The evergreen peril of business email compromise (BEC) finds itself in the news once more. This time, major English Premier League football teams almost fell victim to their trickery, to the tune of £1 million.
First half: fraudsters on the offensive
Somebody compromised a Managing Director’s email after they logged into a phishing portal via bogus email. Fake accounts set up during the transfer window to buy and sell players provided the required opening. They inserted themselves into the conversations with ease. Both clubs were conversing with fakes, as the fraudsters changed banking details for payment. No money reached the scammers, as the bank recognised the fraudulent bank account.
As with so many BEC attacks, the weak point was unsecured email with no additional measures in place. Some 2FA would have helped immeasurably here, along with additional precautions. We’ve talked about this previously, where organisations may have to accept some slowdown in their activities behind the scenes for the extra protection afforded. Does the CEO need to confirm wires over the phone with someone in another timezone? Will it slow things down a little?
That is, for some, the cost of (scammers) doing business. The trick is trying to come up with solutions that work best for you, in a way which doesn’t meet with objections from both the board and the people making use of these processes daily.
The sporting sector is under attack digitally on all fronts at the moment. You can read about some of the other attacks, and a few more BEC-related shenanigans, in the NCSC report.
Second half: BEC keeps the pressure up
BEC scams have gained a lot of visibility these past few weeks.
Big financial losses sit alongside the embarrassment of going public of compromise. We almost certainly don’t know the true extent of the damage. Ransomware and similar blackmail threats cause similar problems when trying to estimate impact.
BEC isn’t just some sort of amateur hour, either. The pros are absolutely doing what they can in this realm to further enhance their profits.
Extra time: the long arm of the law
Organisations and people often realise too late that sending wires means the cash is gone forever. The attack replies on stealth and making away with the money without anybody noticing until it’s too late.
On the other hand, busts do happen. Turns out being massively visible with some 2.4 million Instagram followers might not be the best way to remain Guy Incognito. After a little under 1 million dollars was swiped from a victim in the US, the FBI found evidence of communications between a popular social media star and the alleged co-conspirators of the fraud. The FBI filed a criminal complaint in June which alleges all the social media star’s wealth is gained illegally.
Interestingly, there’s mention of yet another attempt on an English premier league football club. This time, however, the money up for grabs is significantly larger: £100 million, versus £1 million.
Ouch.
Penalties: one final multi-pronged attack
It’s not just the standard BEC we need to be concerned about. There’s a lot of divergent routes into your business originating from roughly the same starting position. Vendor email compromise is something gaining prominence since its more well-known sibling came to light, so add that to the growing list of things to defend against. The successful attack on a major European cinema chain for $21 million is starting to seem like small potatoes at this point, though most definitely not for anyone caught in the fallout.
Some scammers roll with malware. For others, it’s a case of burning a horribly expensive exploit. The hope is that it’ll make several times the amount paid for it initially. The rest lurking in the shadows? Big money from malvertising, or gaming social media with a splash of viral spread and a lot of stolen clicks.
Meanwhile, over there, we have a group of people piecing together the inner workings of your organisation from information freely available online. At this very moment, they’re considering sending some innocent missive, just to see if the mail address is live and if the person responsible for it replies.
You won’t hear from them again…but you almost certainly will see a mail from something claiming to be your system administrator urging you to reset your login details.
Where both you and your organisation’s cash reserves end up after that, is entirely down to whatever planning was made beforehand.
How ready will you be when the business email compromisers come calling?