Another big Business Email Compromise (BEC, also known as “CEO Fraud”) was recently announced: Belgian Bank Loses €70 Million to Classic CEO Fraud Social Engineering Trick
Belgian Bank Crelan has announced that it was the victim of a fraud campaign and lost over €70 million ($75.8 million) in the process. [In the attack] the sender tries to pose as a business partner or even someone from the company itself, asking the recipient to transfer money to a desired account to finalize an urgent business transaction. The email uses legitimate graphics and a lookalike domain name, trying to fool distraught employees and have them transfer the money without double-checking with somebody from inside the company first.
This is on top of the $46 million that was defrauded from Ubiquiti Networks through the same kind of scam about nine months ago.
Here’s an example of what a real BEC attempt looks like (thanks to Tom Kemp, CEO of Centrify Corporation):
The way to protect your organization is by strengthening your people, process, and technologies. The Internet Crime Complaint Center (IC3) offers this list of actions, which I think is very good:
- People: Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Process:
- Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
- Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e‑mail request.
- Carefully scrutinize all e‑mail requests for transfer of funds to determine if the requests are out of the ordinary.
- Technology:
- Create intrusion detection system rules that flag e‑mails with extensions that are similar to company e‑mail. For example, legitimate e‑mail of abc_company.com would flag fraudulent e‑mail of abc-company.com.
- Register all company domains that are slightly different than the actual company domain.
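The two technology items above (flag inbound mail from domains that resemble the company's own, and enumerate the lookalike domains worth registering) can be prototyped in a few dozen lines. The following is an added example, not code from the post or from IC3: it takes the IC3 sample domain abc_company.com, normalises sender domains by stripping separators and undoing common character look-alikes, compares them by edit distance, and generates the variant list. The homoglyph table, the TLD list and the sample "From:" headers are constructed assumptions for the demonstration.

```python
"""Flag lookalike sender domains and enumerate variants to register.

Added example (not from the original post or from IC3). The company
domain abc_company.com comes from the IC3 text; the homoglyph table,
TLD list and sample mail headers below are constructed assumptions.
"""
import re

COMPANY_DOMAIN = "abc_company.com"

# Characters attackers substitute because they look alike on screen (assumed list).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
# Map back to a canonical form so "c0mpany" and "cornpany" compare equal to "company".
REVERSE = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"}
SEPARATORS = ["_", "-", ""]
TLDS = ["com", "co", "net", "org", "cm"]  # TLDs commonly used for lookalikes (assumption)


def split_domain(domain):
    """'abc_company.com' -> ('abc_company', 'com')."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def canonical(label):
    """Strip separators and undo homoglyph substitutions for comparison."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return "".join(REVERSE.get(ch, ch) for ch in label if ch not in "_-")


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain, company_domain=COMPANY_DOMAIN, max_distance=2):
    """True if sender_domain is confusingly similar to, but not equal to, company_domain."""
    sender_domain, company_domain = sender_domain.lower(), company_domain.lower()
    if sender_domain == company_domain:
        return False
    s_label, _ = split_domain(sender_domain)
    c_label, _ = split_domain(company_domain)
    s_canon, c_canon = canonical(s_label), canonical(c_label)
    # Equal canonical labels catch separator swaps, homoglyphs and TLD swaps;
    # a small edit distance catches typos, transpositions and inserted characters.
    return s_canon == c_canon or levenshtein(s_canon, c_canon) <= max_distance


def lookalike_variants(domain=COMPANY_DOMAIN):
    """Enumerate variants a company might register defensively (IC3's second item)."""
    label, tld = split_domain(domain)
    labels = set()
    for sep in SEPARATORS:  # abc-company, abccompany, ...
        labels.add(re.sub(r"[_-]", sep, label))
    for i, ch in enumerate(label):  # single homoglyph, deletion, adjacent transposition
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        labels.add(label[:i] + label[i + 1:])
        if i + 1 < len(label):
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    variants = {f"{lab}.{t}" for lab in labels for t in TLDS if lab}
    variants.discard(domain.lower())
    return sorted(variants)


def sender_domain(header):
    """Pull the domain out of a 'From:' header line; None if absent."""
    m = re.search(r"@([\w.-]+)", header)
    return m.group(1).lower() if m else None


# Constructed sample headers: one genuine, two lookalikes, one unrelated partner.
SAMPLE_HEADERS = [
    "From: CFO <cfo@abc_company.com>",
    "From: CFO <cfo@abc-company.com>",
    "From: Accounts <ap@vendor-example.net>",
    "From: CEO <ceo@abc_c0mpany.com>",
]


def flag_messages(headers=SAMPLE_HEADERS, company_domain=COMPANY_DOMAIN):
    """Return the sender domains that should be held for manual review."""
    flagged = []
    for header in headers:
        domain = sender_domain(header)
        if domain and is_lookalike(domain, company_domain):
            flagged.append(domain)
    return flagged


if __name__ == "__main__":
    print("flagged:", flag_messages())
    print("variants to consider registering:", len(lookalike_variants()))
```

Two caveats when turning this into a real mail-gateway rule: the edit-distance threshold should be lowered for short company names, or every unrelated short domain will match; and the IC3 example domain contains an underscore, which registries do not accept in domain names (labels are letters, digits and hyphens), so the registrable variants are the hyphenated and joined forms plus the TLD swaps.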
Any reason to not make these changes? Would you add any others?