Categories: Fraud Schemes

Gal Dadon

BEC

Overview

Invoice redirect fraud, commonly known as Business Email Compromise (BEC), is a sophisticated scam targeting both businesses and individuals performing wire transfer payments. The scam typically involves the attacker compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Brief History

The phenomenon of Business Email Compromise (BEC), while seemingly a product of our digital age, has roots that trace back further than one might expect. The evolution of BEC offers a fascinating glimpse into the adaptability of fraudsters in response to technological advancements and changing business practices.

Pre-Internet Era

Before the rise of the internet, business fraud often took the form of letter or fax-based scams. These scams, while more labor-intensive and slower, operated on principles similar to BEC. Fraudsters would forge official-looking documents or letters, impersonating vendors or business partners, and request payments or changes to payment details. The lack of instant communication made verification more challenging, allowing these scams to occasionally succeed.

The Dawn of Email

With the advent of email in the late 20th century, businesses found a faster and more efficient means of communication. However, this also provided fraudsters with a new avenue for deception. The early forms of BEC were rudimentary, often riddled with spelling and grammar errors. But as email became the primary mode of business communication, the quality and sophistication of these scams improved.

2000s: Recognizing the Threat

The 2000s saw a surge in cybercrimes, with BEC becoming a notable subset. The FBI and other international law enforcement agencies began to identify and categorize these scams. It was during this period that the term “Business Email Compromise” was coined to describe these targeted email-based frauds.

2010s: The Rise of Spear Phishing and CEO Fraud

As businesses became more aware of generic phishing threats, attackers adapted by making their attempts more targeted. Spear phishing, where specific individuals or companies are targeted based on researched information, became more prevalent. A particularly insidious form of this was “CEO Fraud,” where attackers would impersonate high-ranking executives to authorize fraudulent transfers. The success of these attacks often hinged on the perceived authority of the impersonated individual and the urgency of the request.

Recent Years: Adaptation and Diversification

With increased awareness and improved cybersecurity measures, BEC attackers have had to become even more innovative. Recent trends include:

  • Vendor Email Compromise (VEC): Here, attackers compromise the email accounts of vendors and send fraudulent invoices to their clients.
  • Automated Attacks: Using bots and automated scripts to send out BEC attempts on a massive scale.
  • Integration with Other Cybercrimes: Combining BEC with ransomware or malware attacks to maximize potential profits.

Types of BEC/Invoice Redirect

Bogus Invoice Scheme:

    • Description: This is one of the most common forms of BEC. Attackers pose as vendors or suppliers and send fake invoices to companies. These invoices often come with new bank account details, directing payments to accounts controlled by the fraudsters.
    • Example: A company’s finance department receives an email, seemingly from a long-term supplier, stating that their banking details have changed and future payments should be directed to the new account.

CEO Fraud:

    • Description: In this type of attack, cybercriminals impersonate high-ranking executives, such as the CEO or CFO. Using the perceived authority of these roles, they request urgent wire transfers or sensitive information.
    • Example: An assistant receives an email, apparently from the CEO, urgently requesting a wire transfer to a new vendor for a confidential deal.

Account Compromise:

    • Description: After gaining access to a corporate email account, attackers use it to request invoice payments from vendors listed in the compromised account’s contacts. Since the email comes from a legitimate account, it often goes unquestioned.
    • Example: An attacker compromises the email account of a company’s procurement officer and sends requests to vendors for urgent payments, directing them to a new bank account.

Attorney Impersonation:

    • Description: Attackers pose as lawyers or representatives of law firms, claiming to be handling confidential or time-sensitive matters. They often pressure the victim to act quickly, leveraging the urgency and sensitivity of legal matters.
    • Example: A company’s HR department receives an email from a “law firm” claiming they need immediate payment to handle a sudden, confidential legal dispute.

Data Theft:

    • Description: Instead of directly seeking financial gain, attackers target individuals in HR, bookkeeping, or executive roles to obtain sensitive data. This data can be used for further BEC attacks, sold on the dark web, or used for identity theft.
    • Example: An HR representative receives an email, seemingly from a company executive, requesting a list of all employees, their Social Security numbers, and their salary details.

Vendor Email Compromise (VEC):

    • Description: This is a newer form of BEC. Instead of directly targeting the company, attackers compromise the email accounts of vendors and then send fraudulent invoices to their clients.
    • Example: A company regularly does business with a particular vendor. The vendor’s email gets compromised, and the attacker sends a fake invoice to the company for a recent transaction.

Payroll Diversion:

    • Description: Attackers, posing as employees, contact the HR or payroll department to reroute their direct deposit payments to a bank account controlled by the fraudster.
    • Example: An HR representative receives an email from an “employee” stating they’ve changed banks and provides new account details for their direct deposit.

Techniques Used in BEC

Social Engineering:

    • Description: This involves manipulating individuals into divulging confidential information or performing specific actions. BEC attackers often research their targets extensively to make their deception more convincing.
    • Example: An attacker, having learned that a CEO is on vacation, sends an email to the finance department posing as the CEO, requesting an urgent wire transfer.

Email Spoofing:

    • Description: Attackers create emails that appear to come from a trusted source by altering the email headers. This can involve using a domain name that’s visually similar to the target company’s domain.
    • Example: An email appears to come from “[email protected]” instead of the legitimate “[email protected]”.

Domain Squatting:

    • Description: Attackers register domain names that are similar to the target company’s domain. These domains are then used to send deceptive emails.
    • Example: If the legitimate domain is “example.com”, the attacker might register “exarnple.com”.
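An added example, not code from the original article, of the defensive side of the two techniques above: a check that compares an inbound sender's domain against a list of known vendor domains and flags addresses that differ only by confusable characters (the "exarnple.com" case), by a typo, or by embedding the vendor's name. The confusables table and the vendor list are constructed sample data, and the two-label domain split is an assumption for brevity.

```python
import unicodedata
from difflib import SequenceMatcher

# Character sequences that render almost identically in common fonts. "rn" -> "m"
# is the trick behind "exarnple.com"; the other entries are constructed additions
# and not an exhaustive confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def normalize(domain: str) -> str:
    """Lower-case, strip accents (e.g. 'é' -> 'e') and collapse confusable sequences."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for lookalike, plain in CONFUSABLES:
        d = d.replace(lookalike, plain)
    return d

def registered_domain(addr: str) -> str:
    """Keep the last two labels of the address's host part. Assumption: no
    multi-part public suffixes such as co.uk; production code would use the PSL."""
    host = addr.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def classify_sender(addr: str, known_domains: list[str], threshold: float = 0.85):
    """Return (verdict, matched_known_domain) for one sender address.
    Verdicts: 'known' (exact vendor domain), 'lookalike' (confusable,
    typosquat or brand-in-domain), 'unknown' (no relation to any vendor)."""
    dom = registered_domain(addr)
    if dom in known_domains:
        return "known", dom
    ndom = normalize(dom)
    for k in known_domains:
        nk = normalize(k)
        if ndom == nk:                                    # exarnple.com, examp1e.com
            return "lookalike", k
        brand = nk.split(".")[0]
        if len(brand) >= 4 and brand in ndom.split(".")[0]:   # example-invoices.com
            return "lookalike", k
        if SequenceMatcher(None, ndom, nk).ratio() >= threshold:  # exmaple.com
            return "lookalike", k
    return "unknown", None
```

A "lookalike" verdict is a review flag for the invoice-handling queue, not proof of fraud: legitimate domains that collapse to the same normalized form will also be flagged.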

Malware Infiltration:

    • Description: By sending malicious attachments or links, attackers can install malware on a victim’s computer. This malware can then be used to monitor the user’s activity, capture keystrokes, or gain access to sensitive information.
    • Example: An email, seemingly from a trusted vendor, contains an invoice attachment. When opened, it installs malware that records the user’s keystrokes.

Content Injection:

    • Description: Attackers insert malicious content into legitimate communications or websites. This can involve altering the content of legitimate emails or web pages to deceive users.
    • Example: During an ongoing email conversation between a vendor and a company, an attacker intercepts a legitimate invoice email, changes the bank account details, and then sends it on to the intended recipient.

Man-in-the-Middle Attacks:

    • Description: Attackers secretly intercept and relay communication between two parties. They can alter the communication before sending it on, making both parties believe they are communicating directly with each other.
    • Example: An attacker intercepts emails between a company and its supplier, altering payment details before forwarding the emails.

Credential Harvesting:

    • Description: Attackers use various methods, such as fake login pages, to capture a user’s login credentials. Once obtained, these credentials can be used to access sensitive systems or information.
    • Example: An email directs a user to a fake Office 365 login page. When the user enters their credentials, they are captured by the attacker.

Pretexting:

    • Description: This involves creating a fabricated scenario (or pretext) to obtain information from a target. It’s a form of social engineering where the attacker often pretends to need specific information to confirm the identity of the person they’re talking to.
    • Example: An attacker calls a company’s HR department, claiming to be from IT and stating they need to verify the employee’s login details for a system upgrade.

How to Protect Your Customers from Invoice Redirect / Business Email Compromise (BEC)

  1. Educate Your Customers and Staff:
    • Awareness Campaigns: Regularly inform customers and employees about the dangers of BEC through emails, newsletters, or seminars.
    • Provide Real Examples: Share actual cases or mock-ups of BEC attempts to help them recognize such scams.
  2. Verify Changes in Vendor Payment Details:
    • Double Confirmation: Always verify changes in payment details with a secondary means of communication, such as a phone call to a previously known number.
    • Suspicion: Train staff to be suspicious of urgent or confidential requests for fund transfers.
  3. Implement Advanced Email Security:
    • SPF, DKIM, and DMARC: Use these protocols to validate and authenticate emails, making it harder for attackers to spoof your domain.
    • Email Filtering: Use advanced email filtering solutions to detect and block suspicious emails.
  4. Multi-Factor Authentication (MFA):
    • Implement MFA for email accounts and financial transaction systems, so that stolen login credentials alone are not enough to gain access.
  5. Regularly Monitor and Audit Transactions:
    • Anomaly Detection: Use systems that can detect unusual transaction amounts or patterns.
    • Regular Reconciliation: Regularly reconcile accounts to detect any unauthorized transactions.
  6. Maintain a Secure Communication Protocol:
    • Defined Procedures: Have clear procedures for invoice processing and changes to payment details.
    • Confidentiality: Remind staff not to share details about internal processes, vendors, or payment procedures on social media or external platforms.
  7. Limit Access:
    • Role-Based Access Control (RBAC): Ensure that only employees who need access to financial systems have it, and at the appropriate level.
    • Regular Audits: Periodically review who has access to sensitive systems and adjust as necessary.
  8. Train Employees:
    • Simulated BEC Attacks: Periodically test your employees with mock BEC emails to ensure they can recognize and handle them appropriately.
    • Regular Training: Offer training sessions to keep employees updated on the latest BEC tactics.
  9. Stay Updated:
    • Threat Intelligence: Subscribe to threat intelligence feeds or services to stay informed about the latest BEC techniques and indicators of compromise.
  10. Backup Important Data:
    • Ensure that all essential data, including transaction logs and correspondence, is backed up securely. This aids in investigations and recovery if needed.
  11. Establish a Reporting Mechanism:
    • Incident Response: Have a clear procedure for employees to report suspected BEC attempts.
    • Feedback Loop: When a customer reports a suspected BEC attempt targeting them, follow up and tell them the outcome; closing the loop reinforces their trust in your business.
  12. Collaborate with Financial Institutions:
    • Alert Systems: Work with your bank to set up alerts for unusual or large transactions.
    • Verification Protocols: Establish protocols with your bank to verify the authenticity of requests for fund transfers.
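An added example, not from the original article, of the "double confirmation" control in step 2 expressed as code: a vendor bank-detail change stays pending until someone calls the phone number already on file, a call to a number supplied in the email itself never counts, and the change cannot be applied in any other state. Vendor names, phone numbers and account identifiers are constructed sample values; persistence and the two-person rule are left out and noted as assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Vendor:
    name: str
    phone_on_file: str      # recorded at onboarding; never taken from an inbound email
    bank_account: str

@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    phone_in_email: Optional[str] = None   # any "call me to confirm" number the email offers
    status: str = "pending"
    audit: list[str] = field(default_factory=list)

class VendorMaster:
    """In-memory vendor master (constructed). Assumption: a real system persists
    this and requires different people to receive and to verify a request."""

    def __init__(self, vendors: dict[str, Vendor]):
        self.vendors = vendors

    def receive(self, req: BankChangeRequest) -> BankChangeRequest:
        v = self.vendors[req.vendor]
        if req.phone_in_email and req.phone_in_email != v.phone_on_file:
            req.audit.append("email offers a phone number that differs from the one on file; do not use it")
        req.audit.append(f"pending callback to on-file number for {v.name}")
        return req

    def verify_by_callback(self, req: BankChangeRequest, number_called: str,
                           vendor_confirmed: bool) -> BankChangeRequest:
        v = self.vendors[req.vendor]
        if number_called != v.phone_on_file:
            req.status = "rejected"
            req.audit.append(f"callback to {number_called} does not count: not the on-file number")
        elif vendor_confirmed:
            req.status = "verified"
            req.audit.append("vendor confirmed the change via the on-file number")
        else:
            req.status = "rejected"
            req.audit.append("vendor did not recognise the request: probable invoice redirect attempt")
        return req

    def apply(self, req: BankChangeRequest) -> str:
        if req.status != "verified":
            raise PermissionError("payment details change only after callback verification")
        self.vendors[req.vendor].bank_account = req.new_account
        req.status = "applied"
        return self.vendors[req.vendor].bank_account
```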

Real Case Studies

Toyota Boshoku Corporation (2019):

    • Overview: Toyota Boshoku, a subsidiary of the Toyota Group, fell victim to a BEC scam that resulted in a loss of approximately $37 million.
    • How it Happened: The finance department received an email that appeared to be from a Toyota executive, requesting a change in account details for a payment to a trading partner. Without verifying the authenticity of the request, the payment was made to the fraudulent account.
    • Aftermath: The company acknowledged the breach and began working with law enforcement. They also committed to enhancing their internal controls to prevent future incidents.

Scoular Company (2014):

    • Overview: Scoular Company, an American employee-owned commodities trader, lost $17.2 million to a BEC scam.
    • How it Happened: Over several transactions, the company’s controller was tricked by emails that appeared to be from the CEO, instructing him to wire funds to a Chinese bank.
    • Aftermath: The scam was discovered when the CEO and the controller spoke directly, but by then, the funds had already been transferred and were unrecoverable.

MacEwan University (2017):

    • Overview: MacEwan University in Edmonton, Canada, was defrauded of CAD 11.8 million (approximately $9 million USD) through a BEC scam.
    • How it Happened: Fraudsters, posing as a construction company that had previously worked with the university, sent emails asking for payment details to be changed. The university complied, resulting in multiple payments being sent to the fraudulent account.
    • Aftermath: The university managed to recover most of the funds after realizing the scam. They also implemented enhanced internal financial controls and practices.

Belgian Bank Crelan (2016):

    • Overview: Crelan, a cooperative bank in Belgium, suffered a loss of €70 million (approximately $75 million USD at the time) due to a BEC scam.
    • How it Happened: Details of the exact method used by the attackers were not fully disclosed, but the bank acknowledged that it was a sophisticated scheme involving manipulated computer systems.
    • Aftermath: Crelan announced that no customer data or funds were affected, and the loss was absorbed by the bank. They also invested in advanced cybersecurity measures following the incident.

Pathé Film Theater (2018):

    • Overview: The Dutch branch of the international cinema chain, Pathé, lost €19.2 million (approximately $21.5 million USD) to a BEC scam.
    • How it Happened: The attackers posed as executives from the French parent company of Pathé and requested multiple transfers over a month. The emails were so convincing that even after some transactions were flagged by the bank, they were still approved by the company.
    • Aftermath: The Dutch branch’s managing director and CFO were both dismissed from their positions, even though they were victims of the scam. The incident highlighted the importance of training and awareness at all corporate levels.