Business email compromise Part 2: Implications of an attack

Part 1 of this article drew a clear picture on what business email compromise (BEC) is, the ways to detect it, and how to defend against it when it’s encountered. In case you missed it, you can read that article here.

Part 2 will discuss how a BEC presents itself. If you’re not careful enough, it can wreak havoc on your business in many ways, both morally and financially.

How a business email compromise looks

A client sought accounting help from a third-party vendor. The vendor finished their job per the client's request. Now it was time for the client to pay $3,500 as outlined in their initial agreement.

The client received an invoice from the vendor’s official email address—or at least it looked like that. The invoice had all of the necessary banking information that the client needed to proceed with the payment.

Below is the email received by the client.

Subject: Payment due

Hello,
This is John from YYY finances and solutions. I am attaching an invoice for $3,500 to this email for the accounting solution we provided for the ZZZ project we completed for you.

Please proceed with payment before EOD today.

Regards,
John
Head of finance in YYY finances and solutions

This email is highly personalized by the BEC scammers and is tailor-made to this client. It contains the exact amount owed by the client ($3,500), it urges the client to act quickly (proceed with the payment before EOD) and, finally, this email establishes authority (head of finance in YYY finances and solutions) so that the client won't press for validation and catch on to the evil schemes of this scammer.

The client paid $3,500 dollars to a bank account controlled by the scammers. The real vendor then reached out to the client regarding the payment. It was only then that it dawned on the client that they had fallen victim to a BEC scam.

The client ended up paying again to the actual vendor after losing a court case. The court dismissed the client’s plea because BEC is a scam, not a case of getting hacked, so there was no way to cut the losses by making an insurance claim.

The real implications of business email compromise

A successful BEC attack stuns the entire business by compromising their email. It isn’t contained to just one person. A whole slew of consequences will follow that business and getting out of it unscathed or with minimum damage is a daunting task.

A dent in a company’s reputation

The first and the obvious thing a business loses after experiencing a BEC attack is the toll it takes on their reputation. Vendors, clients, and potential investors don’t want to have their data potentially compromised by associating themselves with a victim company.

It won't take long for the word to spread before existing clients will also renounce the victim business in order to protect their own sensitive data. It would've taken years for that business to build its reputation from the ground up, but the entire thing can be undone by just one successful BEC attack.

A huge financial loss

Just like every other scam in the world, the ultimate goal of a BEC scam is to extort money from its victims. A successful attack can have serious financial ramifications that can cripple just about any business on a large scale.

The scammers, if they gain access to the email account of a higher-ranking officer, can access their bank accounts using the credentials stored in their email. The scammer can then transfer funds to their own bank account, leaving behind a crushing debt on the business.

A loss of employee trust and morale

Barring a miracle, if a business manages to shake the financial losses and the hit their reputation took, this outcome ought to be a deal breaker and something much harder to recover from. The employees cannot be hard-pressed to stay with a company that couldn’t even protect the personal data they entrusted the company with.

This will spell huge trouble because if the employees begin resigning in droves and the company is unable to hire new employees, the business could go under. The business may also be forced to lay off some of its employees to cover for the financial loss they endured because of the BEC attack.

Remember, a BEC attack is a sneaky email sent with the sole purpose of masquerading as a CEO or other high-ranking official to extort money from unsuspecting employees.

Real-life BEC attack examples

Let’s take a look at some of the high-profile organizations who’ve fallen victim to BEC attacks.

Google and Facebook

Between 2013 and 2015, tech titans Google and Facebook both fell for one of the biggest BEC scams and collectively lost about $121 million. The BEC scammers impersonated a Taiwanese hardware supplier who was the regular supplier for these companies. They created fake invoices and Google and Facebook ended up paying them by transferring money to banks controlled by the scammers.

Toyota Boshoku Corporation

The scam cost the European subsidiary of Toyota a whopping $37 million. The BEC scammers posed as one of the business partners of the company. The scammers then sent very personalized emails to Toyota Boshoku Corporation requesting funds to be sent to a specific bank that was controlled by the scammers.

The security experts at Toyota actually spotted this scam but it was already too late since the money was already transferred to the scammer's bank.

The government of Puerto Rico

This particular attack shows that even governments aren’t safe from BEC attacks. Puerto Rico was reeling from a 6.8-magnitude earthquake. This was when Ruben Rivera, the director of the government's industrial development company was duped into sending $2.6 million to a fraudulent bank account.

The BEC attack originated from a compromised email from the department of employment retirement system. However, the FBI were quick on their feet and froze the stolen money before it was lost forever.

Wrapping up 

As mentioned above, some of the most successful BEC attacks have cost the organization upwards of many millions. Given the magnitude these attacks have, the onus is on companies to keep their networks secure and choose a secure cloud email service.