The CEO/BEC Scam: How Criminals Target Emotions

The Infosec community gained important perspectives from the 2019 Verizon Data Breach Investigations Report (DBIR). From reading the statistics in the report, it’s clear that social attacks are a top threat facing organizations. Of the 2,013 confirmed breaches, 33% included social attacks. In a social attack, criminals target our emotions using social engineering tactics.

As an example, in what is known as a CEO or Business Email Compromise (BEC) scam, criminals target our emotion of obedience, our inherent response to obey a person in authority.  Criminals know this emotion will influence you to carry out what your ‘boss’ requests, whether it’s transferring funds to a new account, buying gift cards, or wiring payments to a new vendor.

The statistics and analysis from the DBIR are valuable because they provide actionable data that raises awareness. For the third consecutive year, our corporate organization, Social-Engineer, LLC, is honored to have contributed data to the Verizon DBIR. It is rewarding to know that this contributed data helps enterprises have a clearer understanding of the threat actions facing them.

Criminals target our emotions
For the third consecutive year, Social-Engineer, LLC is honored to have contributed data for Verizon DBIR.

For each statistic, there is a person and a story.  In this month’s newsletter, our goal is to shine a spotlight on the victims of social attacks. Although the following story is not connected to the statistics from the 2019 DBIR, it highlights how an employee is affected when they fall victim to a CEO/BEC scam and the possible consequences.

The Human Story—How Criminals Target Emotions

This story centers on Patricia Reilly.  Patricia worked as a credit controller in the accounting department for Peebles Media, a publishing company in Scotland. The Managing Director (the UK equivalent to CEO) of Peebles Media, Yvonne Bremner, left to enjoy a week’s vacation in the Canary Islands. With the Managing Director away on holiday, perhaps everyone in the company anticipated a quieter week than normal. However, events quickly turned Patricia’s week into a nightmare.

Throughout the week, Patricia received several emails purportedly from ‘Yvonne.’ The first email from ‘Yvonne’ requested a payment transfer in the amount of £24,800 to a company.  Patricia sought out her immediate supervisor, for collaboration, and made the online payment. Three days later, ‘Yvonne requested another online payment to be made of £75,200. This time, Patricia could not collaborate with her immediate supervisor, as she was away on vacation as well.  Patricia chose to make the online payment.  Altogether, she transferred a total of £193,250.

Rosemary, a colleague of Patricia, logged into Peebles Media’s online bank account and noticed a fraud warning. She told Patricia about it and contacted the Managing Director, Yvonne in the Canary Islands.  Yvonne confirmed that the emails Patricia had been receiving were not from her and were in fact bogus.

The Affects and Consequences When Criminals Target Emotions

How would you feel if you learned you had transferred company funds to fraudsters?  How was Patricia affected? She says she nearly passed out upon learning that she had been scammed. She also suffered panic attacks and was sick for a period of time.

Ultimately, Patricia was dismissed from her employment at Peebles Media. Although bankers refunded Peebles Media £85,268.28 of the stolen funds, Peebles Media is suing Patricia for negligence and seeking the remaining sum of £107,984 from her. Patricia says she felt shell-shocked when she learned of the lawsuit against her.  Because of the lawsuit, Patricia has had difficulty finding new employment.

Patricia says she did not receive adequate training to identify online fraud.  She initiated legal proceedings against Peebles Media for unfair dismissal.  However, she dropped her lawsuit because she had an even more painful situation at home that needed her attention.  Her late partner, John Kelly, was dying of Motor Neurone disease and needed her care.

criminals target our emotions
Patricia Reilly, (Andrew Cawley).

The Human Story is Important

Knowing the human story is important for several reasons. Patricia’s story puts a real face on the statistics that we read about.  It also broadens our understanding of the price paid in a social attack. We often think of the financial cost to the company and rightly so. However, Patricia’s story reminds us that the cost of a social attack is not just financial. It also includes the mental and emotional distress that victims of fraud suffer.

Additionally, it increases our understanding of how criminals use social engineering to execute their attacks and underscores the urgency of implementing security training.

The CEO/BEC scam continues to collect victims. The 2019 Verizon DBIR reports that these attacks represented 370 incidents, of which 248 were confirmed breaches.

Patricia’s story, however, does not have to be your story. Security training and awareness should not be an afterthought. It must be a core company value. And, it should include everyone in the company, even contractors.

Special Targets of the CEO/BEC Scam

If you an employee who works in such fields as accounting, human resources, or payroll, know that you are a special target in the CEO/BEC scam.  A common tactic in the CEO/BEC scam is launching the attack while the CEO is away from the office. So be especially wary of any email communication requesting money transfers or payments while the CEO is away.  If you do, the FBI recommends the following actions:

    • Have face-to-face or voice-to-voice verification and do not rely on just email alone.
    • Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the e-mail request.
    • Scrutinize all emails that request transfers of funds to determine if the requests are out of the ordinary.

If you are a leader, you are also a target in the CEO/BEC scam.  Criminals are looking to steal your email login credentials and compromise your email account.  To that end, criminals conduct thorough research on their targets. They mine social media platforms learning all they can about your company structure, news, and policies. The goal of this research is to craft a convincing phishing email that you will interact with.  If you take the bait in the email and click that link to a malicious website, or open that infected attachment, you may now have given the attacker access to your company network and control of your email account.  Imagine the damage criminals could do with your compromised email account.  They can now send believable email communication to your employees in payroll and accounting for money transfers and payments.

If you fail to fall for their phishy emails, criminals will create a look-alike or “spoofed” domain of your email account such as:

[email protected] instead of john.smith@abc_company.com

Counteract the Attack with Security Training

Do you see the urgent need to implement ongoing and effective training specific to this scenario? It’s so important, because employees who understand this threat are more likely to report suspicious activity. The FBI provides these recommendations:

    • Create intrusion detection system rules that flag e-mails with extensions that are similar to your company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
    • Create an e-mail rule to flag e-mail communications where the “reply” e-mail address is different from the “from” e-mail address shown.
    • Color code virtual correspondence so e-mails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another.

The More You Know—The Safer You’ll Be

The more you know about social engineering, the better equipped you will be to protect yourself and your organization. To that end, would you like to increase your knowledge about the psychological and physical aspects associated with social engineering? At Social-Engineer.Org, our mission statement is, “Security Through Education.”  The Social-Engineer Framework is an excellent, free to use resource. We invite you to explore it and learn more about the social engineering tactics criminals use to target our emotions.

Written By: Social-Engineer

Sources: 
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf 
https://www.social-engineer.org/framework/general-discussion/social-engineering-defined/ 
https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec
https://www.social-engineer.org/framework/influencing-others/influence-tactics/authority/ 
https://www.social-engineer.com/ 
https://www.social-engineer.org/category/newsletter/ 
https://www.sundaypost.com/fp/duped-sacked-now-sued-firm-demands-108k-from-worker-tricked-by-fraud-gang/ 
https://www.bbc.com/news/uk-scotland-glasgow-west-47161340 
https://www.bbc.com/news/uk-scotland-glasgow-west-47135686 
https://www.social-engineer.com/dont-pay-the-price-is-your-company-prepared-for-invoice-fraud/ 
https://www.social-engineer.com/social-engineering-services/ 
https://www.social-engineer.com/the-verizon-dbir-the-c-suite-is-under-attack/ 
https://www.social-engineer.org/framework/attack-vectors/phishing-attacks-2/ 
https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise 
https://www.social-engineer.org/framework/general-discussion/ 

Image: Verizon Data Breach Investigations Report 

Image: https://www.sundaypost.com/fp/duped-sacked-now-sued-firm-demands-108k-from-worker-tricked-by-fraud-gang/