Business Email Compromises are No Myth
Real-life examples of BECs
If you have been following the news, you should know that we are all at risk of Business Email Compromises (BEC). You may be growing tired of hearing this fact although it is a fact that we need to keep in the front of our minds at all time! Timing is a factor that these cybercriminals are continually accessing and know how to attack when your guard is down. Below are real-life examples of BECs that illustrate how easily these attackers researched, planned and struck at the right time and were able to victimize educated, experienced business people.
Mattel: Barbie’s Dream House doesn’t even add up to the amount that Mattel lost in this sophisticated phishing scam.
This phishing scam was a sophisticated attack. Soon after a CEO change at Mattel, the new CEO’s email was compromised. An email which appeared to come from the CEO to a finance executive requested a $3-million wire transfer to be made to a bank in China. Since the company’s protocol is to have approval from two managers, the finance executive believed she was following protocol and immediately wired the funds. Fortunately for Mattel, luck was on their side. They figured out that request was a scam within a couple hours and the transfer luckily occurred on a bank holiday which bought Mattel some time to investigate. Due to their quick response, the funds were retrieved. These scammers had definitely done their due-diligence. They knew the protocols and the company hierarchy and were able to find a weakness, and when the time was right, they hit Mattel with a strong attack. Mattel was lucky with this attack and fortunately because of this experience, they were able to defend against multiple future phishing attacks.
Ubiquiti: What was lost here makes Mattel’s loses look like pocket change!
The definite trend with these scams is timing and sophistication. Ubiquiti’s instance of BEC included emails that came from the company’s attorney requesting confidential and urgent payment as an acquisition was taking place. Typically, amounts of this size, coming from a publicly traded company, require two-person approval. But, with bad judgment from the Chief Accounting Officer and because this was to remain confidential, he approved all 17 of the transfers equally $46.7 million. To make matters worse, the email appeared to come from the attorney’s office, but if it had been adequately investigated, it actually had the individual’s name @consultant.com. To add gas to the fire, they did not find out about the fraudulent charges until contacted by the FBI as the FBI had been following the transfers. Needless to say, Ubiquiti did not come out on top and and was not able to recover $30 million of the $46.7 million.
Pivotal Software: W-2 and Business Email Compromise equals a great deal of danger and mistrust.
In this attack against Pivotal Software, the cybercriminal, through Business Email Compromise was able to impersonate the company’s CEO, Rob Mee and send an email to an employee in payroll. The email requested the W-2 tax information for all United States Pivotal employees. Thinking the email was coming from the CEO, the employee sent all information. Once submitted, there was obviously no recovery of the data, and all affected employees were notified over a company memo urging them to file taxes as soon as possible and basically hope for the best!
As you can see, Business Email Compromise attacks can be infinitely sneaky and can con even the most experienced business-people to become a victim. BECs can cost your business money, and trust and education is the best way to combat these sophisticated attacks. Our Pendello team witnesses these attempts daily so reach out to our experts to learn how to equip your team better to know what to be vigilant of when dealing with daily communications.