The action is not sophisticated: the financial officer of a company receives an email in which its executive director or CEO asks him to transfer a sum of money to a business partner.
There is nothing strange in the message. Nothing sets off alarms. It is the boss giving an order, and since this falls within the normal duties of the person who handles finances, there would seem to be nothing to verify.
However, hours or days later, when the other party to the deal reports that the transfer has not arrived, the office realizes that there was an error, and that the situation is serious.
The money has been sent through a web of bank accounts, some of them outside the country, so it is very difficult to get the banks to stop the transaction in time. Sometimes part of the funds is recovered, but at other times the cybercriminals have already vanished with what is not theirs, after imitating the CEO's email and deceiving an employee.
This is known as Business Email Compromise (BEC), which in Spanish is rendered as compromised corporate email, one of the forms of cyberattack aimed directly at a company's finances.
A worldwide scam with many zeros
According to figures provided by the FBI, this type of fraud has generated worldwide losses of at least $26 billion since 2016. And all through a relatively unsophisticated attack which, according to a BBC report, depends more on social engineering and deception than on traditional hacking.
The conclusion offered by cybersecurity experts is that email cannot be trusted when it comes to sensitive matters linked to finance, no matter how powerful a company is.
According to the report, at the beginning of September 281 alleged hackers were arrested in 10 different countries as part of a massive operation against global cybercriminal networks linked to these types of scams.
“Compromised corporate email is the most expensive problem in all of cybersecurity,” says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, a cybersecurity company based in California. “There is no other form of cybercrime with the same degree of scope in terms of monetary losses.”
For Kalember, over the last year the tactics have evolved in several ways. At first, attackers focused on the highest-level executives of large companies, whether chief executives or chief financial officers, who do not have much time to carry out checks before ordering a transfer.
But the focus has also been directed at lower-ranking staff.
Smaller-scale attackers, but equally harmful ones, manage to imitate the email of an ordinary employee and from there ask the company to pay that employee's monthly salary into a new bank account, that is, one that belongs to the criminals.
How they operate
Another peculiarity is that, according to Proofpoint, more than 30% of BEC-style emails arrive on Mondays, when attackers try to capitalize on work left pending over the weekend.
“The attackers know how people and offices work,” Kalember says. “They depend on people making mistakes and have a lot of experience with what works. It is not a technical vulnerability, it is a human error.”
Attackers also usually put a “Re:” or a “Fwd:” at the beginning of the subject line of their emails, so that the message appears to be part of a previous conversation and thus gains credibility.
Fraudulent attempts using this technique, according to the researchers, have increased by more than 50% year-over-year.
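As an added example (not from the article, the BBC report or Proofpoint), the following Python triage check flags the tactics described above on the defender's side: a “Re:”/“Fwd:” subject on a message that carries no thread headers, an executive's display name on an address that is not the one on file, and a Reply-To that redirects answers to a different domain. The company domain, the executive directory and the two sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's own domain and
# the executives whose names an attacker would most plausibly imitate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"ana garcia": "ana.garcia@example.com"}

THREAD_PREFIX = re.compile(r"^\s*(re|fwd?|fw)\s*:", re.IGNORECASE)


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in the headers of one RFC 5322 message.

    These are triage signals for a reviewer, not a verdict: a genuine forward
    can also lack References, so findings should be confirmed out of band."""
    msg = message_from_string(raw_message)
    findings = []

    # A reply or forward normally carries In-Reply-To or References; a subject
    # that only pretends to continue a thread has neither.
    subject = msg.get("Subject", "")
    if THREAD_PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("reply_prefix_without_thread_headers")

    # Display-name impersonation: the name is an executive's, the address is not.
    display_name, address = parseaddr(msg.get("From", ""))
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        findings.append("executive_display_name_mismatch")

    # Replies quietly routed to another domain than the one the mail came from.
    sender_domain = address.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append("reply_to_domain_differs_from_from")

    return findings


# Constructed sample: a fake forwarded thread "from the CEO" on a lookalike
# domain (examp1e.com), with no thread headers and replies sent elsewhere.
SAMPLE_BEC = """From: Ana Garcia <ana.garcia@examp1e.com>
Reply-To: ceo.office@mail-relay.invalid
To: finance@example.com
Subject: Fwd: Urgent wire to new supplier
Message-ID: <1@examp1e.com>

Please process the attached invoice today.
"""

# Constructed sample: a genuine reply from the real executive address.
SAMPLE_LEGIT = """From: Ana Garcia <ana.garcia@example.com>
To: finance@example.com
Subject: Re: Q3 budget
In-Reply-To: <abc@example.com>
References: <abc@example.com>
Message-ID: <2@example.com>

Thanks, approved.
"""
```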
“One of the reasons why this problem is particularly difficult to eradicate is that it depends on the systematic risk that all of us trust email as a means of communication,” says Kalember.
According to Pindrop Security, an information security company based in Atlanta, Georgia, companies in the United States lost more than $246 million in 2015 to CEO fraud, exceeding the losses generated by other attacks such as phishing, vishing, ransomware and credit card fraud.
That year, the FBI reportedly received more than 7,800 complaints about BEC scams.
Credit card fraud losses totaled about $41 million, while corporate data breach losses exceeded $39 million.