Attackers have stolen billions of dollars from unsuspecting companies over the years by posing as employees, vendors, or partners to initiate fraudulent wire transfers. The FBI released a public service announcement in May 2017 warning about these sophisticated business email compromise (BEC) scams and reported exposed dollar losses of $5.3 billion — a 24x increase from two years prior.
In contrast to previous years, in which attackers used URLs or malware to initiate their attacks, BEC attacks use emails that impersonate high-level officers or managers in the company to obtain wire transfers or personally identifiable information (PII). In some cases the attackers impersonate vendors or partners, leveraging social engineering to substantiate the request.
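One way a mail gateway or SOC can flag the executive-impersonation messages described above, as an added example that is not part of the original article: it checks for a known executive's display name paired with an unexpected sender address, a Reply-To that diverts replies elsewhere, a one-character lookalike of the bank's own domain, and payment-request wording. The executive list, the domain `example-bank.com` and the sample message are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
# Constructed for this example; in practice the executive list comes from the directory.
EXECUTIVES = {"jane doe": "jane.doe@example-bank.com"}
INTERNAL_DOMAIN = "example-bank.com"
PAYMENT_WORDS = ("wire", "transfer", "urgent", "confidential")

def lookalike(candidate: str, legit: str) -> bool:
    """True when the domains differ by exactly one character edit (examp1e vs example)."""
    if candidate == legit or abs(len(candidate) - len(legit)) > 1:
        return False
    i = j = edits = 0
    while i < len(candidate) and j < len(legit):
        if candidate[i] == legit[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if len(candidate) > len(legit):
            i += 1  # extra character inserted in the candidate
        elif len(candidate) < len(legit):
            j += 1  # character missing from the candidate
        else:
            i, j = i + 1, j + 1  # substituted character
    return edits + (len(candidate) - i) + (len(legit) - j) == 1

def bec_indicators(raw_message: str) -> list:
    """Return the executive-impersonation red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    addr, name = addr.lower(), display.strip().lower()
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        flags.append("executive display name but unexpected sender " + addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append("Reply-To " + reply_to + " differs from From address")
    domain = addr.rsplit("@", 1)[-1]
    if lookalike(domain, INTERNAL_DOMAIN):
        flags.append("lookalike sender domain " + domain)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits:
        flags.append("payment-request language: " + ", ".join(hits))
    return flags

# Constructed sample resembling an executive-impersonation wire request.
SAMPLE = ("From: Jane Doe <jane.doe@examp1e-bank.com>\n"
          "Reply-To: jane.doe@mail-relay.example.net\n"
          "Subject: Urgent wire - confidential\n\nPlease process the wire transfer today and keep this confidential.\n")
```

Running `bec_indicators(SAMPLE)` returns all four flags; a genuine message from `jane.doe@example-bank.com` with ordinary wording returns an empty list.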
While BEC hits all major business sectors, it is particularly relevant in the financial services sector for a number of reasons. First, financial institutions are targeted by the various scams outlined below just as aggressively as firms in other sectors. Second, there are risks related to the client relationship that come into play, which represent a paradigm shift in how these attacks are being conducted. For example, with BEC attacks, the institution is conducting a transaction on behalf of a real client, yet the bank has no way of knowing that the request is being made on behalf of an impersonated officer of the company. Often the client will become confused during the process and may lose trust in the security of the financial institution because of the incident. According to SC Magazine, “For 2016 there were 1,684 attacks on financial services firms, an attack being defined by IBM as a security event identified as ‘malicious activity that is attempting to collect, disrupt, deny, degrade, or destroy information system resources of the information itself.’ This is up from the 1,019 attacks that took place in 2015.”
Beyond monetary and personal information losses, however, there are other risks in the Financial Services sector including liability when customer accounts are compromised, as well as potential compliance risks.
Understanding the risks and mitigation steps for BEC requires a clear understanding of how these scams are initiated, what the various roles are, and how money flows from the victimized bank to the attacker. Let’s look at a generic example of how it works.
There are three common entities in a typical BEC attack: the attacker, the financial institution(s), and the money mule. While the first two are familiar to most, the money mule is worth some explanation. In order to receive money from a victim, an attacker needs someone as a go-between. This person may be an unsuspecting victim of a romance scam. Often the scammer will cultivate an online relationship with this person until they have reached a point in which the scammer can ask for a favor: to accept money on their behalf — into their U.S. bank account — so that it can be forwarded to the scammer’s account.
As the scam progresses, the money is transferred from account to account and across international borders, so that it becomes vastly more difficult to trace. It is worth noting that in this diagram, five of the eight entities depicted below are financial institutions, hence the need for companies in the financial services industry to be particularly vigilant.