Roundup of Business Email Compromise (BEC) Scams in 2020 and 2019

A tiny Florida city. Japan’s largest media conglomerate. A national museum in the Netherlands. A host of cable TV’s “Shark Tank.” They’re all victims of Business Email Compromise (BEC) attacks who suffered real losses from this type of email fraud. These attacks prey on human nature and have become bigger, more brazen, and more costly than ever. Falling for one is easier than you might think. The good news is that Proofpoint has a layered approach to keep your email accounts and data safe.


Read on for a roundup of the most high-profile (and low-minded) BEC and EAC attacks of the last 12 months to learn:

  • What these attacks have in common
  • How these attacks work
  • Who’s vulnerable

Content Summary

Introduction
‘Shark Tank’s’ Barbara Corcoran
Puerto Rico
Nikkei
Red Kite Community Housing
Jewish temple and synagogue congregants
Manor Independent School District
Toyota Boshoku
Cabarrus County, N.C.
Ocala, Florida
Rijksmuseum Twenthe
Conclusion and Recommendations

Falling for an impostor’s email is easier than you might think. That’s because business email compromise (BEC) attacks prey on human nature, the innate psychological traits shared by everyone. Here’s a roundup of the most high-profile (and low-minded) BEC and EAC attacks of the last 12 months.

Introduction

It’s not hard to see why BEC works. Requests for wire transfers or sensitive employee information are part of a normal workday when they come from the appropriate person. But when those requests actually come from someone else, it can be a costly case of mistaken identity.

The trouble is, telling the difference between authentic emails and an impostor’s scam is not always easy.

That’s because BEC attacks exploit the very qualities that make people who they are and keep society and business humming along. BEC scammers take advantage of human psychology and business processes to trick your users into wiring money, rerouting paychecks and payments, sending sensitive information, and more.

Email account compromise (EAC) is a close relative of BEC. But instead of merely trying to impersonate someone the user trusts with a lookalike account, EAC attackers hijack the trusted person’s actual account.

It’s no wonder BEC scams have stolen billions of dollars from victims already—and the pace is accelerating. Here are some of the biggest, boldest, and most brazen scams reported in recent months.

‘Shark Tank’s’ Barbara Corcoran

ABC-TV describes the stars of its hit show “Shark Tank” as “tough, self-made, multi-millionaire and billionaire tycoons.” But that doesn’t mean they can’t be duped.

Barbara Corcoran, one of the judges on the show who decides whether to invest in the dreams of various entrepreneurs, was robbed of close to $400,000 by a BEC scam in February.

Corcoran, who made her millions as a real estate broker, admitted in late February of 2020 that her bookkeeper wired money to someone posing as Corcoran’s assistant, ostensibly to pay for a real estate renovation. After the money was sent, Corcoran realized that the email address was not that of her assistant; it was one letter off from the real address.

“There was no reason to be suspicious, as I invest in a lot of real estate,” Corcoran told People magazine. Corcoran’s IT staff later traced the attack to a Chinese IP address.

The money has since been returned. The transfer had been routed through a German bank on its way to the scammer’s Chinese account. Corcoran’s bank pressed the German bank to freeze the money, giving her time to prove it was a fraud.

That an email message seems to be routine—and, therefore, not suspicious—is one of the central design features of BEC.

Puerto Rico

Puerto Rico has suffered several setbacks of late, including hurricanes, a government debt crisis, a recession—and now, BEC attacks.

Puerto Rico lost more than $4 million in three separate BEC attacks on government agencies in January. The scam began when someone compromised the computer of a finance worker at Puerto Rico’s Employment Retirement System about a month earlier. Using the worker’s account, the attacker then sent emails to the worker’s colleagues in other agencies. The email instructed recipients to change the banking account number tied to remittance payments.

This BEC-style attack is technically an example of an email account compromise (EAC). In this case, the attacker isn’t just trying to make their email address seem legitimate—they’re using a legitimate account.

The largest theft targeted Puerto Rico’s Industrial Development Company, a government-owned corporation investing in economic development on the island. It resulted in a loss of $2.6 million in government funds. The Puerto Rican Tourism Company was also taken for $1.5 million, while the territory’s Commerce and Export Company lost $63,000.

Like most BEC attacks, Puerto Rico’s vulnerability was a human one.

“Where the government failed greatly was in the procedures, not the technology,” said José Quiñones, president of Obsidian Consortia, a nonprofit cybersecurity organization in Puerto Rico, to the AP.

Nikkei

Japanese media giant Nikkei isn’t the stereotypical victim of financial fraud.

It’s one of Japan’s biggest media conglomerates, the owner of London’s Financial Times, and the namesake of the Nikkei stock index on the Tokyo Stock Exchange.

That sheer size and financial heft made it an especially lucrative target of scammers. In September 2019, an employee of its U.S. subsidiary, Nikkei America, transferred $29 million based on instructions from an email that appeared to be from an executive at the parent company.

Unfortunately, the email was from someone merely posing as the executive. (Some reports suggested that the attacker may have taken over the executive’s account, which would make it an EAC attack. The media company and authorities have provided few details publicly.)

Nikkei officials said the media giant would try to recover the money. It’s not clear how successful it has been.

Red Kite Community Housing

People who have trouble paying for housing in High Wycombe, a British city outside of London, can turn to Red Kite Community Housing. The charitable housing nonprofit owns and manages more than 6,500 homes in the Wycombe area, which it rents out at below-market rates to the poor.

Unfortunately, Red Kite suffered a financial setback of its own when it was hit by BEC in August 2019. Attackers stole £932,000 (about $1.2 million).

According to news reports, cyber attackers impersonated one of Red Kite’s suppliers by registering a lookalike domain. Using the fake domain, which closely resembled that of the real vendor, the attackers tricked the recipient into wiring money to the attacker’s bank account. The email included a fictitious email history in the message body to make it appear to be part of a long-running conversation between Red Kite executives and the vendor.

Red Kite’s security included two-factor authentication to verify changes to payments and accounts, a Red Kite spokesperson told Digit, a Scotland-based tech news website.

Red Kite says its systems were never compromised. The weak spot: human error. The Red Kite worker was fooled by the email and didn’t follow normal procedures.

“It is this single point of failure that we have addressed in our internal review of learning and changes required that feature in an action,” the association says.

Red Kite reported the breach to its tenants (who did not bear the cost of the theft), local police, an outside cyber-forensics firm, and the local agency that regulates social housing.

The nonprofit has since upgraded its security posture, completed an audit and review of its payment processes and systems, and put additional security measures in place, including staff training.

Jewish temple and synagogue congregants

One of the core elements of BEC is that, to the recipient, the sender of the email appears to be someone they know, trust, and respect. That’s typically a colleague, business partner or boss. To many Jewish people in the U.S., a trusted authority figure could also include the rabbi at their temple or synagogue.

In a new spin on the long-running gift card scheme, an attacker or group of attackers targeted worshippers in metropolitan Detroit, the San Francisco Bay Area, Idaho, Tennessee, and other congregations across the country. Pretending to be the local rabbi, the attackers asked recipients to buy gift cards, usually as part of a purported fundraiser.

Three members of a synagogue in Virginia responded to emails they thought were from their rabbi by buying a collective $2,500 worth of gift cards. So far, two of the three have been able to get the gift cards canceled and their money returned.

In Idaho, a woman nearly lost $400 in gift cards to the scam. Luckily, just as she was about to take pictures of the cards, along with the account number and PIN, to send to the “rabbi’s” email address, a cashier realized what she was doing and stopped her.

“This great scam works precisely because congregants trust their clergy,” said Rabbi Debra Newman Kamin, president of the Rabbinical Assembly, the Conservative movement’s professional organization of rabbis.

While the FBI and the Federal Trade Commission have warned the public about gift card schemes in general, the rash of such schemes targeting Jewish congregations has prompted a response from the Secure Community Network (SCN), the national homeland security initiative of the North American Jewish community.

SCN reported that in 2019, 53% of organizations surveyed—including all sorts of businesses, local governments, and religious groups—reported a cyber attack. That’s up from just 38% the year before.

Manor Independent School District

A rash of cyberattacks in recent months has targeted small U.S. cities, local agencies, and school districts. Attackers might assume that smaller, sometimes cash-strapped local agencies have less money for cybersecurity than larger jurisdictions or the private sector. In many cases, they’re right.

But that’s only part of the story. At large and small organizations alike, people are usually the weakest security link.

Case in point: Manor Independent School District outside of Austin, Texas. The district of 9,600 students was scammed out of $2.3 million in a BEC email attack in November 2019.

The scammer emailed several district employees over several months starting in November 2019, changing the payment instructions for a vendor. Just one worker fell for the email, but the damage was done. The scammers pulled off three separate transactions before someone noticed something amiss.

The district expects to recover $800,000 of the lost funds through an insurance policy, leaving it with a $1.5 million net loss.

Toyota Boshoku

BEC attackers target organizations large and small. One of the biggest victims and payouts in recent months was Toyota Boshoku. The Toyota subsidiary, which supplies seats and other interior components, was swindled out of $37 million in August 2019.

The attack was textbook BEC, according to news reports. Someone posing as a business partner sent emails to people in the company’s finance and accounting department, requesting payment into an attacker’s account.

The company says it became aware of the fraud quickly, reported it to authorities, and is working to recover the money.

The $37 million attack illustrates how social engineering can bypass even the most well-funded cyber defenses, because it targets people, not infrastructure.

Cabarrus County, N.C.

Cabarrus County, N.C., proudly announced plans to build a new $2.5 million high school, West Cabarrus High, in late 2018. BEC scammers were paying attention.

During construction in November, the school district got an email that appeared to be from the general contractor hired to build the school. It included new electronic funds transfer (EFT) account details for paying the contractor along with signed authorizations and other documentation. A few weeks later, the district wired payment to the new account as instructed.

Nothing seemed amiss until January. That’s when officials received a missed payment notice from the contractor.

School officials quickly realized that everything in the email—the account details, documents, and signatures—was fake. The district managed to recover $776,518.40. The remaining $1,728,082.60 was gone, diverted, and laundered through a network of secondary bank accounts.

The Cabarrus County Board of Commissioners kept construction on track by transferring the missing money out of a special fund set up “for extraordinary circumstances.”

The most recent update from the county: “The investigation continues.”

Ocala, Florida

Cybersecurity watchers can add little Ocala, Florida—population not quite 60,000—to the list of small towns across America that have been hit by cybercriminals.

In September of 2019, the city was swindled out of more than $740,000 in a BEC attack that cashed in on a nearby airport terminal under construction.

Like most BEC attacks, this one started with an email to the city’s senior accounting specialist, purportedly from an accountant at a construction firm working on the project.

The message included a city form requesting a change to the firm’s banking information. The form included a routing and account number for the new account and—for an extra dash of verisimilitude—a copy of a voided check from the account.

The city realized it had been scammed only after the real construction firm sent an invoice on Oct. 17. The city paid it the next day—but to the scammer’s account. A few days later, the construction firm told the city it hadn’t received the money.

The city employee who authorized the transfer left the job soon after the scam came to light. But almost anyone could have fallen for it.

The email used the name of a former employee of the construction firm and a lookalike email domain that was just one letter off—an extra “s”—from the real domain. Another Florida municipality, City of Naples, lost $700,000 to a similar BEC attack the previous August.

Ocala officials filed an insurance claim to recoup some of the money, and a criminal investigation remains ongoing.
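A defender-side check for the lookalike-domain pattern behind the Ocala, Red Kite and Corcoran cases (a sender domain one letter off from a trusted one), as an added example that is not part of the original article; the trusted domains and sample addresses are constructed placeholders:

```python
# Added example, not from the article: flag sender domains that are one edit
# (insert, delete, substitute, transpose) away from a trusted vendor domain,
# the "one letter off" pattern behind several of the cases above.
# TRUSTED_DOMAINS and the sample addresses are constructed placeholders.

TRUSTED_DOMAINS = {
    "example-construction.com",  # constructed: a vendor being paid
    "assistant-office.com",      # constructed: an executive's assistant
}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment variant)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def sender_domain(address: str) -> str:
    """Domain part of 'user@domain' or 'Name <user@domain>', lower-cased."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def lookalike_of(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 1):
    """Return the trusted domain this sender imitates, or None if it is exact or unrelated."""
    domain = sender_domain(address)
    if domain in trusted:
        return None  # genuine sender; nothing to flag
    for good in trusted:
        if edit_distance(domain, good) <= max_dist:
            return good  # near miss: verify any payment change out of band
    return None


if __name__ == "__main__":
    # Constructed samples: an extra "s", a swapped pair of letters, a real sender.
    for addr in ("ap@example-constructions.com", "jane@assistant-ofifce.com",
                 "jane@assistant-office.com"):
        print(addr, "->", lookalike_of(addr))
```

A hit from `lookalike_of` is a signal for a manual callback to a known-good phone number, not proof of fraud on its own.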

Rijksmuseum Twenthe

Cybercriminals set their sights on big payoffs when they scam banks, corporations, government agencies, and other targets to steal money through BEC and EAC schemes. So it should be no surprise when they set their crosshairs on art dealers and museums, which trade in highly valued masterpieces.

Rijksmuseum Twenthe, a national museum in Enschede, Netherlands, lost $3.1 million to an EAC scammer posing as a well-known London art dealer. The museum had been negotiating over email for months with the dealer to buy the 1824 painting “A View of Hampstead Heath: Child’s Hill, Harrow in the Distance” by English landscape painter John Constable.

Somewhere along the way, a scammer either hijacked the dealer’s email account or created a convincing lookalike—the details are the subject of an ongoing lawsuit—and waited for the sale to close. The dealer shipped the painting. But when it came time to send the payment, the museum wired the money to an account in Hong Kong—not the seller’s. The scammer had “updated” the payment details in an earlier email.

The museum is suing the dealer, claiming the dealer was negligent in not noticing or intervening when the scammer compromised his account. The dealer is countersuing, saying the museum should have double-checked banking details before sending payment.

For now, the museum is holding the painting while litigation continues.

Conclusion and Recommendations

As these cases show, BEC and EAC are equal-opportunity scams. They target organizations of every size and people at every rung of the corporate ladder.

BEC and EAC are difficult to detect and prevent, especially with legacy tools, point products, and native cloud platform defenses. They don’t use malware or malicious URLs that can be analyzed with standard cyber defenses.

Fortunately, it’s never too late—or too early—to start developing a strong defense strategy for BEC/EAC. Because these attacks focus on human frailty rather than technical vulnerabilities, they require a people-centric defense that can prevent, detect, and respond to a wide range of BEC and EAC techniques.

Source: Proofpoint