In a scary electronic world dominated by ransomware, malware, and spam, an often overlooked threat is business email compromise.
For those who need a quick reminder, business email compromise happens when a threat actor monitors an email account, or over time socially engineers a person, in order to get them to send money somewhere they shouldn’t.
Recently, a close friend was an unwitting casualty of a business email compromise to the tune of $1.3 million. Here is his story. As you can guess, the names have been changed to protect the innocent.
It was Tuesday morning, and Greg was arranging to buy a new house. He was paying cash and had already received an email from his attorney with the bank’s money wire instructions. Greg was also very busy with work issues and was preparing for a big trip to Los Angeles.
As he prepared to wire the money, he received a second email containing a new account number. Even though the receiving bank’s routing number was unchanged, the target account number was different.
Greg was in a hurry, didn’t see anything suspicious, and executed the wire transfer based on the revised instructions. Greg moved on to his next problem.
Fast forward to Thursday — fifty-six hours later.
As Greg waited at LAX airport for me to pick him up, he read an email from his realtor that started like this, “Hey Greg, when are you wiring the funds for the new house?”
Greg was stunned, since he had wired the money two days earlier. Greg called his realtor. Greg called his attorney. No money. Greg then called his banker (Greg banks with a very large U.S. bank), who immediately engaged their wire fraud department.
At this point, Greg had several elements working in his favor. Most importantly, the incident was reported within 72 hours of the initial transmission. Both the FBI and the U.S. Secret Service will tell you that 72 hours is a magic threshold. If wire fraud is reported within 72 hours, the Financial Fraud Kill Chain (FFKC) can be activated to stop the transfer. If the process begins outside the 72-hour window, the probability of any recovery decreases dramatically. The FFKC utilizes a relationship between the FBI, the Financial Crimes Enforcement Network (FinCEN) and the Egmont Group, a clearing house between financial institutions focused on stopping financial fraud, to prevent an illegal wire transaction.
The FBI and the big bank’s wire fraud department quickly determined the destination account was controlled within the bank. In other words, the transfer occurred within the same U.S. banking corporation.
From there, the bank and the FBI were able to freeze the receiving account. The bank and the FBI also identified outgoing wire transactions from the hacker’s account that transferred funds to two additional U.S. banks.
Amazingly, the Feds worked their magic, began the process of recovering Greg’s money, and identified a suspect in the U.S. who was either the source of the fraud or a wire mule for a larger organization.
Meanwhile, Greg researched how he made such a mistake. Even though Greg is both technically savvy and computer educated, he was still duped.
There were 9 emails in total as the hacker set up the communications for the business email compromise, built confidence, and ultimately provided a fraudulent account number. There was even a confirmation email stating that the transfer had completed.
Taken together, the emails all looked authentic.
However, on closer inspection there were slight differences in two email domain names. The attorney’s email was firstname.lastname@example.org and the realtor’s email was email@example.com; however, in the fraudulent emails, the attorney’s email was firstname.lastname@example.org and the realtor’s email was email@example.com.
Notice the difference?
It is highly probable that the hacker penetrated either the email server of the legal office or the realtor’s office, or both. The hacker also created the fake domains for both organizations and waited until the time was right to send a fraudulent email, hoping for a mega score.
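The two signals in Greg's story, a sender domain that differs from the real one by a character or two and a later email that changes only the account number, are both mechanically detectable. The script below is an added example written for this post, not tooling used by Greg, the bank, or either office. It keeps a small allowlist of trusted contact domains, normalizes common lookalike substitutions (such as a digit 1 for the letter l or "rn" for "m") and measures edit distance to catch near-misses, and treats the first wire instruction in a thread as the baseline so that any later change to the account number is flagged even when the routing number is unchanged. All domains, names, routing and account numbers in it are constructed placeholders.

```python
"""Screen an email thread for two business email compromise (BEC) signals:
lookalike sender domains and changed wire instructions.

Every domain, name and account number below is constructed for this
example; none of them are the real parties from the story.
"""
import re

# Domains the buyer actually does business with (constructed placeholders).
TRUSTED_DOMAINS = {"example-law.com", "example-realty.com"}

# Visually confusable substitutions commonly used in lookalike domains.
# Multi-character sequences come first so they are folded before the
# single characters they contain.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
]

# Constructed wire-instruction format used in the sample bodies below.
WIRE_RE = re.compile(r"Routing:\s*(\d+).*?Account:\s*(\d+)", re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold lookalike characters so 'examp1e' and 'example' compare equal."""
    d = domain.lower()
    for seq, repl in HOMOGLYPHS:
        d = d.replace(seq, repl)
    return d


def sender_domain(header_value: str) -> str:
    """Pull the domain out of a From: value, with or without a display name."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    return m.group(1).lower() if m else ""


def classify_sender(header_value, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted', domain), ('lookalike', trusted_domain) or ('unknown', None)."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted", domain
    for t in sorted(trusted):
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= max_distance:
            return "lookalike", t
    return "unknown", None


def extract_wire(body: str):
    """Return (routing, account) if the body carries wire instructions."""
    m = WIRE_RE.search(body)
    return (m.group(1), m.group(2)) if m else None


def screen_thread(messages, trusted=TRUSTED_DOMAINS):
    """Return [(index, [flags...]), ...] for a thread of {'from', 'body'} dicts.

    The first wire instruction seen is the baseline; any later instruction that
    differs is flagged, with a note on whether only the account number moved.
    """
    baseline = None
    results = []
    for i, msg in enumerate(messages):
        flags = []
        verdict, match = classify_sender(msg["from"], trusted)
        if verdict == "lookalike":
            flags.append(f"sender domain looks like {match}")
        elif verdict == "unknown":
            flags.append("sender domain not in trusted list")
        wire = extract_wire(msg["body"])
        if wire:
            if baseline is None:
                baseline = wire
            elif wire != baseline:
                changed = "account" if wire[0] == baseline[0] else "routing/account"
                flags.append(f"wire instructions changed ({changed}) vs. first message")
        results.append((i, flags))
    return results


# Constructed thread modelled on the story: real instructions, a lookalike
# "attorney" changing only the account number, a lookalike "realtor"
# confirming, and an unrelated sender.
THREAD = [
    {"from": "Alan Attorney <alan@example-law.com>",
     "body": "Closing is Friday. Routing: 011000015 Account: 55512345"},
    {"from": "Mary Realtor <mary@example-realty.com>",
     "body": "Looking forward to closing!"},
    {"from": "Alan Attorney <alan@examp1e-law.com>",
     "body": "Updated instructions: Routing: 011000015 Account: 99987654"},
    {"from": "Mary Realtor <mary@exarnple-realty.com>",
     "body": "Confirming the wire went through, thanks."},
    {"from": "billing@unrelated-vendor.net", "body": "Your invoice is attached."},
]

if __name__ == "__main__":
    for idx, flags in screen_thread(THREAD):
        print(idx, THREAD[idx]["from"], "->", flags or ["ok"])
```

The edit-distance threshold of 2 suits domains of this length; for very short domains it should be lowered, since two edits can turn one legitimate short name into another. The homoglyph table is deliberately small and should be extended with the substitutions relevant to the organization's own domain names.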
Both the realtor and the legal office had their IT teams check for malware, changed account and server passwords, and performed basic security checks, but found nothing. Sadly, however, as of this writing, neither contacted a fully trained digital forensics and incident response (DFIR) team to fully validate that their systems are clean; furthermore, there are no laws requiring either to report this problem to their current clients, much less to the public at large. In addition, neither organization had business continuity plans, crisis management plans, or security or password policies.
When the dust finally settles, Greg will be one of the lucky victims of a business email compromise, and 99.7% of the money he wired will be returned. But the refund could take almost 60 days after the initial funds transfer, so the process isn’t quick.
As I close the story, here are a few final thoughts.
- Verbally confirm the wire information with trusted individuals requesting the money. Don’t use the phone number or email address listed on the wire instructions themselves; use contact details you already had before the instructions arrived.
- Send an initial verification wire in a small amount, such as $100, and speak with a verified contact to confirm it arrived. Sure, there will be an extra charge for submitting two wires, but the peace of mind of knowing a large dollar transaction is going to the right place is money well spent.
- Even though many IT teams are very capable, computer security has become so specialized that it’s worth engaging a specialized digital forensics and incident response (DFIR) team to validate that your systems are clean. In fact, post breach, cyber insurance often pays for a DFIR team to engage and validate your system status. Thousands of DFIR companies exist, so even though there are many options, choose wisely and remember that DFIR demand is very high, so your first choice may not be available.
Unfortunately, with so many emails feeling like a scam, it’s easy to let your guard down when reading and responding to an email from someone you know. And with the sophistication of attacks making it increasingly difficult to distinguish friend from foe, maintaining rigorous due diligence for every email and web link should be considered a fact of life.
It never feels good to be taken advantage of, and with business email compromise, the sting could be especially painful.