Phishing For Corporate Dollars: The Emerging Global Threat Posed By Spear Phishing And Business Email Compromise

In August 2015, the FBI issued an alert describing the newest form of cyberattack—the Business Email Compromise ("BEC").[i] BEC is a sophisticated mutation of the now-common spear phishing data breach technique.[ii] In a BEC scam, a hacker often impersonates a high-ranking corporate executive and sends a "spoofed" email[iii] to a carefully selected target who generally has access and authority to transfer large sums of money on behalf of the company. Unlike traditional phishing schemes, BEC scams are well researched. Successful hackers troll the social media sites of the target employee, review corporate web pages for contact information, and read professional writings to better understand the corporate culture as well as the individual characteristics of the target employee, all with the goal of convincing that employee to part with the company's cash. Consider the following three scenarios (all based on actual cases reported to the FBI):

A corporate accountant receives a spoofed email that appears to be from the CEO of the company requesting an urgent wire transfer relating to a top secret acquisition. The email contains instructions to wire corporate funds to a new bank account of a known business partner at an offshore bank. The accountant, wishing to appear responsive to her boss, drops everything and wires the funds immediately. By the time the accountant and CEO speak in person and realize the error, the money is long gone from the fraudulently opened offshore bank account.[iv]

A business receives a fraudulent invoice from what appears to be a longstanding supplier requesting that the next payment be sent via wire to an alternate account. The spoofed email contains a PDF file of an invoice that appears to be from the trusted supplier, and the email text and header information appear to contain the hallmarks of an actual business communication from the supplier. Because the supplier is located overseas and in a different time zone, it is common practice that communication about payment of invoices be done electronically, rather than verbally. The unsuspecting business wires the funds to the new account, and the money disappears almost immediately. Weeks later, the supplier follows up with the business, sending an angry email expressing frustration that the funds were not timely sent. When the two business partners realize the mix-up, it is too late to recover the funds.[v]

An employee's hacked personal email account sends fraudulent invoices to...
