Business Email Compromise

Business Email Compromise – Hacking, Spoofing and the Law

Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business, both personal and professional.

BEC attacks involve criminals posing as a trusted executive, employee or supplier and sending email that carries malicious links or attachments, or a request for funds. In Australia, BEC attacks have cost businesses millions of dollars. Globally, the FBI's Internet Crime Complaint Center reported in 2019 exposed losses of more than US$26 billion from BEC.

How Criminals Carry Out BEC Scams

Spoofed email accounts: the attacker sends email from an address that appears legitimate but is not under the control of the person or organization it claims to come from. The sender address may be forged outright, use a lookalike domain, or simply carry a familiar display name. The attacker uses it to impersonate a legitimate user or organization and fool the recipient into clicking a malicious link or attachment, or handing over sensitive information.
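A worked example of the checks a receiving mail system can apply to a spoofed message. This is added illustration, not code from the article: it parses two constructed messages with Python's standard `email` module, reads the `Authentication-Results` header that an inbound gateway writes (SPF, DKIM and DMARC verdicts), and flags the signs of impersonation described above: a message claiming our own domain without a DMARC pass, a lookalike sender domain within two edits of a trusted one, an executive's display name on an outside address, and a `Reply-To` that diverts replies elsewhere. The domains, the executive name and both sample messages are assumptions constructed for the example.

```python
import email
import re
from email.utils import parseaddr
from typing import Dict, List

# Hypothetical organisation details (assumptions, not from the article).
OUR_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "supplier.example.net"}
EXECUTIVE_NAMES = {"jane smith"}  # names an attacker would borrow for CEO fraud

# Constructed sample 1: exact spoof of our own domain. The gateway's SPF/DKIM/DMARC
# checks fail because the attacker does not control example.com's mail.
SAMPLE_EXACT_SPOOF = """\
From: Jane Smith <jane.smith@example.com>
Reply-To: jane.smith.ceo@webmail-provider.example
To: accounts@example.com
Subject: Urgent: wire transfer before close of business
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please process the attached invoice today and reply only to this address.
"""

# Constructed sample 2: lookalike domain (digit 1 for letter l). The attacker owns
# examp1e.com and has set up SPF and DKIM for it, so every verdict is "pass".
SAMPLE_LOOKALIKE = """\
From: Jane Smith <jane.smith@examp1e.com>
To: accounts@example.com
Subject: Re: Invoice 2041 - updated bank details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Our bank has changed; please use the new BSB and account on the reissued invoice.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_auth_results(header: str) -> Dict[str, str]:
    """Pull the spf=, dkim= and dmarc= verdicts out of an Authentication-Results header."""
    return {m.group(1): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyse(raw: str) -> List[str]:
    """Return the list of spoofing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    flags: List[str] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Gateway authentication verdicts: anything other than "pass" is worth a flag.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        result = auth.get(mech, "none")
        if result != "pass":
            flags.append(f"{mech}={result}")

    # 2. Mail claiming our own domain must carry a DMARC pass; otherwise it is forged.
    if from_domain == OUR_DOMAIN and auth.get("dmarc") != "pass":
        flags.append("our-domain-without-dmarc-pass")

    # 3. Lookalike domain: not trusted, but within two edits of a domain we trust.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(from_domain, trusted) <= 2:
                flags.append(f"lookalike-domain:{from_domain}~{trusted}")

    # 4. An executive's name on an address outside our domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != OUR_DOMAIN:
        flags.append(f"display-name-impersonation:{display_name}")

    # 5. Reply-To pointing somewhere other than the visible sender's domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"reply-to-domain-mismatch:{domain_of(reply_addr)}")
    return flags


if __name__ == "__main__":
    for label, sample in (("exact spoof", SAMPLE_EXACT_SPOOF), ("lookalike", SAMPLE_LOOKALIKE)):
        print(label, "->", analyse(sample))
```

The second sample is the instructive one: the attacker registered the lookalike domain and set up SPF and DKIM for it, so all three authentication results pass, and only the lookalike and display-name checks catch it. Authentication answers "did this domain send it", not "is this who you think it is".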

 

Hacked email accounts: the attacker gains unauthorized access to a real account through phishing, malware, password brute force or other social engineering. The attacker can then send email from the account, read sent and received mail, and delete messages to cover their tracks. Because the mail really does come from the victim's account, it looks genuine to the recipient and to the recipient's mail filters. The current trend is to reissue an existing invoice with different bank details (unknown to the victim) and demand immediate payment.
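In the hacked-account case none of the mail-header checks help: the reissued invoice really is sent from the Seller's account, over the Seller's mail provider, so SPF, DKIM and DMARC all pass. The control has to sit on the Payer's side, in accounts payable. The following added example (not the article's code, and not any particular vendor's product) shows that control: every incoming invoice is compared with the bank details held in a vendor master recorded at onboarding, and any change of bank details, duplicate invoice number, unfamiliar sender domain or large amount puts the payment on hold until confirmed by phone on the number in the master, never a number taken from the email. The vendor record, the callback threshold and the two invoices are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Hypothetical vendor master held by the Payer. The bank details and the phone
# number were recorded at onboarding, out of band; all values are assumed data
# for this example, not taken from the article.
VENDOR_MASTER: Dict[str, dict] = {
    "V-1001": {
        "name": "Seller Pty Ltd",
        "bsb": "062-000",
        "account": "12345678",
        "domains": {"seller.example"},
        "verification_phone": "+61 2 9000 0000",
    },
}

CALLBACK_THRESHOLD = 20000.00  # assumed policy: larger payments are always called back


@dataclass
class Invoice:
    vendor_id: str
    invoice_no: str
    amount: float
    bsb: str
    account: str
    sender_address: str


@dataclass
class Decision:
    action: str                              # "PAY", "HOLD" or "REJECT"
    reasons: List[str] = field(default_factory=list)
    callback_number: str = ""                # from the master, never from the email


def normalise_bsb(bsb: str) -> str:
    """Strip dashes and spaces so '062-000' and '062 000' compare equal."""
    return re.sub(r"\D", "", bsb)


def assess_invoice(inv: Invoice, master: Dict[str, dict] = VENDOR_MASTER,
                   received: FrozenSet[str] = frozenset()) -> Decision:
    """Decide whether an invoice may be paid straight through or must be verified."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return Decision("REJECT", ["unknown-vendor"])

    reasons: List[str] = []
    bsb = normalise_bsb(inv.bsb)
    if not re.fullmatch(r"\d{6}", bsb):           # Australian BSBs are six digits
        reasons.append("malformed-bsb")
    # The core BEC control: any difference from the details on file is a hold,
    # regardless of how genuine the covering email looks.
    if bsb != normalise_bsb(vendor["bsb"]) or inv.account != vendor["account"]:
        reasons.append("bank-details-changed")
    # A reissued invoice reuses a number we have already processed.
    if inv.invoice_no in received:
        reasons.append("duplicate-invoice-number")
    sender_domain = inv.sender_address.rpartition("@")[2].lower()
    if sender_domain not in vendor["domains"]:
        reasons.append(f"sender-domain-unknown:{sender_domain}")
    if inv.amount > CALLBACK_THRESHOLD:
        reasons.append("above-callback-threshold")

    action = "HOLD" if reasons else "PAY"
    phone = vendor["verification_phone"] if action == "HOLD" else ""
    return Decision(action, reasons, phone)


if __name__ == "__main__":
    # The three-party scenario: the Seller's genuine invoice, then the hacker's
    # reissue of the same invoice from the same (compromised) account.
    original = Invoice("V-1001", "INV-2041", 10000.00, "062-000", "12345678",
                       "accounts@seller.example")
    reissued = Invoice("V-1001", "INV-2041", 10000.00, "012-003", "98765432",
                       "accounts@seller.example")
    print(assess_invoice(original))
    print(assess_invoice(reissued, received=frozenset({"INV-2041"})))
```

The sender domain is legitimate in both invoices, which is exactly the point: the second invoice is held purely because the payee details differ from the record, and the callback goes to the number on file. If the only phone number you have is the one printed on the new invoice, you are calling the hacker.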

Legal Implications

The main legal areas are fraud, identity theft, theft and negligence. Take the typical three-party scenario. A Seller has invoiced a Payer for goods or services. A third party, the hacker, gains access to the Seller's email and reissues the invoice for $10,000 with amended bank details. The Payer pays the latest invoice, into the hacker's account.

The Seller has not received any money; the Payer has nonetheless paid.

There is no question that the hacker has committed crimes including fraud, identity theft and theft. The question is: is the Payer at fault for paying to the wrong account, or is the Seller at fault, through negligence, for having its systems hacked?

One reported case: in May 2020 the Sydney Morning Herald reported that the Australian law firm Mills Oakley had been accused of losing about AU$1 million of a client's money in an email scam. The attackers sent emails to the firm's accounts department purporting to come from the firm's principal and requesting the transfer of a large sum to an overseas account; the firm's controls did not stop the transfer and the money was sent.

https://www.smh.com.au/national/law-firm-accused-of-losing-1-million-of-client-s-money-in-email-scam-20200506-p54qcu.html

Some Terminology: Actors, Acts and Actions; Phishing, Vishing and Smishing

Actors are individuals or groups who are involved in a cybercrime incident. These actors can be criminals, such as hackers or fraudsters, or victims, such as businesses or individuals.

Acts are the actions taken by actors in a cybercrime incident. Criminals may attempt to gain access to a system or network, steal data, or extort money from victims. Victims may fail to properly secure their systems and networks, or fail to take steps to protect their data.

Actions are the steps taken by actors in response to a cybercrime incident. Victims may take steps to protect their systems and networks, such as implementing two-factor authentication, using strong passwords, and building the awareness to identify (and ignore or block) suspicious emails, calls and SMS. It takes both a criminal and a victim to produce an actual incident: the criminal must take steps to gain access to a system or network, and the victim must have failed to take steps to protect it. If either element is missing, the incident does not occur.

Phishing is a type of social engineering attack that involves criminals sending emails that appear to be from a legitimate source, such as a bank or company, in order to obtain sensitive information from victims. The emails may contain malicious links or attachments, or the criminals may request payment or personal information. Phishing emails are often hard to detect, as they may appear to come from a legitimate source.

Vishing is a type of social engineering attack that involves criminals using voice-based messages, such as phone calls and voicemails, to obtain sensitive information from a victim. Vishing attacks are often used to steal financial information, such as credit card numbers or bank account details. Criminals may also use vishing to obtain login credentials or passwords. Vishing attacks are often carried out using automated voice messages, making them hard to detect.

SMS phishing, or smishing, is a type of phishing attack in which criminals send text messages to victims to obtain sensitive information. The messages may appear to come from a legitimate source, such as a bank or company, and may contain malicious links or request payment or personal information. Smishing is hard to detect for the same reason: the message looks as if it comes from somewhere the victim trusts.

Recent Real-World BEC Examples

  1. A Texas-based oil and gas company lost $3.5 million in a BEC scam. The attackers posed as company executives and tricked an employee into wiring the money to a fraudulent account.
  2. A UK-based engineering firm lost £1.2 million in a BEC scam. The attackers posed as the firm’s CEO and sent emails to the accounts department requesting the transfer of funds to a fraudulent account.
  3. An Australian construction firm lost AU$2 million in a BEC scam. The attackers posed as a company director and tricked an employee into wiring the money to a fraudulent account.
  4. A UK-based medical supplies company lost £1.2 million in a BEC scam. The attackers posed as the firm’s CEO and sent emails to the accounts department requesting the transfer of funds to a fraudulent account.
  5. A US-based law firm lost $4 million in a BEC scam. The attackers posed as the firm’s CEO and tricked an employee into wiring the money to a fraudulent account.
