In a global sting, named Operation reWired, authorities in the US and around the world have arrested 281 individuals that were involved in a global Business Email Compromise (BEC) scam. The ring had been under investigation for months, during which they were found to have hijacked email accounts belonging to company executives, impersonated staff and ultimately tricked unsuspecting employees into wiring millions in funds into the group’s accounts.
Business Email Compromise scams (also known as CEO Fraud) are on the rise, with the FBI reporting over 350,000 cases of BEC scams in 2018 alone, totalling more than $1 billion in losses. In 2016, Meath County Council mistakenly transferred €4.3 million to cyber criminals, before law enforcement agencies were able to freeze the accounts and attempt to recover the funds.
In this latest case of Business Email Compromise, organisations such as a community college, an energy company and a health-care provider were among dozens affected. Several US government agencies were involved, in conjunction with authorities in Nigeria, Turkey, Ghana, France, Italy, Japan, Kenya, Malaysia and the UK.
“We will continue to work with our international, federal and state partners to pursue all those responsible for perpetrating this fraud, preying on innocent victims and attempting to cheat the U.S. out of millions of dollars” said the chief of the IRS Criminal Investigation team in a statement.
Of the 281 arrests, 167 of them took place in Nigeria alone, with 74 people being arrested in the US.
The ring was described as highly sophisticated, gaining access to the email accounts of business executives through means of hacking and social engineering. Once they could pose as an executive, they would often then email staff in the financial department, pretending to be the executive. Further social engineering techniques were then employed to trick staff into executing wire transfers directly into the fraudsters’ accounts.
So how do I protect my organisation from BEC scams?
The key here is that the hackers aren’t directly attempting to access your company’s bank accounts; they are going through your staff. As technological security measures get ever more complicated, more and more criminals are turning to social engineering to exploit the human element and bypass your security.
The most crucial step you can take to protect your business from scams such as these is to ensure staff are educated on the risks that are out there, learn how to recognise social engineering when they see it and can appropriately react to it.
One of the simplest measures that can prevent BEC and other forms of email-based social engineering attacks is to call the person directly, or speak to them face-to-face, whenever you get an email that is in any way out of the ordinary (e.g. one that directs you to make a payment to an account you haven’t paid before).
If the request is genuine, they will be able to confirm it. If not, you will have avoided lining the pockets of criminals with hard-earned company funds. Cyber criminals know this, and one of their social engineering techniques is to convey that they (posing as the CEO) are in a meeting or otherwise occupied so that you don’t attempt to call them, while insisting the transfer is urgent and must be done straight away. Learning how to spot signs such as these, and implementing a company procedure for requesting transfers, can be the difference between being scammed and not.
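The warning signs described above (an executive's name on an unfamiliar sender address, a mismatched Reply-To, urgency, "I'm in a meeting, don't call", and a payment to an account the company has never used) can be turned into a simple triage rule that decides when a finance team member must make the call-back before paying. The following Python is an added example, not code from the original post or from Tech Guard; the executive directory, internal domain, known-account list and both sample messages are constructed placeholders, and the point weights are an illustrative choice rather than a published standard.

```python
"""Heuristic BEC indicator scoring for inbound payment-request emails.

Added example (not from the original post). All directory data and both
sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Email:
    from_name: str   # display name shown to the recipient
    from_addr: str   # actual sender address
    reply_to: str    # Reply-To header (empty string if absent)
    subject: str
    body: str


# Constructed directory: executive display name -> legitimate mailbox.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"
# Constructed: accounts that have already been paid through the approved process.
KNOWN_ACCOUNTS = {"IE12BOFI90000112345678"}

URGENCY = re.compile(r"\b(urgent|immediately|straight away|right away|asap|today)\b", re.I)
UNAVAILABLE = re.compile(
    r"\b(in a meeting|can't talk|cannot talk|unavailable|on a flight|do not call|don't call)\b", re.I
)
# Rough IBAN shape: country code, two check digits, then 11-30 alphanumerics.
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_email(msg: Email):
    """Return (score, reasons). Each indicator is counted at most once."""
    score, reasons = 0, []

    # 1. Executive's display name but a different sender address (spoofed or lookalike).
    expected = EXECUTIVES.get(msg.from_name)
    if expected and msg.from_addr.lower() != expected:
        score += 3
        reasons.append("executive display name with unexpected sender address")

    # 2. Replies routed to a different domain than the apparent sender.
    if msg.reply_to and domain(msg.reply_to) != domain(msg.from_addr):
        score += 2
        reasons.append("Reply-To domain differs from From domain")

    text = msg.subject + "\n" + msg.body

    # 3. Pressure to act immediately.
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language")

    # 4. Pre-empting the call-back ("in a meeting", "don't call").
    if UNAVAILABLE.search(text):
        score += 2
        reasons.append("sender discourages verification by phone")

    # 5. Payment destination never used before.
    for acct in IBAN.findall(text):
        if acct not in KNOWN_ACCOUNTS:
            score += 3
            reasons.append(f"new beneficiary account {acct}")
            break

    return score, reasons


def requires_callback(msg: Email, threshold: int = 3) -> bool:
    """Policy hook: at or above the threshold, payment is blocked until the
    requester is confirmed by phone or in person using a known number."""
    return score_email(msg)[0] >= threshold


# Constructed sample messages.
LEGIT = Email(
    from_name="Jane Doe", from_addr="jane.doe@example.com", reply_to="jane.doe@example.com",
    subject="Supplier invoice",
    body="Please pay the attached invoice to our usual account IE12BOFI90000112345678 when convenient.",
)
SUSPICIOUS = Email(
    from_name="Jane Doe", from_addr="jane.doe@example-mail.com", reply_to="ceo.janedoe@gmail.com",
    subject="Urgent wire transfer",
    body=("I'm in a meeting all day so don't call. This is urgent: wire EUR 48,500 to the "
          "new supplier account DE89370400440532013000 straight away."),
)

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        s, why = score_email(msg)
        print(f"{name}: score={s} callback={requires_callback(msg)} reasons={why}")
```

The score is only a prompt for the human step the post recommends: anything that trips the threshold is held until a colleague confirms the request over a phone number taken from the company directory, never from the email itself. The account check is the most valuable indicator, because a genuine executive rarely introduces a new beneficiary without the normal onboarding paperwork.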
At Tech Guard, we understand that staff training is the only way to protect an organisation against social engineering techniques, used in BEC, phishing and many more forms of cyber attacks. All employees, from the CEO to the receptionist, should learn how to recognise social engineering. A company is only as secure as its weakest link – and the weakest link is often an unsuspecting colleague.
Speak to us today to learn more about how security awareness training can help your company, and get a demo or quote.