Email, widely used for business purposes, is inherently insecure. Criminals exploit the insecurity of email by intercepting it and changing or compromising the information the actual sender communicates. This cybercrime has become known as business email compromise (BEC).
In 2020, the FBI described BECs as “the $26 billion scam”, referring to the global losses reported in 2019. Sadly, neither law enforcement nor the banks provide statistics for BEC losses in other countries. But the risk of BEC has grown exponentially in recent years.
BECs are a genuine risk to businesses and their clients.
A BEC is one of the most financially damaging cybercrimes.
Unless you understand the risk, it’s impossible to protect against it.
This post provides a background to how cyber criminals commit a BEC. We also advise on safeguards you can establish to protect against the risk of BEC.
The setup
As with most commercial cybercrimes, BECs are carefully set up.
The criminals need to control bank accounts into which they can divert money and from which it can be moved on to other accounts, often in foreign countries. This makes the money difficult to trace and to recover.
To do this, they use “money mules”. Money mules are typically paid a sum of money (which may be significant to them, but in the scheme of the crime is insignificant) to open a bank account legitimately. Once the account is opened, the money mule provides the criminals with the credentials and information necessary to control and operate it. Banks opening these accounts follow the necessary “know your client” and FICA procedures in doing so, and will not know that the account is or will be operated by criminals.
The next part of the setup is obtaining the email credentials of potential victims, which give the criminals control of the mailboxes through which the email communication passes. These credentials may be obtained in several ways, but phishing is the typical method. We are constantly warned by financial institutions and others not to give our personal information to third parties, yet even very clever and tech-savvy people are known to be caught by phishing expeditions. There are other methods of obtaining these credentials, but it is beyond the scope of this post to explore them all.
Once the criminals gain access to the email box, they can monitor communications and ascertain when one party will pay another.
The confidence trick
BECs are a confidence trick or “con”.
The trick is that the criminals pretend to be the person the intended payor is communicating with, and they con the payor into making a payment to a bank account they operate.
The payor makes the payment in the confident, but incorrect, belief that the bank account belongs to the rightful recipient. This confidence is often secured because, for the most part, the email threads are perfectly legitimate, and the recipient of the altered email is lulled into a false sense of security.
Once the criminals gain control of a mailbox, they can set the rules governing how its email is handled. They can ensure that some emails never reach the intended recipient, or they subtly change or replace them with their own emails in a manner that security controls cannot detect. They are also able to route emails to an email address so similar to a legitimate one that it is highly unlikely anyone will notice the change.
Unprotected attachments are as susceptible to alteration as the text of the email itself. It is a widely held, but untrue, belief that PDF documents cannot be changed.
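The two mailbox tricks described above, rules that quietly divert or bin mail and sender addresses that imitate a legitimate domain, are both things a defender can check for. The following is an added Python example, not code from the original post or its authors: the mailbox rules, addresses and domains are constructed for illustration, and the list of "hiding" folders and the homoglyph map are assumptions chosen for the example.

```python
"""Defender-side checks for two BEC mechanisms: mailbox rules that divert,
delete or hide mail, and lookalike sender domains. All data is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Keywords that, on a diverting rule, indicate interest in payment traffic (assumption).
FINANCIAL_KEYWORDS = {"invoice", "payment", "bank", "wire", "remittance", "statement"}
# Folders users rarely open, so a "move to" rule effectively hides mail (assumption).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}


@dataclass
class MailboxRule:
    """Simplified representation of a mailbox rule (constructed for the example)."""
    name: str
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False
    move_to_folder: Optional[str] = None
    keywords: List[str] = field(default_factory=list)


def flag_suspicious_rules(rules: List[MailboxRule], internal_domain: str) -> List[Tuple[str, str, List[str]]]:
    """Return (rule name, severity, reasons) for rules that divert, delete or hide mail.
    Severity is 'high' when the rule also matches financial keywords."""
    findings = []
    internal = "@" + internal_domain.lower()
    for rule in rules:
        reasons = []
        for addr in rule.forward_to:
            if not addr.lower().endswith(internal):
                reasons.append(f"forwards to external address {addr}")
        if rule.delete:
            reasons.append("deletes matching mail")
        if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
            reasons.append(f"moves matching mail to rarely read folder '{rule.move_to_folder}'")
        if not reasons:
            continue  # rule neither diverts nor hides anything
        financial = any(k.lower() in FINANCIAL_KEYWORDS for k in rule.keywords)
        findings.append((rule.name, "high" if financial else "medium", reasons))
    return findings


# Characters commonly swapped for visually similar ones (assumption, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize_domain(domain: str) -> str:
    """Fold a domain to a canonical form so visual lookalikes compare equal."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1 (so a typo-swapped domain scores 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_domain(sender: str, trusted_domains: List[str], max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain the sender's domain imitates, or None if it is
    either exactly trusted or not close enough to any trusted domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in {t.lower() for t in trusted_domains}:
        return None
    norm = normalize_domain(domain)
    for trusted in trusted_domains:
        if edit_distance(norm, normalize_domain(trusted)) <= max_distance:
            return trusted
    return None


# Constructed sample rules, as a compromised mailbox might contain them.
SAMPLE_RULES = [
    MailboxRule("Invoices to backup", forward_to=["finance.backup@example.net"], keywords=["invoice", "payment"]),
    MailboxRule("Hide bank mail", delete=True, keywords=["bank"]),
    MailboxRule("Newsletters", move_to_folder="Newsletters", keywords=["newsletter"]),
    MailboxRule("Internal copy", forward_to=["cfo@example.com"], keywords=["invoice"]),
]

if __name__ == "__main__":
    for name, severity, reasons in flag_suspicious_rules(SAMPLE_RULES, "example.com"):
        print(f"[{severity}] {name}: {'; '.join(reasons)}")
    for sender in ["accounts@exarnple.com", "accounts@examp1e.com", "accounts@example.com"]:
        print(sender, "->", lookalike_domain(sender, ["example.com"]))
```

Run over a real tenant, the rule check would take its input from the mail platform's rule listing rather than the constructed list; the lookalike check is meant for the moment a counterparty's address changes mid-thread, which is exactly when the page's "sting" happens.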
The sting
Once the crime has been set up and the criminal controls the communications, they can execute the sting. They intercept an email and its attachments and replace the bank account details the payor should pay into with those of a bank account under their control.
Once the payor has paid into the bank account opened by the money mule but controlled by the criminal, the criminal quickly routes the money through other bank accounts into a bank account in a foreign country. This makes it very difficult, and probably impossible, to hold the kingpins behind the sting accountable and to recover the loss.
The sting is complete.
The victims
The most obvious victim is the payor, who in good faith has paid the wrong payee. But the payee may also be a victim. They may have already delivered goods or services and not received payment. Even if they have a claim against the payor, it may be that the payor simply does not have sufficient money to make a second payment. Even if goods and services have not been delivered, the intended payee may lose a deal simply because the payor is unable to fund their purchase.
The payee may also be a victim and suffer loss if they fail to exercise proper care in communicating with potential payors.
Duty of care
We all have a duty of care to protect against risks that may cause loss or damage to others. BECs are a well-known risk, and you must take care that your actions, and the way you communicate payment information, do not contribute to losses suffered by third parties.
Email is insecure and should not be used for sensitive communications, particularly in communicating financial information.
A failure to take proper care may result in liability (or contributory liability) by the payee to victims of a BEC.
Criminal liability
While it is obvious that a crime has been committed, the kingpins behind BECs are mostly unknown and very rarely prosecuted. They may operate from foreign jurisdictions, and law enforcement is then unable to properly investigate and prosecute them.
The money mule is an accomplice in the crime. Some have been prosecuted and punished, but this is cold comfort to victims of a BEC, who are unable to recover their loss from the money mule, who is typically poor.
Actions you can take
Protect your organisation against the risk of BEC by asking us for help.