Police warn public of Business Email Compromise attacks
The Kingston Police Fraud Unit is urging local businesses to be aware of a type of scam that is targeting the business community with increasing frequency: Business Email Compromise (BEC) attacks.
According to a release from Kingston Police, BEC attacks involve an individual at a business clicking an innocuous link in an email which allows malware to be deposited into their system. The malware then searches emails for invoices sent or received, sends an email that appears to be from the subcontractor or company advising that the business has changed their payment information, and requests payment to a new account number or e-transfer address.
“BEC is the use of a spoofed email address or a compromised email account to convince an individual or a business to send funds from their account to one owned or controlled by cybercriminals,” said Ash Gutheinz, Media Relations Officer – C.O.R.E. Unit for Kingston Police. “Cybercriminals perpetrating BEC are essentially social engineers who take advantage of a person’s nature to address urgent requests promptly. They also take advantage of most employees’ lack of basic security knowledge when it comes to email (i.e. recognizing a phishing attempt), how to evaluate a suspicious email’s header, or how to identify domain spoofing.”
Typically, the criminal targets a business using a phishing attack, according to police. The business’ employee receive a seemingly innocuous e-mail inviting the receiver to click on a link. Once the link is clicked, malware is surreptitiously downloaded onto the user’s computer or device, giving the culprit access to their e-mail account.
According to the release, the criminal then looks for e-mails with invoices sent to or received from other companies. The criminal then sends an e-mail to the subcontractor, either from the actual e-mail account that was compromised; or from an e-mail address created by the criminal that appears almost identical in appearance to the legitimate e-mail account. Typically they will register an e-mail domain that is the same as the one being impersonated, except that it is off by one character and not easily noticed, police said.
The company that hired the sub-contractor is then advised by the culprit – pretending to be the sub-contractor – that their business has changed their payment information; and a new account number is provided to send an Electronic Fund Transfer to; or a new e-mail address is provided to send an e-transfer to, according to the release.
In the cases seen by Kingston Police, losses are typically in the range of $10,000 to $70,000. Police said that in the United States BEC has become the costliest type of cybercrime, causing billions of dollars in economic loss.
From the cases seen so far, once the money is sent to the receiving account it is withdrawn and forwarded in ways that are difficult or impossible to track – such as through Bitcoin or other cryptocurrencies, according to the release.
Police urge businesses to raise their employee’s awareness of this type of crime – particularly their accounts departments, which are the usual targets of this scam. Employees should be made aware of the following:
- Phishing attempts. Do NOT click on any links that you are not certain about.
- Any email communication advising of a change of payment process (ie. a new account that money should be sent to) should automatically trigger steps to authenticate the request, including calling the other business to confirm the changes in person; and careful examination of the e-mail address that sent the request to change payment details.
- Any request to send e-transfers to e-mail addresses that are not legitimate business email domains should be viewed as a red flag for fraud.
Training employees to be aware of these types of scams and of the proper steps to take is essential in preventing significant losses, police said.
Proper cyber-security practices should be strictly adhered to, according to the release, including strong passwords; the re-setting of passwords on a regular basis; two-step or multi-step authentication processes; and awareness in regards to phishing attempts.