There's a reason Business Email Compromise is on every SecureWorld conference agenda this year.
Actually, in this example alone, there are 29 million reasons.
BEC fraud: U.S. employee tricked into transferring millions
Nikkei, a Japanese media company, posted a short note on its website revealing that a U.S.-based employee fell for a hacker's BEC scam.
"In late September 2019, an employee of Nikkei America, Inc. (New York City, United States)... had transferred approximately 29 million United States dollars of Nikkei America funds...."
How did the Nikkei BEC scam work?
Although Nikkei provided limited specifics, it did reveal how the cybercriminals socially engineered the employee:
"...based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei."
In other words, the employee thought they were communicating with a company executive who wanted the $29 million to be sent to a specific account. Instead, it was a hacker or hacker group directing the money into their own pockets.
This type of ruse is sometimes referred to as CEO fraud.
Cybercriminals target someone specific within an organization: someone who has access to the money and would also be likely to want to please an executive requesting help. That request from the hacker posing as an executive is typically urgent and often for a "confidential" business transaction that should not be discussed. Oftentimes, they also suggest taking the conversation offline.
The employee often responds quickly and keeps the transfer to themselves (as requested), so the money is gone by the time the BEC scam comes to light.
BEC losses growing, attacks becoming more sophisticated
Global losses from BEC have reached $26 billion over the last six years, according to the United States government.
And with profits like that, smart and sophisticated cybercriminals are creating enterprise business model operations. "They're very successful. They're very good at what they do. And they run just like an actual business," Special Agent Christopher McMahon tells SecureWorld.
McMahon is one of the key BEC fraud investigators for the U.S. Secret Service, and he's keynoting SecureWorld Seattle on November 13-14.
Enterprise cybercrime operations focused on BEC
McMahon explains how these cybercrime organizations operate when it comes to Business Email Compromise fraud:
"They have the CEO level where you are giving direction on what to do. And at the end of the day, they get a cut of the money that comes through. So you are kind of the strategy person.
Then under them, you'll have an HR function where you're recruiting people and you are managing the people that you recruit into the fraudulent world.
And then you'll have your IT people who either develop the malware or they'll go out and buy malware... to infiltrate the computers or the systems that they're looking to do... in order to commit the crime.
And then under that, you'll have runners or mules where those people are the ones that are actually passing the money. And so it truly is like an organization."
In this case, it likely was a criminal organization stealing from a legitimate one. Nikkei America is out $29 million, plus mounting costs from an investigation the company announced:
"Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the U.S. and Hong Kong."
There is also a lesson here for everyone in every organization. If you get any kind of request via email that involves changes to how funds are moved or a new transfer request, speak to the person supposedly making the request. "I always suggest picking up the phone and calling," says Agent McMahon.
Because with millions in profits on the line, hacking operations can afford to spend weeks or even months perfecting every detail of digital communication.
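One way a defender can turn the CEO-fraud pattern described above into mail-flow logic, added here as an example that is not part of the original article: it checks a message for the cues the article names (an executive's display name arriving from an outside domain, urgency, secrecy, a push to take the conversation offline, a new or changed transfer) and holds it for the phone-call verification Agent McMahon recommends. The executive roster, domains and sample email are constructed placeholders, not Nikkei's.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed executive roster: display name -> the only domain that name should mail from.
# Placeholder values, not Nikkei's staff.
EXECUTIVES = {"alex mori": "example-corp.com"}

# Lures matching the pattern described in the article: urgency, secrecy,
# taking the conversation off email, and a new or changed funds transfer.
LURES = {
    "urgency": r"\b(urgent|asap|immediately|right away|today)\b",
    "secrecy": r"\b(confidential|do not discuss|keep this between us|discreet)\b",
    "offline": r"\b(text me|call my (?:cell|mobile)|whatsapp|personal (?:phone|email))\b",
    "transfer": r"\b(wire|transfer|payment|new account|bank details|beneficiary)\b",
}

def bec_indicators(raw: str) -> list[str]:
    """Return the names of all CEO-fraud indicators present in one raw email."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    hits = [k for k, p in LURES.items() if re.search(p, text)]
    # Display name of a known executive, but sent from a domain that is not ours.
    home = EXECUTIVES.get(name.strip().lower())
    if home and domain != home:
        hits.append("exec_name_external_domain")
    # Replies are routed to a different domain than the one that sent the message.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        hits.append("reply_to_mismatch")
    return hits

def should_hold_for_verification(raw: str, threshold: int = 3) -> bool:
    """Hold the message for an out-of-band phone check when enough indicators stack up."""
    return len(bec_indicators(raw)) >= threshold

# Constructed sample message (the real Nikkei email was never published).
SAMPLE = """From: Alex Mori <alex.mori@examp1e-corp.com>
Reply-To: alex.mori.ceo@freemail.example
To: ap@example-corp.com
Subject: Urgent and confidential wire

I am closing a confidential acquisition today and need a wire sent to a new account.
Do not discuss this with anyone. Text me on my cell if you have questions.
"""
```

Calling `bec_indicators(SAMPLE)` returns all six indicators, so `should_hold_for_verification(SAMPLE)` is true; a routine budget email from the executive's real domain returns none.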