Business Email Compromise: The New Billion Dollar Problem

Just today it was reported that Austrian aircraft parts maker FACC AG lost €34M in an email scam. While €10.9 was recovered, the CFO and CEO were both fired earlier this year.

Donald ‘Mac’ McCarthy, from myNetWatchman, discussed business email compromise, or BEC. This is a form of social engineering attack that coerces people with financial authority to send money to external parties.

It’s the latest form of financial fraud that takes advantage of electronic funds transfers.

The threat actor uses information, such as executive email addresses that are available on public web sites. The actor takes the time to understand business relationships and then uses this information to send an email that begins the social engineering attack.

“You don’t have to be breached for your email credentials to be out there,” says McCarthy.

They find ways to compromise email accounts and then use the entry point to understand relationships between executives and external parties such as banks.

The elegance of this compromise, from the attacker’s point of view, is that the hacker doesn’t actually access the funds directly. It is wire fraud by email.

McCarthy dissected one such attack that resulted in the partner of a Hollywood celebrity wiring $287,490.53 to a third party. The precision of the amount is interesting. McCarthy says the criminals often use the last few digits as their own routing code so they can move and track the money through “mules” - people who receive the funds and then disperse them to other accounts.

One of the weapons the fraudsters use is look-alike domains. For example, substituting the letter pair “rn” for the letter “m” in a domain name is often missed by people reading the domain name. Similarly, fraudsters register other domains that look close enough to the expected domain name to bypass detection. One technique is to simply add the letter “s” to the end of a domain name.

MITE - Man in the Email

By registering look-alike domains, fraudsters can insert themselves into email communications. Once they access someone’s email account, they insert a rule to direct email to an external address that looks very similar to the correct address. They then use that information to understand relationships and processes in the target to launch their fraud.

Intercepted emails are sent through to the legitimate address so the victim is completely unaware that someone has been intercepting and reading their email.

Similar techniques can be used to create false customer accounts, which are then used for credit notes or other financial transfers.

Tough to detect

Unlike malware attacks, which are machine generated, BEC messages are hand-crafted by the threat actor. This makes it harder for automated systems to detect them.

McCarthy says over 42,000 actors are actively executing BEC attacks with about 40% coming from west Africa.

Many of the actors are very brazen, posting photos of themselves on social media with large wads of cash. McCarthy says they are all male and work together.

BEC is a $3B problem globally, with over $1B of losses reported in the US - although McCarthy speculates that the issue is larger than reported as smaller companies are not obligated to report breaches.

Mules are often recruited, sometimes unwittingly, through dating sites. They receive the initial leak of funds and then pass them on to other parties. And pre-paid credit cards are sometimes used to capture the funds.


Financial institutions are liable for losses as the customer actually transfers the money. However, some banks are getting better at detecting unusual transfers, and it’s important for employees to know which countries you routinely send money to so unusual transfers are detected before they happen.

Also, all email requests need to be validated out-of-band, for example via a phone call.

McCarthy also noted that sender domains should be checked against your own using Levenshtein distance, which highlights domains where letter substitutions have been used to send email from a domain that looks similar to yours.
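A defender-side version of that check, added here as an illustration rather than code from the talk or from myNetWatchman. The trusted-domain list and sample sender domains are constructed; the confusable-pair folding is an assumption added because plain Levenshtein distance counts the “rn” for “m” substitution as two edits and a distance threshold of 1 would miss it.

```python
# Added example (not from the article or myNetWatchman): flag sender domains
# that sit within a small edit distance of a domain we own or do business with.
# Plain Levenshtein distance scores "rn" -> "m" as two edits, so the check also
# compares a normalised form in which known confusable pairs are folded.


def levenshtein(a, b):
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                   # delete ca
                           cur[j - 1] + 1,                # insert cb
                           prev[j - 1] + (ca != cb)))     # substitute
        prev = cur
    return prev[-1]


# Multi-character sequences that read as a single letter in most fonts.
# Assumed list, not from the page; extend it for your own mail flow.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Constructed sample of domains we own or legitimately exchange money with.
TRUSTED = ["example.com", "acme-bank.com"]


def normalise(domain):
    """Lower-case the domain and fold each confusable pair to its look-alike."""
    d = domain.lower()
    for look_alike, real in CONFUSABLES:
        d = d.replace(look_alike, real)
    return d


def lookalike_check(sender_domain, trusted=TRUSTED, max_distance=2):
    """Return (is_suspicious, closest_trusted_domain, distance).

    An exact match to a trusted domain is fine. Anything within max_distance
    edits (raw, or after confusable folding) that is not an exact match is
    flagged, so "exarnple.com" is caught even though it folds to distance 0.
    """
    s = sender_domain.lower()
    best = None
    for t in trusted:
        if s == t.lower():
            return (False, t, 0)
        d = min(levenshtein(s, t.lower()), levenshtein(normalise(s), normalise(t)))
        if best is None or d < best[1]:
            best = (t, d)
    if best is None:
        return (False, None, None)
    return (best[1] <= max_distance, best[0], best[1])
```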

“This is not a technical problem,” says McCarthy. “It’s a business process. If you structure your process well, this won’t be a threat”.

Tags: credentials, attackers, email scams, AusCERT conference, business email compromise, AusCERT2016, MITE, myNetWatchman