Cybercriminals are developing smarter tactics for scamming businesses, gaining the trust of target employees they're attempting to trick with business email compromise (BEC) schemes well before actually duping them into transferring payments.
BEC - or CEO fraud - is carried out by hackers who've managed to become so familiar with a business that they've gained knowledge of management roles - information they've usually gained through a successful phishing scheme, or even just from the public domain.
Using this inside information, they generate a fake email which looks like it has been sent by senior management requesting a financial transfer be made -- but the money isn't transferred within the organisation, but rather into the wallets of online criminals. The scheme has become so successful the FBI has warned that $3.1 billion has been lost to CEO scams.
Rather than just sending a message requesting a financial transfer out of the blue as in other phishing schemes, these fraudsters attempt to gain the trust of their victims before asking for the fraudulent payment to be made.
Researchers at Symantec have noted that these scammers are now using informal and familiar language in emails sent to gain trust of their victim and don't reveal that they want a payment until they believe that the victim will comply with the request.
For example, the scammers will ask the victim if they're at their desk or if they're in the office that day, before moving onto the subject of a transfer and how to do it. In this case, they claim to be a member of senior management who wants a payment to be made to a private account, but with promises of an invoice at a later time.
Naturally, no invoice will ever arrive, the scammer has got what they wanted. In this case it was $10,000 dollars -- a figure which was arrived at when the scammer realised, through their email interactions with the victim, that's the highest they could receive according to the company's rules.
The use of this technique is growing; email security researchers at Symantec note that June saw 20 percent of these schemes attempt to gain trust before asking for the payment, while 60 percent the emails now inquire about the recipient's availability before going through with requesting a transfer.
There are simple things which can be done to avoid becoming a victim of business email fraud. Be suspicious of emails which demand action that isn't in line with your company policy.
Users are also urged to not hit reply if they believe the message to be suspicious, but rather write a new message directly to the known corporate address of the person who the message claims to be from, cutting any potential scammer from communications.