Business deals used to be closed with ink on paper and a firm handshake, but in our digital age many deals now close by the click of a mouse, with two parties not looking eye to eye to but instead hitting “reply” to an email.
Unfortunately, these transactions at the speed of business―as the cliché goes― have now given way to fraud at the speed of business. In recent years scammers have begun perfecting the “Business Email Compromise” or BEC scam, that involves an imposter email sneaking into an executive’s inbox at the perfect moment to snatch a wire transfer right out of the company’s coffers.
In 2016 such a scammer, had “spoofed” an email to impersonate that of an officer in a Utah business, and after having secretly monitored email traffic for the company knew the exact moment to send wire instruction to another company representative. As a result $58,500 was wired out of the company at the click of a button to an account for the official sounding Allied Logistics Group. The money was then drawn out and the bank account quickly vanished.
Luckily, in that case, the business owner reached out to the FBI and the alleged scammer is facing federal court charges in Salt Lake City. But this scam is so insidious because many companies don’t report being duped for fear doing so would damage their reputation.
Clicked and compromised
Cybersecurity companies in Utah say they’ve seen how bad these scams and warn that they’re only getting worse. For Jeff Smith, executive vice president of Secuvant, a cybersecurity firm in West Jordan, it’s not just big companies that need to be worried anymore.
“The bullseye has moved from the big banks and companies like Target and Home Depot,” says Smith. “Those guys got dinged five years ago and they’ve hardened their systems. Now it’s the small and mid-size guys that didn’t think they were a target. Now, they’re the target.”
Other things have changed too, phishing attacks (that try to get people to click on strange links) used to be laughable but scammers have graduated from Nigerian princes to much more sophisticated methods. Hackers now infiltrate a company’s network and instead of doing a grab and dash of data, they’ll lurk instead.
“They watch the network, they don’t strike right away,” says Greg Spicer, chief revenue officer with Braintrace, a cybersecurity firm headquartered in Salt Lake City. “They watch and learn people’s kids’ names, dogs’ names. Eventually it gets to the point they set up a fake email from CFO saying. “Hey I’m traveling this week, just wire the funds to this account and oh by the way how’s your dog? How was your kid’s soccer game last week?”
Preparation is key
Smith says that once his company was hired as an outsourced Security Operations Center for a company and was allowed to watch internal movement in the company’s system. They caught how scammers had actually duped the company’s own IT head. The man was in the process of buying a new home so he was getting lots of digital closing documents to sign, and scammers slipped a fake one in under his nose.
Both Smith and Spicer say the defenses against BEC aren’t just technological. Staff need to be trained to watch out for the latest tricks. They recommend all companies enact policies to never wire money without confirming with the other party over the phone as well as by email.
Both companies offer special custom services and extoll the virtues of an outsourced security service monitoring network traffic. Smith says in other BEC scams hackers will worm into account systems, set themselves up as vendors and collect monthly checks for years before they get noticed—a BEC scam variation that’s hard to spot without close monitoring.
Both firms have their own labs that test out the latest information security technology. Spicer notes their company has just developed proprietary tech they call “DragonFly.”
“The tool uses machine learning and behavioral analysis so it get smarter as it goes and watch network traffic,” says Spicer.
Smith says that outsourcing the security operations can mean a company pays a subscription fee costing several thousand dollars a month, but it’s still cheaper than hiring a full-time employee, and it will keep a company abreast of the latest scams and how to defend against them.
“You can’t just put a wall up and say ‘we’re good,’” says Smith. “It’s a dynamic process. The bad guys are changing their tactics all the time, they’re changing how their emails look and how they deliver malware.”