By SecureWorld News Team
Wed | Oct 24, 2018 | 4:27 AM PDT

“A client of ours had a brand new controller join the company. Within a week or two of getting there, the controller began to get emails from who they thought was the CEO about a confidential deal being worked on,” says Aravind Swaminathan, cybersecurity and data privacy attorney at Orrick LLP.

The "CEO" who was really a bad actor told this new controller it was great to have them on the team, that the company needed someone with that skill set, and that the CEO would soon be needing a series of transfers to get the confidential deal rolling. 

"Over a course of time, the new controller wired out nearly $20 million to an account in Asia."

It's likely the bad actor did a few minutes of research on social media and saw this person was at a new company in a key role.

This is an example of Business Email Compromise (BEC), showing both how it works and why it works.

It is really about trust, and sophisticated hackers are good at building it.

Washington D.C. phished by someone posing as a vendor

Another example of how a BEC phishing attack works comes from Washington D.C.'s government, which just confirmed it was a victim of business email compromise in 2018.

It unknowingly paid a hacker $690,000 and change. Here was the setup:

The District of Columbia is in the design build phase of a new housing project for homeless residents. The name of the contractor for the project is public information, of course.

A hacker created an email address that was one letter off from that contractor's actual email and, according to The Washington Post, asked for a change in the payment method:

"Using the email, the hacker asked that the city begin processing vendor payments through electronic transfer rather than checks. The city then paid several outstanding invoices to the new account the hacker had specified."
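The two signals in that case, a sender domain one character away from a known vendor and a request to change how payments are made, are both mechanically checkable. The following is an added illustration, not code from SecureWorld or from the District's systems; the vendor domains, keyword patterns and sample message are constructed for the example.

```python
import re
from typing import Optional

# Constructed allowlist of vendor domains finance staff actually deal with (hypothetical).
TRUSTED_DOMAINS = {"acmebuilders.example", "cityhousing.example"}

# Phrases typical of a payment-redirection request; re.S lets ".{0,80}" span line breaks.
PAYMENT_CHANGE_PATTERNS = [
    r"\b(change|update|switch|new)\b.{0,80}\b(payment|bank|account|wire|routing)\b",
    r"\b(electronic transfer|wire|ach)\b.{0,80}\b(rather than|instead of)\b.{0,40}\bchecks?\b",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain the sender's domain imitates, or None if it is exact or unrelated."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None  # genuine vendor domain
    for good in trusted:
        if levenshtein(domain, good) <= max_distance:
            return good
    return None


def requests_payment_change(body: str) -> bool:
    """True when the body asks to alter the payment method, account or routing."""
    text = body.lower()
    return any(re.search(p, text, flags=re.S) for p in PAYMENT_CHANGE_PATTERNS)


def assess(sender: str, body: str) -> list[str]:
    """Return the BEC indicators found in one message; an empty list means nothing flagged."""
    findings = []
    target = lookalike_of(sender)
    if target:
        findings.append(f"sender domain is one edit away from trusted vendor {target}")
    if requests_payment_change(body):
        findings.append("message asks to change payment method or account")
    return findings
```

Either finding on its own should route the message to an out-of-band callback to the vendor at a phone number already on file; both together are the pattern described above.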

Nearly $700k gone before you even know you are a victim. For hackers, BEC is a fantastic business model. 

“You need to arm your users for battle, and a battle is what it is,” says KnowBe4's Erich Kron, who has been in InfoSec for 18 years.

“It takes a lot of effort to get past perimeters now, so attackers are really focusing on your employees to get the best ROI.”

Resource: How to limit phishing and BEC risk

For all kinds of insights into the problem of BEC, knowing your attacker, and mitigation through best practices, watch this SecureWorld web conference on-demand. It's complimentary and loaded with ideas you can use to help increase the security of your organization right away. 

And while you're at it, check out our other online cybersecurity learning options:

Ransomware Risk and Mitigation web conference

Orchestrating Machine Identities, IoT, Root of Trust web conference

2018 User Risk Report web conference

Steps to Secure Cloud Migration web conference

Cryptomining Risk and Mitigation web conference

How to Implement Zero Trust web conference
