Email fraud business email compromise (BEC) invoice fraud

Main article: Phishing

How the scheme works

Compromise of a corporate e-mail (English business email compromise or invoice fraud) is a fraud in which a criminal poses as a seller or business partner and convinces a company representative to transfer a large amount to an offshore account as "payment" for services that he has never provided. Usually, a fraudster carefully studies the interaction between two partners and the methods of payment for services used. The fraudster then breaks into the email mailbox of one of the partners or convincingly fakes a corporate e-mail to send an account or request for a bank transfer for the services provided.

Unfortunately, during the development of major email protocols, the cost of computing power, implementation, and ease of use were balanced against the risk of fraud. Initially, no way was developed to verify the identity of the sender, and as a result, it turned out that letter headers are very easy to fake. Often, companies do not understand that they have been the victim of fraud, and transfer funds to criminals.

Email compromise is targeted attacks based on social engineering techniques by which hackers force people to transfer money to their accounts

Most cyberattacks harm a company's reputation or undermine its competitiveness. Confidential information about the client or secret business plans can enter the public network, but this type of cyber attack usually does not cause direct financial damage. The compromise of corporate e-mail, on the contrary, leads to an immediate and often irreparable loss of funds.

Most of the defrauded companies are left without help - banks are not able to track this type of fraud, since the owners transfer money on their own. Many people give fraudsters a down payment on a mortgage, and small businesses mistakenly transfer a huge share of their meager funds to criminals. Sometimes the damage done turns out to be so great that entrepreneurs leave the business forever.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

A key technology known as Domain-based Message Authentication, Reporting, and Conformance, or DMARC, significantly reduces the ability of attackers to fake target domains and enterprise managers by checking the path from the send server to the recipient's mailbox. In addition, this technology allows organization email administrators to gain insight into how e-mail domain abuse occurs.

Main article: Domain-based Message Authentication, Reporting and Conformance

2023: Two-thirds of emails sent to companies in Russia by fraudsters

Two-thirds (68%) of emails are sent to companies in Russia by scammers. Such data according to the results of 2023 in January 2024 was published by the information security company Bi.Zone.

As Vedomosti writes with reference to this study, the share of phishing emails in 2023 increased by 70% compared to 2022. Every 137th letter in corporate mail turned out to be phishing.

Two-thirds (68%) of emails to companies in Russia are sent by scammers

MTS Red Soc confirmed the trend and reported that, according to the company, the growth in the number of phishing emails in 2023 amounted to about 57%, to 15 million messages. In 2022, there were 9.5 million of them. The peak of such mailings in 2023 was in May, June and December, said the representative of the Solar Group of Companies in a conversation with the publication.

As noted in Bi.Zone, attackers constantly use email as the main method of gaining initial access. In 2023, cybercriminals first used Russian remote access programs, while email became the distribution channel for such software.

Compared to 2022, the share of emails with malicious investments increased 2.4 times. The industrial sector has become the absolute leader: in this area, the percentage of letters with viruses is almost 6 times higher than the average. Hackers most often used malicious software (HPE) distributed using the MaaS model (malware-as-a-service, malware as a service). Its traces are found in more than 80% of malicious traffic arriving at corporate mail servers in 2023. This HVE is often acquired on shadow forums by attackers who do not have enough qualifications for self-development. This lowers the entry threshold for attacks.

The proportion of attacks in which an attacker pretends to be a trusted source decreased by 1.5 times in 2023. Bi.Zone experts note that cybercriminals have shifted their focus: more often spam and ads (including those with obscene content) are sent through hacked legitimate accounts.^[1]

2021: Phishing attacks hit IKEA through hacked Microsoft Exchange servers

At the end of November 2021, phishing attacks through hacked Microsoft Exchange servers hit IKEA. Attackers send malicious emails to the retailer's subsidiaries, as well as its partners. Read more here.

2020

T Plus partners are invited to fake public procurement using e-mail

In November 2020, T Plus reported fraud in which unidentified persons announce procurement procedures on behalf of an energy company. Swindlers send invitations to participate in the auction on behalf of the company, and also request information of various kinds from potential participants, including confidential information. Read more here.

Cyber ​ ​ fraudsters deceive entrepreneurs by promising operating payments by e-mail

On September 7, 2020, Kaspersky Lab announced a new fraud scheme in Russia aimed at small and medium-sized businesses using e-mail.

The entrepreneur receives a letter stating that an amount of several hundred thousand rubles has been credited to the user's internal accounting account. This is followed by a link to a document in a legitimate repository, the use of which allows campaign organizers to bypass security solutions. After clicking on the link, the recipient sees a notification of compensation due to him as "operating payments" from a certain financial institution.

If you click on the form, you will be redirected to a fraudulent resource. There, to complete the operation, it is proposed to create a personal account, create a password, and then pay a commission within three hours, otherwise the money will be returned to the sender.

A new scheme for deceiving entrepreneurs by e-mail has appeared in the Russian Federation

The name of the company (for example, PJSC SB-ACQUIRING) and location (Australia, Sydney), which are used in letters, are designed to give legitimacy to the fraudulent scheme.

At first glance, the fraudsters' site looks convincing - here is a message that payments are protected by the Infinite 3D Secure system, the company's address, and even some kind of license. However, the company with the specified data, of course, does not exist, - says the website of Kaspersky Lab.

The "commission" for identification in a fraudulent scheme is about 390 rubles

As a result, the user is asked to undergo mandatory identification, the "commission" for which is usually about 390 rubles - this is exactly the money that attackers receive if the operation is confirmed.

Specialists of the antivirus company advise entrepreneurs to be skeptical about messages about a large win or payment, check information about the organization, compensation and payments before clicking on the links from the letter, not create personal accounts on unverified resources.^[2]

The massive transition to work from home motivates hackers to steal through bank transfers

On June 3, 2020, Check Point announced that the massive transition to work from home motivates hackers to steal through bank transfers. Since everyone uses email for their work, hackers use fraud in corporate correspondence, or, as they call it, BEC (Business Email Compromise) fraud.

Typically, the BEC starts with cybercriminals hacking corporate mail and forging emails to impersonate one of the company's top executives, usually the CEO or CFO. Sometimes hackers pretend to be suppliers. Once inside the corporate network, the cybercriminal requests seemingly legitimate payment. The letter looks very believable, and it seems that it is received from the manager, so the employee reports. As a rule, attackers request a transfer of money or checks for storage. Not knowing this, the employee transfers funds to the selected bank account, which belongs to hackers.

In the case of BEC attacks, attackers use social engineering tactics to trick unsuspecting employees and executives. They mimic the role of any executive authorized to make or request electronic transfers. In addition, fraudsters scrutinize behavior and watch their potential victims and their companies for a long time, tracking all upcoming deals.

Usually such scams were carried out by one person. Recently, however, Check Point researchers have noted that these scams are becoming increasingly sophisticated and classify them as organized crime. In April 2020, Check Point researchers published an article about how the scheme was revealed, in which a cyber gang that researchers called a "Florentine banker" raised $1.3 million between three private equity firms. For months, members of the group studied their victims' emails, manipulating correspondence, registering similar domains and cashing out money at once. The intervention of Check Point Incident Response led to the recovery of just over half of the stolen amount, the remaining part was lost forever.

Check Point researchers believe that commercial organizations and venture capital firms are the main targets of BEC attacks, since hackers know that large organizations often transfer significant sums of money. Therefore, these organizations need to understand well how hackers can use them. What stages can be distinguished in such an attack?

1. Observation. After the attackers gain control of the victim's email account, they will start reading the emails. Cybercriminals can spend days, weeks or even months scouting, patiently mapping business schemes and standard procedures before intervening in communication
2. Control and isolation. Attackers begin to isolate the victim from third parties and colleagues, creating malicious mailbox rules. These email rules redirect any emails with filtered content or themes to a folder tracked by hackers, essentially creating a man-in-the-middle attack.
3. Similar setup. Attackers register similar domains, those that are visually similar to the legitimate domains of persons participating in the correspondence that they want to intercept. The attacker begins sending emails from similar domains. They either create a new dialogue or continue the existing one, thereby deceiving the target into believing that the source of the message is legitimate.
4. Request to transfer money. Attackers begin to enter information about their bank account using two methods:
5. * Interception of ordinary, legal transfers
6. * Create new bank transfer requests
7. Money transfer. Cybercriminals control the correspondence until a third party approves the new bank details and confirms the transaction. If the bank rejects the transaction due to a discrepancy in the currency of the account, the name of the recipient, or for any other reason, the attackers try to correct all errors as quickly as possible until the money falls into their own hands.

"We are in the midst of a massive paradigm shift in hacker activity. Hackers take full advantage of the fact that most people work from home. We see BEC scams as part of this trend. If a person works, runs or owns a business or organization, especially one that is sufficiently known and transfers large amounts of money, they should know that they are the target for such attacks. When he works from home, someone can control and manipulate each of his emails, especially if he is the same person in the company who is responsible for the money transactions. We expect that there will be more opportunities for intruders in 2020 and into the future, given the evolving culture of working from home, " noted Lotem Finkelstine, Head of Threat Analysis at Check Point

How to protect your organization from BEC attacks according to Check Point experts:

1. Enable multifactor authentication for business mail accounts. This type of authentication requires multiple pieces of login information, such as a password. The introduction of multifactor authentication makes it difficult for a cybercriminal to access employees' emails.
2. Do not open emails from unknown senders. If you accidentally do this, do not click on links or open attachments, since they often contain malware that gains access to the system.
3. Double-check the sender's email address. A fake email address often looks very similar to the email address of colleagues or partners.
4. Always check the transfer requirement before sending money or data. Develop a standard work procedure for employees to confirm email requests for bank transfers or confidential information.
5. Select the "forward" option rather than "reply" when responding to business letters. When sending an email, the correct address must be entered manually or selected from the address book. Forwarding ensures that the correct recipient email address is used.

Ransomware began to threaten sites with bad traffic and deprivation of income

In February 2020, a new email extortion scheme appeared, which is aimed at website owners who post advertising banners in the Google AdSense program. Ransomware is threatening site owners to flood their bot tratfics so Google's automated anti-fraud systems will block their account, depriving users of advertising revenue. Read more here.

2019

280 people arrested who lured tens of millions from companies

By mid-September 2019, law enforcement agencies in ten countries arrested 281 people suspected of fraud with large money transfers. For months FBI , coordinated the operation to arrest these scammers, who lured tens of millions from companies and individuals dollars by email.

These people fraudulently forced victims to transfer money to bank accounts controlled by fraudsters. They sent fake emails on behalf of company executives or other higher-ups requesting money transfers. According to the FBI, almost $3.7 million was seized during the raids. The evidence obtained as a result of the operation should lead to the seizure of another $118 million. In addition, "a number of exotic cars, plots of land in Lagos and real estate in Abuja" were arrested.

Law enforcement agencies of 10 countries arrested 281 people suspected of fraud with large money transfers

The worldwide Operation Rewired campaign lasted four months, during which raids were carried out in, USA,, Great Britain, Nigeria Turkey Ghana,,,,, and France Italy Japan Kenya Malaysia. At the same time, 167 arrested fraudsters turned out to be Nigerians.

Ibrahim Magu, who chairs Nigeria's Economic and Financial Crimes Commission, said the action is just an element of a larger campaign targeting a group of cybercriminals called Yahoo boys.

The FBI is urging employees of all companies that process money transfer requests by email to further verify the sender's identity and the authenticity of the request. From 2016 to September 2019, email fraud led to losses of more than $26 billion. It is now one of the most lucrative categories of cyber fraud and people should not lose their guard.^[3]

E-mail porn blackmail deprives people of tens of millions of dollars

In mid-June 2019, the FBI Internet Crime Center (IC3) released data on extortion by email. In 2018, the frequency of complaints about such letters increased by 242% (51,146 reported crimes), and the total losses amounted to $83 million.

Most extortion related to a campaign of porn blackmail, when victims received a letter threatening to send pornographic videos or other incriminating information from a given address through contacts of relatives, friends and colleagues. Experts advise not to panic, since usually hackers play on the basic instinct of shame and in reality their threats have no real basis.

Porn-related extortion increased 242% to 51,145 in 2018, FBI says

Criminals claim they hacked a webcam, obtained damning photos or videos or evidence of pornographic material viewed. However, most often hackers almost certainly do not have access to this type of information, if it exists at all, experts remind.

Criminals do not have to have hacking skills at all, they can simply use email addresses stolen from companies or obtained from other suppliers. Slightly more sophisticated scammers buy "dirty" passwords and include them as additional bait, claiming to have used the password to access sensitive information.

However, their threats have no basis, and fraudulent schemes of this kind work perfectly only because people, especially young people, believed in the collapse of privacy. This belief allows people to assume that someone may be spying on them or misrepresenting initially innocent information. When receiving such a letter, experts advise checking spam filters, changing passwords or using multifactorial authentication, as well as writing a statement to the police.^[4]

Fraudster lured $123 million from Google and Facebook

At the end of March 2019, the US Department of Justice indicted a Lithuanian citizen who lured $123 million from Google and Facebook. A fraudster who pleaded guilty deceived American companies by compromising a corporate e-mail. Read more here.

Diesel Jeans bankruptcy due to compromise of corporate e-mail

This type of fraud became so common that when Diesel Jeans filed for bankruptcy in March 2019, few people were surprised to learn that one of the reasons was the compromise of corporate e-mail. Fraudsters successfully impersonated the CEO of the company Mattel in a series of mailings with fake accounts, which brought Diesel Jeans losses of $3 million. Losses also suffered Google. Facebook

2018: Fraudsters steal $12 billion through compromise of corporate e-mail

According to the FBI, between December 2016 and May 2018, the total amount that fraudsters tried to lure out by compromising corporate e-mail increased by 136%. In general, between October 2013 and May 2018, fraudsters stole more than $12 billion worldwide; only a small proportion of this money returned to the owners.

2017

Tillage Commodities lost 64% of its capital after compromising corporate e-mail

In 2017, Connecticut-based trading company Tillage Commodities lost 64% of its total capital after compromising corporate e-mail in just 21 days. The Emergency Exchange Trading Commission later fined the company $150,000 for not controlling its funds.

The Federal Tax Service of Russia has protected its postal domain

Federal Tax Service of Russia became one of the first government organizations that, together with Post specialists Mail.Ru , applied modern means of protection, configuring SPF, DKIM and DMARC for its mail domain. As a result of this work, attackers will no longer be able to use the name of the nalog.ru mail domain to send phishing emails to any large email services that use the DMARC specification to authenticate email senders.

Currently used basic SMTP Simple Mail Transfer Protocol - Simple mail transfer protocol does not allow authentication of external senders at the proper level. That is, when sending a letter in the From: field, you can substitute any address. A specialist can recognize a fake email address: it is necessary to check the headers, service information, server and IP from which the letter was received. When using the DMARC standard, verification will be performed automatically by the recipient's mail server. By configuring DMARC, mail server owners can block the receipt of emails from domains that have not passed authorization. Thus, DMARC allows you to identify and suppress the substitution of the sender's return address, which is used by spammers for fake mailings on behalf of a reputable company.

How not to get caught by scammers

The FBI and the US Department of Homeland Security remind that all organizations and enterprises that make large transactions can take a number of simple measures to avoid this kind of fraud associated with compromising email. This applies to companies of all sizes and to individuals who conduct large financial transactions, such as home purchases.

Companies should warn their employees about the risks of compromising business mail and create a checklist of actions for the finance department, experts say

Experts recommend telling employees what this type of fraud is and how bills should be assessed. Employees should be especially careful in cases of a sudden change in the terms of payment, or when the supplier asks to send funds to a bank account that is different from the usual one. In large deals, it is better to introduce rules requiring all payment transfers to be signed by both parties. Thus, the powers will not be in the hands of one person, and the fraudster will not be able to lure money from him. In addition, it is recommended to discuss with the bank the possibility of creating special protocols - for example, voice verification during a bank transfer.

Companies found to have been victims of fraud should call the sending bank immediately and withdraw the transfer if possible. All communications and other evidence related to the incident should be retained until the trial. U.S. fraud victims can file a complaint at www.ic3.gov to protect others.^[5]

Notes