Business Email Compromise: The New Billion Dollar Problem

Just today, it was reported that Austrian aircraft parts maker FACC AG lost €34M in an email scam. While €10.9M was recovered, the CFO and CEO were both fired earlier this year.

Donald ‘Mac’ McCarthy, from myNetWatchman, discussed business email compromise, or BEC. This is a form of social engineering attack that tricks people with financial authority into sending money to external parties controlled by the attacker.

It’s the latest form of financial fraud to take advantage of electronic funds transfers.

The threat actor starts with information that is publicly available, such as executive names and email addresses on company web sites. The actor takes the time to understand business relationships and then uses this knowledge to craft the email that begins the social engineering attack.

“You don’t have to be breached for your email credentials to be out there,” says McCarthy.

They find ways to compromise email accounts and then use the entry point to understand relationships between executives and external parties such as banks.

The elegance of this compromise, from the attacker’s point of view, is that the attacker never touches the victim’s systems or accesses the funds directly: the victim’s own staff send the money. It is wire fraud by email.

McCarthy dissected one such attack that resulted in the partner of a Hollywood celebrity wiring $287,490.53 to a third party. The precision of the amount is interesting. McCarthy says the last few digits often serve as a tracking code for the criminals, so they can follow the money as it moves through “mules” - people who receive the funds and then disperse them to other accounts.

One of the weapons the fraudsters use is look-alike domains. For example, substituting the letters “r” and “n” for the letter “m” in a domain name (so that “rn” reads as “m”) will often be missed by someone glancing at the sender address. Similarly, fraudsters register other domains that look similar to the expected domain name so they bypass casual inspection. One technique is to simply add the letter “s” to the end of a domain name.

MITE - Man in the Email

By registering look-alike domains, fraudsters can insert themselves into email communications. Once they gain access to someone’s email account, they add a mailbox rule that forwards email to an external address that looks very similar to the correct one. They then use what they read to understand relationships and processes inside the target organisation before launching the fraud.

Intercepted emails are still delivered to the legitimate address, so the victim is completely unaware that someone has been intercepting and reading their email.

Similar techniques can be used to create false customer accounts, which are then used to obtain credit notes or other financial transfers.

Tough to detect

Unlike malware attacks, whose messages are machine generated in bulk, BEC messages are hand-crafted by the threat actor for a specific target. This makes them much harder for automated systems to detect.

McCarthy says over 42,000 actors are actively executing BEC attacks, with about 40% operating from West Africa.

Many of the actors are very brazen, posting photos of themselves on social media with large wads of cash. McCarthy says they are all male and work together.

BEC is a $3B problem globally, with over $1B of losses reported in the US - although McCarthy speculates that the true figure is larger than reported, since smaller companies are not obligated to report breaches.

Mules are often recruited, sometimes unwittingly, through dating sites. They receive the initial transfer of funds and then pass them on to other parties. Pre-paid credit cards are sometimes used to capture the funds.

Financial institutions are generally not liable for the losses, because the customer actually authorised the transfer. However, some banks are getting better at detecting unusual transfers, and it’s important for employees to know which countries you routinely send money to, so that an unusual transfer is flagged before it happens.

Also, all email requests to move money need to be validated out-of-band, for example via a phone call to a number already on file, not one taken from the email itself.

McCarthy also noted that sender domain names should be checked using the Levenshtein distance, which highlights domains that are only a few character substitutions away from yours and are being used to send email that looks like it comes from your organisation.
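As an added example (not code from the article or from myNetWatchman), the following Python puts together the look-alike checks described above, the Levenshtein comparison McCarthy recommends, and an audit of mailbox forwarding rules for the man-in-the-email pattern. The organisation domain example.com, the confusable pairs other than “rn” for “m”, the sample sender domains, the sample inbox rules and the distance threshold of 2 are all assumptions constructed for illustration.

```python
"""Look-alike domain and mail-forwarding checks for BEC triage.

Added example: this is not code from the article or from myNetWatchman.
OUR_DOMAIN, the confusable pairs beyond "rn"/"m", the sample sender domains
and the sample inbox rules are all constructed for illustration.
"""

OUR_DOMAIN = "example.com"  # assumption: the organisation's real mail domain

# Character sequences that read like another letter in most fonts. The
# ("rn", "m") pair is the one the talk mentions; the others are assumptions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalise(label: str) -> str:
    """Collapse confusable sequences so 'exarnple' compares equal to 'example'."""
    label = label.lower()
    for seq, rep in CONFUSABLES:
        label = label.replace(seq, rep)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_domain(candidate: str, target: str = OUR_DOMAIN, threshold: int = 2):
    """Return (is_lookalike, reason) for a sender or forwarding-target domain.

    Checks, in order: exact match, our domain reused as a subdomain, same
    name under another TLD, confusable substitution (rn -> m), Levenshtein
    distance (catches the appended-"s" trick and other one- or two-character
    edits), and finally our name embedded in a longer name.
    """
    cand = candidate.lower().rstrip(".")
    target = target.lower()
    if cand == target:
        return False, "exact match"
    if cand.startswith(target + "."):
        return True, "our domain used as a subdomain of another domain"
    c_name, _, c_tld = cand.rpartition(".")
    t_name, _, t_tld = target.rpartition(".")
    if c_name == t_name:
        return True, f"same name, different TLD (.{c_tld} vs .{t_tld})"
    if normalise(c_name) == normalise(t_name):
        return True, "confusable character substitution (e.g. rn for m)"
    dist = levenshtein(normalise(c_name), normalise(t_name))
    if dist <= threshold:
        return True, f"Levenshtein distance {dist} from {target}"
    if t_name in c_name:
        return True, "our name embedded in a longer name"
    return False, f"Levenshtein distance {dist}"


# Constructed inbox rules in the shape a mailbox-rule audit might export.
# Attackers often give such a rule an inconspicuous name such as "." so it is
# overlooked in the rule list; the rules themselves are invented.
SAMPLE_RULES = [
    {"name": "Archive newsletters", "forward_to": []},
    {"name": "Copy to assistant", "forward_to": ["assistant@example.com"]},
    {"name": ".", "forward_to": ["cfo@exarnple.com"]},
    {"name": "Backup", "forward_to": ["someone@gmail.com"]},
]


def flag_forwarding_rules(rules, internal_domain: str = OUR_DOMAIN):
    """Flag rules that copy mail to an address outside the organisation.

    Returns (rule name, target address, verdict) tuples. A look-alike target
    is the man-in-the-email pattern; a plain external forward still needs a
    look, since attackers also forward to free webmail accounts.
    """
    findings = []
    for rule in rules:
        for addr in rule.get("forward_to", []):
            domain = addr.rpartition("@")[2]
            if domain.lower() == internal_domain.lower():
                continue
            lookalike, reason = classify_domain(domain, internal_domain)
            verdict = "LOOK-ALIKE: " + reason if lookalike else "external forward"
            findings.append((rule["name"], addr, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sender domains as they might appear in a mail-gateway log.
    for dom in ["example.com", "exarnple.com", "examples.com", "example.co",
                "example.com.evil.net", "example-corp.com", "unrelated-supplier.org"]:
        print(f"{dom:26} {classify_domain(dom)}")
    for finding in flag_forwarding_rules(SAMPLE_RULES):
        print(finding)
```

In practice you would feed classify_domain the sender domains from your mail gateway logs (and the domains your finance team pays) and feed flag_forwarding_rules the exported rule list from each mailbox. The threshold needs tuning: with short names a distance of 2 flags unrelated domains (sample.com is two edits from example.com), so raise the threshold only for long names and treat the distance as a triage signal rather than a verdict.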

“This is not a technical problem,” says McCarthy. “It’s a business process. If you structure your process well, this won’t be a threat”.

Tags: email scams, hackers, credentials, myNetWatchman, attackers, AusCERT2016, business email compromise, data protection, MITE, AusCERT conference
Stories by Anthony Caruana