Business email compromise is an attack in which a compromised email account is used to target your employees, or the customers and vendors who do business with your organization. Here’s an overview of how it might work:
Customer A (we will call them Able for this scenario) falls for a phishing scam and their email credentials are compromised. The attackers snoop around Able’s email account and notice that they conduct business, including wire transfers and payments, with your company. The attackers use Able’s email account to send a request for a wire transfer or payment that doesn’t particularly stand out as unusual because it is similar to other requests you’ve received in the past. However, instead of using the bank account on file, they ask you to send the payment to a different bank account that’s not on file. The scammer may even proactively offer some kind of reason for this, such as “Our accounts are under audit right now, please send to the account below instead”.
Essentially, attackers in this scenario use a compromised email account to exploit the trust between you and your customers. This can also happen in reverse: one of your employees falls for a phishing scam, and the attackers then use that employee’s credentials to target your customers, hoping to initiate a fraudulent wire transfer in your company’s name.
The FBI has reported that as of May 2016, over 15,000 organizations have become victims of business email compromise scams, losing a combined total of over $1 billion. These victims range from small businesses to large corporations across a wide array of business sectors.
Thankfully, this type of fraud can often be detected and stopped by having standard operating procedures (SOPs) in place that require your employees to verify transfer requests before initiating payment. In addition, you should never change bank account or address information for your customers or vendors based on an email alone; such changes should always require, at the very least, a follow-up phone call for verification. Furthermore, enabling two-factor authentication for email wherever possible mitigates the risk of unauthorized access to business email. As an added measure, it’s important to be aware of the information about your employees and your organization that is available on social media. Many attackers do their homework before attempting these types of scams; the more information that’s publicly available about your organization’s structure, the easier it is for them to plan and execute their attacks.
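As an added illustration of the SOPs described above (this is example code written for this post, not a tool from any vendor or project), the following Python script encodes two of the rules: a payment request is held whenever the destination account differs from the account on file, and a bank-detail change is refused unless it arrived through a trusted channel rather than email. The vendor master file, account identifiers, phone numbers and the channel names are all constructed sample values, and the pretext phrase list is a heuristic assumption rather than anything the post prescribes.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample vendor master file (not real data): bank details that
# accounts payable has previously verified out-of-band, plus the phone number
# on file for each vendor. In production this would come from the ERP system.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "able": {"bank_account": "ACCT-ABLE-001", "phone_on_file": "+1-555-0100"},
    "baker": {"bank_account": "ACCT-BAKER-001", "phone_on_file": "+1-555-0101"},
}

# Channels through which a bank-detail change may be accepted (assumed names).
# "email" is deliberately absent: a change arriving by email is held until it
# has been confirmed by a call to the number already on file.
TRUSTED_CHANGE_CHANNELS = {"verified_phone_callback", "in_person"}

# Heuristic phrases often used to justify a last-minute account switch.
# This list is illustrative; tune it to the requests your team actually sees.
PRETEXT_PHRASES = ("under audit", "send to the account below", "new account", "instead")


@dataclass
class PaymentRequest:
    vendor_id: str
    bank_account: str     # destination account named in the request
    amount: float
    channel: str          # how the request arrived: "email", "portal", ...
    memo: str = ""


@dataclass
class Decision:
    action: str                       # "pay" or "hold"
    reasons: List[str] = field(default_factory=list)


def review_payment_request(req: PaymentRequest, master=VENDOR_MASTER) -> Decision:
    """Apply the SOP: pay only to the account on file; anything else is held
    for out-of-band verification using the vendor's phone number on file."""
    reasons: List[str] = []
    vendor = master.get(req.vendor_id)
    if vendor is None:
        reasons.append("unknown vendor: onboard and verify before any payment")
    elif req.bank_account != vendor["bank_account"]:
        reasons.append(
            "bank account differs from the account on file: confirm by calling "
            f"{vendor['phone_on_file']} (the number on file, not one given in the message)"
        )
    memo = req.memo.lower()
    if req.channel == "email" and any(p in memo for p in PRETEXT_PHRASES):
        reasons.append("email gives a pretext for redirecting payment to another account")
    return Decision("hold" if reasons else "pay", reasons)


def apply_bank_detail_change(vendor_id: str, new_account: str, channel: str,
                             master=VENDOR_MASTER) -> bool:
    """Update a vendor's bank account only when the change was confirmed through
    a trusted channel. Returns True if applied, False if refused."""
    if vendor_id not in master or channel not in TRUSTED_CHANGE_CHANNELS:
        return False
    master[vendor_id]["bank_account"] = new_account
    return True


if __name__ == "__main__":
    # Constructed request mirroring the scenario in the post: a message from a
    # compromised "Able" mailbox asking for payment to an account not on file.
    suspicious = PaymentRequest(
        "able", "ACCT-UNKNOWN-999", 48000.00, "email",
        "Our accounts are under audit right now, please send to the account below instead",
    )
    decision = review_payment_request(suspicious)
    print(decision.action, decision.reasons)
```

The account comparison is the check that actually stops the scam in the post’s scenario; the phrase heuristic is only a secondary signal, since a careful attacker will not always supply a pretext. The important design choice is that the verification call goes to the number already on file, so a phone number supplied in the suspicious email can never become the verification channel.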
Brian Krebs has published a great article on the value of a hacked email account, which is worth reading to get a better sense of why the data held by companies is a lucrative target and why email fraud is so common.