by Bharat Mistry
This week the FBI announced a major international law enforcement operation spanning six months which resulted in scores of arrests and serious disruption to several Business Email Compromise (BEC) campaigns. At Trend Micro we welcome any efforts designed to make it harder for the black hats to make money from their illicit schemes. But we can’t rely on law enforcement alone.
Organisations must also get proactive by improving staff training and education and ensuring they have the kind of email protection capabilities which can spot and block BEC scams.
The FBI hits back
Operation WireWire saw police in Canada, Mauritius, Indonesia, Poland and Malaysia join forces to arrest 74 suspects, including 42 in the US. The FBI partnered with the Department of Homeland Security, the Department of the Treasury and the US Postal Inspection Service in a six-month operation which began in January. It led to the seizure of almost $2.4m and the “disruption and recovery” of $14m in fraudulent bank transfers.
It’s great to see police hitting back against an agile, sophisticated and well-resourced enemy. The more often law enforcers can disrupt these campaigns and seize funds, the more chance we have of proving that crime doesn’t pay.
The BEC epidemic
The BEC epidemic is spreading across the globe, just as ransomware did before it. Why? Primarily because the potential rewards on offer are much higher than for other threats. The FBI claimed in its IC3 report for 2017 that BEC incurred the highest losses of any threat category: over $676m last year. That’s three times more than the second-placed “confidence/romance fraud” and way more than the $27.9m ascribed to phishing attacks.
This might explain why we’ve started to see ransomware threats decline but BEC attacks soar in recent months. Between 2016 and 2017 ransomware-related threats fell from over one billion to 631 million. By contrast, recorded BEC attempts in 2017 jumped 106% from the first half of the year to the second half. Although they only hit 6,533 by 2H 2017, the pay-out is much greater per attack.
What you can do
Part of the problem with spotting BEC attacks is that they usually don’t contain any form of malware to detect, and so fly under the radar of traditional defences. Typically, they involve an urgent request sent to a member of the finance team from a domain spoofed to appear as if emailed from the CEO. It demands funds be sent ASAP to an external account. Sometimes the attacker has compromised the account of the person purported to be sending the email, making it doubly difficult to tell if it’s a fake. Other scams can impersonate third-party supplier companies.
All of which requires a multi-layered strategy to mitigate the BEC threat:
- Educate employees to scrutinise emails requesting money transfers. Trend Micro offers a free phishing simulation and user training service which can help improve awareness.
- Ensure business processes require secondary sign-off for any large transfers outside the organisation, especially if payment details for suppliers have changed.
- Consider investing in advanced email security to spot scams. Trend Micro’s new Writing Style DNA is an AI-powered feature which learns how executives write so that it can spot attempts to impersonate them. It then sends a warning to the implied sender, the recipient and the IT department.
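
The signals described above (an executive's name on an external or lookalike domain, plus an urgent payment request) can be checked mechanically. The Python below is an added example, not code from the original post or from any Trend Micro product; the organisation domain, executive name, keyword lists, similarity threshold and sample messages are all constructed assumptions.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # assumption: the organisation's real mail domain
EXECUTIVES = {"jane doe"}       # assumption: display names worth protecting
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "bank account")
URGENCY_TERMS = ("urgent", "asap", "immediately", "today")

def is_lookalike(domain, legit=ORG_DOMAIN, threshold=0.85):
    """True for a domain that is close to, but not exactly, the real one."""
    if not domain or domain == legit:
        return False
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= threshold

def bec_signals(raw_message):
    """Return the list of BEC warning signals found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    signals = []
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        signals.append("exec-display-name-external-domain")
    if is_lookalike(domain):
        signals.append("lookalike-domain")
    if reply_domain and reply_domain != domain:
        signals.append("reply-to-mismatch")
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        signals.append("urgent-payment-request")
    return signals

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Jane Doe <jane.doe@examp1e.com>\n"
           "Reply-To: jane.doe@mail.example.net\n"
           "To: finance@example.com\n"
           "Subject: Urgent wire transfer\n\n"
           "Please send the payment today to the account below.\n")
ROUTINE = ("From: Jane Doe <jane.doe@example.com>\n"
           "To: finance@example.com\n"
           "Subject: Board meeting agenda\n\n"
           "Agenda attached for Thursday.\n")
# Sent from the executive's real (compromised) mailbox: headers look clean.
COMPROMISED = ("From: Jane Doe <jane.doe@example.com>\n"
               "To: finance@example.com\n"
               "Subject: Invoice\n\n"
               "Pay this invoice immediately, details attached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("routine", ROUTINE), ("compromised", COMPROMISED)):
        print(label, bec_signals(raw))
```

The compromised-account sample trips only the wording signal, which is why header checks need to be paired with the secondary sign-off process listed above.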
By making your people, processes and technology smarter, you can insulate your organisation from BEC attacks whilst global police do their best to disrupt the scammers themselves.