Bank Lost $75 Million to CEO Fraud

Another big Busi­ness Email Com­pro­mise (BEC, also known as “CEO Fraud”) was recent­ly announced: Belgian Bank Los­es €70 Mil­lion to Clas­sic CEO Fraud Social Engi­neer­ing Trick

Bel­gian Bank Cre­lan has announced that it was the vic­tim of a fraud cam­paign and lost over €70 mil­lion ($75.8 mil­lion) in the process. [In the attack] the sender tries to pose as a busi­ness part­ner or even some­one from the com­pa­ny itself, ask­ing the recip­i­ent to trans­fer mon­ey to a desired account to final­ize an urgent busi­ness trans­ac­tion. The email uses legit­i­mate graph­ics and a looka­like domain name, try­ing to fool dis­traught employ­ees and have them trans­fer the mon­ey with­out dou­ble-check­ing with some­body from inside the com­pa­ny first.

This is on top of the $46 mil­lion that was defraud­ed from Ubiq­ui­ti Net­works through the same exploit about nine months ago.

Here’s an exam­ple of what a real BEC attempt looks like (thanks to Tom Kemp, CEO of Cen­tri­fy Cor­po­ra­tion):

BEC

The way to pro­tect your orga­ni­za­tion is by strength­en­ing your peo­ple, process, and tech­nolo­gies. The Inter­net Crime Com­plaint Cen­ter (IC3) offers this list of action, which I think is very good:

  • Peo­ple: Know the habits of your cus­tomers, includ­ing the details of, rea­sons behind, and amount of pay­ments.
  • Process:
    • Ver­i­fy changes in ven­dor pay­ment loca­tion by adding addi­tion­al two-fac­tor authen­ti­ca­tion such as hav­ing a sec­ondary sign- off by com­pa­ny per­son­nel.
    • Con­firm requests for trans­fers of funds. When using phone ver­i­fi­ca­tion as part of the two-fac­tor authen­ti­ca­tion, use pre­vi­ous­ly known num­bers, not the num­bers pro­vid­ed in the e‑mail request.
    • Care­ful­ly scru­ti­nize all e‑mail requests for trans­fer of funds to deter­mine if the requests are out of the ordi­nary.
  • Tech­nol­o­gy:
    • Cre­ate intru­sion detec­tion sys­tem rules that flag e‑mails with exten­sions that are sim­i­lar to com­pa­ny e‑mail. For exam­ple, legit­i­mate e‑mail of abc_company.com would flag fraud­u­lent e‑mail of abc-company.com.
    • Reg­is­ter all com­pa­ny domains that are slight­ly dif­fer­ent than the actu­al com­pa­ny domain.

Any rea­son to not make these changes? Would you add any oth­ers?

Please note: I reserve the right to delete comments that are offensive or off-topic.