Traditional business email compromise (BEC) scams involve a fraudster emailing a CFO or equivalent member of an organization, pretending to be the CEO or another high-ranking official of the company. The aim of this type of scam is to trick the recipient into carrying out a large and “urgent” wire transfer (for more details on traditional BEC scams, read our previous blog).
Over the past two weeks, however, BEC fraudsters have added a new element to some of their requests. In this version of the scam, the fraudster again pretends to be a member of senior management, but this time targets a more junior member of the accounting or human resources department. The email asks the victim to send all employee W2 forms for inspection. These forms contain wage and tax information for every employee, which is everything the criminals need to file fraudulent tax returns in employees' names and collect the refunds owed to those workers.
Figure 1. Example of a BEC fraud email attempting to trick recipient into handing over W2 documents
Symantec telemetry shows that one of the most prolific groups behind these scams began sending W2-related emails to victims on February 26, as can be seen in Figure 2.
Figure 2. Number of traditional and W2 variant BEC scam emails sent by fraudster group
This particular group sends emails from what appear to be stolen email accounts and spoofs the sender address to match the victim's domain. A "Reply-To" header is set so that when a victim replies, the reply goes to an account under the attackers' control rather than to the spoofed sender address. In the past 12 days, this group has used at least eight stolen domains for sending emails and 11 accounts on free email services to receive replies. It has sent at least 663 emails to victims.
For BEC wire fraud, the group typically uses email subjects that are a variant on the current date, for example:
- Subject: Request for 18th February,2016
- Subject: Transfer Request 26 February 2016
For W2 fraud, the email subjects are similar:
- Subject: Request For All Employees W2s
- Subject: Request For All Employees W2s, Monday 29th February, 2016
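The combination described above, a From address spoofed to look internal, a Reply-To pointing at a free webmail account and a subject of the quoted shape, is easy to check for at the mail gateway or in a SIEM. The following is an added example written for this post, not Symantec's own detection logic. The sample messages are constructed, the domains are placeholders, and the list of free webmail providers is an assumption.

```python
"""Flag BEC-style messages whose Reply-To diverts replies away from a spoofed From.

Added example; not Symantec's tooling. Sample messages below are constructed
for illustration and the domains are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Free webmail providers of the kind the post says received the replies
# (this list is an assumption for the example, not taken from the post).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Subject shapes modelled on the examples quoted in the post.
W2_SUBJECT = re.compile(r"\brequest\b.*\bw-?2s?\b", re.I)
DATED_REQUEST_SUBJECT = re.compile(
    r"\b(transfer\s+)?request\b.*\b\d{1,2}(st|nd|rd|th)?\s+[a-z]+,?\s*\d{4}\b", re.I
)


def _domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return the BEC indicators it shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = _domain(str(msg.get("From", "")))
    to_dom = _domain(str(msg.get("To", "")))
    reply_dom = _domain(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))

    flags = []
    # Sender spoofed to look internal: From domain equals the recipient's domain.
    # A real gateway would also require the message to have arrived from
    # outside (Received headers, or an SPF/DKIM/DMARC failure) before trusting this.
    if from_dom and from_dom == to_dom:
        flags.append("from_matches_victim_domain")
    # Replies are diverted away from the displayed sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_differs_from_from")
        if reply_dom in FREE_MAIL_DOMAINS:
            flags.append("reply_to_is_free_webmail")
    if W2_SUBJECT.search(subject):
        flags.append("subject_requests_w2s")
    elif DATED_REQUEST_SUBJECT.search(subject):
        flags.append("subject_dated_request")

    # A differing Reply-To on its own is common (mailing lists, ticketing systems),
    # so only call it BEC together with an internal-looking From or a matching subject.
    suspicious = "reply_to_differs_from_from" in flags and (
        "from_matches_victim_domain" in flags
        or any(f.startswith("subject_") for f in flags)
    )
    return {"flags": flags, "suspicious": suspicious}


# Constructed sample messages (not real captures).
SUSPICIOUS_W2 = (
    b"From: \"John Smith, CEO\" <john.smith@example.com>\n"
    b"To: payroll@example.com\n"
    b"Reply-To: john.smith.ceo@gmail.com\n"
    b"Subject: Request For All Employees W2s, Monday 29th February, 2016\n"
    b"\n"
    b"Kindly send me copies of all employees' W2 forms for review.\n"
)
SUSPICIOUS_WIRE = (
    b"From: \"John Smith, CEO\" <john.smith@example.com>\n"
    b"To: cfo@example.com\n"
    b"Reply-To: jsmith.office@yahoo.com\n"
    b"Subject: Transfer Request 26 February 2016\n"
    b"\n"
    b"I need an urgent wire processed today. Let me know when you are available.\n"
)
BENIGN = (
    b"From: Alice <alice@example.com>\n"
    b"To: bob@example.com\n"
    b"Subject: Lunch on Friday\n"
    b"\n"
    b"Are you free at noon?\n"
)

if __name__ == "__main__":
    for name, raw in (("w2", SUSPICIOUS_W2), ("wire", SUSPICIOUS_WIRE), ("benign", BENIGN)):
        print(name, analyse(raw))
```

The check only sees what the gateway sees: if the group's exact-domain spoofing is reaching inboxes, the receiving domain is not enforcing SPF/DKIM alignment with a DMARC policy of quarantine or reject, and fixing that stops this particular trick before any Reply-To heuristic is needed.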
The group appears to operate 24 hours a day, which suggests several individuals are involved and sharing resources such as the stolen email accounts; however, most emails are sent in the morning, GMT, as can be seen in Figure 3.
Figure 3. Emails sent by the group, per hour (GMT)
This group is just one among many performing this type of BEC attack, but it is one of the most prolific.
Defending against BEC attacks requires a multi-layered approach consisting of email scanning services, such as Symantec Email Security.Cloud, employee education, and the implementation of rigorous processes governing the transfer of money, or dissemination of employee information.
In addition, employees should bear the following in mind:
- Question any emails requesting actions that seem unusual or aren’t following normal procedures.
- Do not reply to any emails that seem suspicious. Obtain the sender’s address from the corporate address book and ask them about the message.
- Use two-factor authentication for wire transfers: require a second approver or an out-of-band confirmation (for example, a phone call to a number already on file for the requester) before initiating a transfer.
The FBI has documented additional steps to help businesses protect themselves against these types of attacks.