Ransomware stole a lot of headlines in 2016 as organizations across the world fell victim to it. From hospitals to city transit systems, the malware invaded enterprises, encrypting files and generally wreaking havoc. For most of those afflicted, ransomware translated into lost productivity and gallant efforts by IT departments to restore data from backups. For some, it meant coughing up a payoff worth several thousand dollars in bitcoin.
But for all the focus on this encrypting menace, there is another type of attack that is inflicting a far greater toll on besieged organizations. The heavy costs associated with this rapidly growing threat run into the millions of dollars and, in some cases, end with the dismissal of company executives. Though this cyber assault isn't garnering the share of headlines that ransomware currently enjoys, corporations should take its threat far more seriously.
The attack is known as Business Email Compromise (BEC), or CEO fraud. Call it phishing on steroids. BEC is a high-stakes cyber scam that requires careful planning and stealthy reconnaissance by the criminals behind it. Victimized organizations reside in all 50 states and in over 100 countries. Unlike a typical phishing attack, BEC doesn't go after naïve or easy prey. Instead, the attacker impersonates a senior executive, typically the CEO, and specifically targets the people who can move money, such as the CFO or corporate attorney, with an email instructing them to initiate a wire transfer for some plausible stated reason.
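Because the impersonating message comes from a domain the attacker controls (or simply borrows an executive's display name on a free mailbox), SPF, DKIM and DMARC on your own domain do not stop it. The triage below is an added example, not code from the original article: it parses a message and flags the tells a practitioner looks for, namely an executive's display name on the wrong mailbox, a lookalike sender domain, a Reply-To that redirects the conversation, and wire-transfer language in the body. The domain, the executive list, the keyword list and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example (not from the article): the organization's
# domain, the executives an attacker would impersonate, keyed by the display
# name as it appears in the directory, and language typical of a BEC ask.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",      # CEO
    "john smith": "john.smith@example.com",  # CFO
}
WIRE_WORDS = ("wire", "transfer", "urgent", "confidential", "payment")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains flags a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Display name of a known executive, but not that executive's mailbox.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name impersonation")

    # 2. Sender domain is a near miss of ours (examp1e.com, exarnple.com, ...).
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike domain")

    # 3. Reply-To quietly moves the thread to a mailbox other than the sender's.
    if reply_to and reply_to != addr:
        findings.append("reply-to mismatch")

    # 4. The ask itself: money, urgency, secrecy. Two or more words is a hit.
    part = msg.get_body(preferencelist=("plain",))
    text = (part.get_content() if part else "").lower()
    hits = [w for w in WIRE_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("wire-transfer language: " + ", ".join(hits))
    return findings


# Constructed sample messages: a benign note and a CEO-fraud attempt.
LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: john.smith@example.com
Subject: Lunch

Are you free Thursday?
"""

FRAUD = """\
From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-example.net
To: john.smith@example.com
Subject: Re: Acquisition

John, please process an urgent wire transfer of $46,700 to the account
below today. Keep this confidential until the deal closes.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("fraud", FRAUD)):
        print(label, analyze(sample))
```

Run it and the benign note returns no findings while the fraud sample trips all four checks. In a real deployment the executive list comes from the directory, the distance threshold is tuned per domain length, and a hit should route the message to a reviewer rather than block it outright, since a single indicator (a Reply-To mismatch, for instance) is common in legitimate mail.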
There is a reason why BEC attacks should be getting a greater share of the headlines. The money involved in these scams is big, real big. Take for example the hit taken by Ubiquiti, a San Jose-based manufacturer of networking technology for service providers and enterprises. On August 6, 2015, the company released its earnings statement for the fourth fiscal quarter, which included the revelation that it had been the victim of a BEC scam resulting in losses of $39.1 million that hit its bottom line. The scam, discovered a month earlier, involved employee impersonation and a fraudulent request that resulted in $46.7 million being wired to a bank located in Hong Kong. The company was able to recover $8.1 million of the transferred money.
The amount of groundwork and planning that goes into these attacks is extensive. One example of the preparation behind a successful strike was last year's attack on Bonnier Publications in Florida, which involved a Chinese bank. The scam consisted of two separate wire transfer requests of $1.5 million each. What made it so effective was that it was launched on the first day of work of the company's newly hired CEO. Fortunately, the scam was discovered before the second transfer was issued. However extensive the preparation, the potential reward more than justifies it for the attackers. Case in point: a BEC scam against Crelan, a Belgian bank, that cost it $76 million, equal to 6% of its equity capital.
Thus far, BEC attacks have been based on four scenarios:
For cybercriminals, the beauty of BEC is obvious. It is highly cost-effective, and with only a few successful attacks a scammer can make more money than an entire ransomware distribution channel makes in a year. Unfortunately, the financial losses they inflict on their victims hit not only the checkbook but, in some cases, the stock price and financial viability of the company. Ransomware is certainly a menace we must contend with, but BEC is a tragedy waiting to happen.