of sending emails with wire transfer and/or payment instructions at the outset.
BEC scam emails, although seen earlier in less sophisticated forms, have undergone an evolution in their modus operandi over the past two years, from the way they are distributed to the skill with which the scammers manipulate their targets and victims.
A new harpoon for whaling
Unlike earlier forms of mass-mailed scams, BEC emails are highly targeted and are carried out by scammers who are very familiar with the finance workflow of organizations ranging from small businesses to large enterprises. This type of scam, also called CEO fraud, falls under the category of “whaling,” because the scammers send spear-phishing emails to senior, usually C-level, executives. The scammer, often posing as the CFO or CEO of the organization, studies the target thoroughly before emailing someone in the finance department who can clear the transfer of a large sum of money. Symantec researchers have explained this modus operandi in detail in a previous blog, and found that 400 businesses are hit by BEC scams daily. The FBI has also quantified the impact of BEC scams in its latest Public Service Announcement.
To draw out a response from recipients, BEC scammers now open with informal and familiar language such as “hi, are you in office today?” and then gradually build the plot over further emails to establish rapport with the victim and earn their trust. The scammers do not reveal the account information or other details for the transfer until they are reasonably convinced that the victim will comply.
BEC in action
To illustrate how a BEC scam progresses, the back-and-forth exchange between the scammer and the potential victim is shown below, with names and details removed.
Figure 1. Scammer starts with an availability inquiry before gradually moving on to the wire transfer request
The scammer starts off with one-line emails such as “are you at your desk?” or “please respond if you are available in office today,” and mentions the wire transfer only after receiving a response. Depending on the response, the scammer then asks what information is required to make the transfer.
Figure 2. Scammer probing the victim to understand how the payment process works internally
The scammer sends further probing emails to understand how payments are handled and informs the victim that the payment is to be made to a private account. The scammer also promises to send an invoice for the payment as soon as possible, and insists that the victim make the transfer immediately.
Figure 3. Scammer supplying the account details for the payment
The scammer reassures the victim that the required invoice will be sent shortly, then asks the victim to complete the transfer immediately and send a confirmation once it is done. The scammer encourages the transfer through any payment channel available.
Figure 4. Scammer insists on restructuring the payment in any way that will not require documents upfront
BEC scams usually involve large sums of money; in this case, US$20,987.56 was initially requested. However, when the victim responded that any amount above $10,000 would require some documents upfront, the scammer went on to suggest that the payment be broken into amounts that would pass without any document being produced.
BEC emails, which were previously mostly direct requests for wire transfers, now incorporate more elaborate social engineering techniques such as the one outlined above. In June, 20 percent of the BEC emails seen by Symantec researchers inquired about the recipient’s availability, while 80 percent directly requested a wire transfer. By October the picture had reversed: 60 percent of the emails inquired about the recipient’s availability, while 40 percent requested a wire transfer.
User education plays an important role in thwarting email scam attempts. Symantec advises users to adhere to the following best practices to avoid falling victim to BEC scams:
- Be suspicious of emails that demand some action without following usual procedures.
- Instead of simply hitting the Reply button, compose a new message to the requestor’s address taken directly from the corporate address book. Replying in place honors whatever Reply-To address the scammer set, so starting a fresh message to the directory address pushes the scammer out of the thread.
- Do not reply to suspicious emails and do not give out sensitive information.
- Report the suspicious or obviously bogus emails to the proper authorities.
- Report to the financial authorities and law enforcement agencies if you suspect that you have been a victim of BEC fraud. Businesses should make an effort to educate employees about such scams and how to mitigate such incidents.
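The two-stage exchange shown in Figures 1 to 4 and the address-book advice in the list above can both be turned into a mailbox check. The script below is an added example written for this page; it is not Symantec’s code and is not drawn from the post. It assumes a hypothetical organization `example.com` with a hard-coded executive directory (`DIRECTORY`), where a real deployment would query the corporate address book, and it runs over three constructed messages modelled on the exchange described above. `analyze()` flags a known executive’s display name on an address the directory does not list, a `Reply-To` that steers replies to a different domain than `From`, a short message consisting only of an availability probe, and payment or invoice vocabulary arriving from outside the organization. `address_book_reply()` implements the “don’t hit Reply” advice by ignoring both `From` and `Reply-To` and returning the directory address instead.

```python
"""Heuristic triage of inbound mail for BEC indicators.

Added illustration, not code from Symantec or the post above. It assumes a
hypothetical organization (example.com) whose executive directory is hard-coded
below; a real deployment would pull that from the corporate address book.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Assumption: display name -> address as recorded in the corporate address book.
DIRECTORY = {
    "jane doe": "jane.doe@example.com",  # hypothetical CEO
    "john roe": "john.roe@example.com",  # hypothetical CFO
}

# Phrasings quoted in the post for the opening "availability" probe.
AVAILABILITY_PATTERNS = [
    r"\bare you (at your desk|in (the )?office)\b",
    r"\bplease respond if you are available\b",
    r"\bare you available\b",
]
# Vocabulary of the later wire-transfer stage of the exchange.
PAYMENT_PATTERNS = [
    r"\bwire transfer\b",
    r"\bpayment\b",
    r"\binvoice\b",
    r"\baccount (details|information)\b",
]


def domain_of(addr):
    """Return the lowercased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name of a known executive on an address the directory does not list.
    listed = DIRECTORY.get(from_name.strip().lower())
    if listed and from_addr.lower() != listed:
        findings.append(f"display name '{from_name}' belongs to {listed}, not {from_addr}")

    # 2. Reply-To steers replies to a domain other than the sender's.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} does not match From domain {from_domain}")

    # 3. A short message whose only content is an availability probe.
    if len(text.split()) < 40 and any(re.search(p, text) for p in AVAILABILITY_PATTERNS):
        findings.append("short availability inquiry with no business content")

    # 4. Payment vocabulary arriving from outside the organization.
    if from_domain != INTERNAL_DOMAIN and any(re.search(p, text) for p in PAYMENT_PATTERNS):
        findings.append("payment or invoice language from external sender")

    return findings


def address_book_reply(raw):
    """Address to reply to per the 'do not hit Reply' advice.

    Looks the sender's display name up in the directory and ignores both the
    From address and any Reply-To header. Returns None if the name is unknown.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, _ = parseaddr(msg.get("From", ""))
    return DIRECTORY.get(from_name.strip().lower())


# Constructed samples modelled on the exchange in Figures 1 to 4; not real messages.
PROBE = """From: Jane Doe <jane.doe@ceo-mail.example.net>
Reply-To: jane.doe@exec-reply.example.org
To: pat.lee@example.com
Subject: Hi

Hi, are you at your desk? Please respond if you are available in office today.
"""

TRANSFER = """From: Jane Doe <jane.doe@ceo-mail.example.net>
To: pat.lee@example.com
Subject: Re: Hi

Good. I need you to process a wire transfer of $20,987.56 to a vendor today.
What information do you need to make the payment? I will send the invoice
shortly. Please process it immediately and confirm once done.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: pat.lee@example.com
Subject: Q3 budget

Can you send me the Q3 budget summary before the board meeting on Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("probe", PROBE), ("transfer", TRANSFER), ("legit", LEGIT)):
        print(label, analyze(raw) or ["no findings"], "reply to:", address_book_reply(raw))
```

The thresholds and patterns are deliberately simple; the point is that the opening probe is detectable on its own, before any account details appear, and that the reply address a user should use comes from the directory rather than from any header the sender controls.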