Canadian University Loses $11.8 Million to BEC Scammers
An Edmonton, Alberta-based university publicly acknowledged that it was a victim of a recent cyber attack.
According to the university, a series of bogus emails tricked university staff into changing the electronic banking information for one of the university’s major suppliers. The result was a money transfer worth $11.8 million to a bank account that the university staff believed belonged to the supplier.
The university traced over $11.4 million of the money to bank accounts in Canada and Hong Kong. According to the university, the traced bank accounts have been frozen and the university is working with its legal counsel in Montreal and Hong Kong to pursue civil action to recover the money. The remaining balance of these accounts is, however, unknown at this time.
“There is never a good time for something like this to happen but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident,” the university spokesperson said.
The incident that occurred at the Alberta-based university is an example of the cyber attack called business email compromise (BEC).
What is a Business Email Compromise (BEC)?
BEC is a cyber attack that targets organizations that have regular dealings with foreign suppliers and regularly perform wire transfer payments.
According to the FBI’s Internet Crime Complaint Center (IC3), from October 2013 to December 2016, a total of 40,203 BEC incidents were reported worldwide, with the total financial loss amounting to $5.3 billion. The IC3 said that the scam has been reported in 131 countries, with victims ranging from non-profit organizations to small businesses and large corporations. These businesses offer a variety of goods and services, signifying that no specific sector is targeted more than another. Tech giants Google and Facebook succumbed to BEC scams.
“Ransomware has been drawing much of the attention in the security world lately,” the Cisco 2017 Midyear Cybersecurity Report (PDF) said. “However, a threat that’s not nearly as high-profile is raking in far more for its creators than ransomware: Business email compromise, or BEC.”
According to the FBI’s Internet Crime Complaint Center, some of the organizations affected by BEC reported being a victim of ransomware attack before the BEC incident.
How BEC Works
BEC is an elaborate deception scheme.
First, attackers study the organization they want to target.
Attackers spend weeks and even months studying the organization’s suppliers, billing systems, and the writing style and travel schedule of the top executive or CEO.
Attackers gather this information from public online resources such as social media accounts, and by using malicious software capable of infiltrating the organization’s networks to gain access to passwords, financial account information and email threads relating to billing and invoices.
Second, attackers establish a relationship with a target employee.
When the time is right, for instance, when the CEO isn’t in his or her office, BEC scammers contact a specific employee – bookkeeper, accountant, controller or chief financial officer – in an organization who’s responsible for directly transferring money to suppliers.
Attackers exploit the target employee through email spoofing, phishing emails and telephone calls.
A spoofing tool is also used by the attackers to direct email replies to a different account that the attackers control. At this stage, the target employee is tricked into thinking that he or she is corresponding with the organization’s CEO.
Third, attackers send instructions for money transfer.
In this third stage, attackers further deceive the target employee, for instance, by convincing the employee that the supplier has a new bank account number and instructing the employee to send payment to this new account. Attackers may also send a bogus email from the “CEO” authorizing the release of the money to the new bank account.
Fourth, money sent is drained to different accounts.
In this fourth stage, money is sent to “money mules” in different parts of the world. Some of these accounts are difficult to trace. If the scam isn’t uncovered in time, it may be hard to recover the money.
How to Prevent BEC Scams
Here are some of the ways to prevent BEC scams:
1. Verify the authenticity of the money transfer request.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” said FBI Special Agent Martin Licciardo.
Also, confirm the money transfer request by calling the supplier with the previously known company numbers, not the one provided in the email request. In the case of the Alberta-based university, based on the preliminary assessment of the university’s internal audit group, the BEC scammers were able to succeed in deceiving the university staff as “controls around the process of changing vendor banking information were inadequate”.
2. Use an email intrusion detection system.
This automated system can flag emails sent from domain names that closely resemble your organization’s own email domain. For example, an intrusion detection system for an organization whose legitimate email domain is xyz-corporation.com can flag bogus emails from xyz_corporation.com.
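As an added illustration (not code from the original article or from any product it mentions), the check below does in a few lines what the detection described above does: it extracts the sender domain from a From: header, normalizes the character and separator swaps lookalike registrations rely on, and flags near-misses of the organization’s domain (xyz-corporation.com, the article’s example). The substitution table, the edit-distance threshold and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Substitutions that make common lookalike domains collapse onto the genuine one.
# Constructed list for illustration; a production filter would use a fuller table.
NORMALIZATIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("_", "-"), ("-", "")]


def normalize(domain):
    """Lower-case a domain and strip the tricks lookalike registrations rely on."""
    d = domain.lower()
    for src, dst in NORMALIZATIONS:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain from a From: header value such as 'Name <user@host>'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header, org_domain, max_distance=2):
    """Return 'internal', 'lookalike', 'external' or 'no-domain' for a From: header."""
    org = org_domain.lower()
    domain = sender_domain(from_header)
    if not domain:
        return "no-domain"
    if domain == org or domain.endswith("." + org):
        return "internal"  # the genuine domain or one of its subdomains
    if domain.startswith(org + "."):
        return "lookalike"  # genuine domain used as a prefix of a different one
    if normalize(domain) == normalize(org) or levenshtein(domain, org) <= max_distance:
        return "lookalike"  # homoglyph/separator swap or a near-miss spelling
    return "external"


def flag_lookalikes(from_headers, org_domain):
    """Return the (address, verdict) pairs an analyst should review."""
    return [(parseaddr(h)[1], "lookalike") for h in from_headers
            if classify_sender(h, org_domain) == "lookalike"]
```

Flagged messages are the ones to hold for the out-of-band verification the first recommendation describes; an edit-distance threshold of 2 is generous for short domains and should be tuned per organization.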
Steve E. Driz, I.S.P., ITCP