New BEC scam targeting HR departments to swindle salaries unearthed
22 January 2019
The world woke up to the rising threat posed by BEC scams (Business Email Compromise) last year when the FBI revealed that such scams cost businesses up to $7.23 billion (£5.50 billion) in losses between January 2017 and May 2018.
In the period, fraudsters carried out as many as 38,414 BEC attacks, roughly the same as the number of BEC attacks that took place in the previous four years, thereby signifying how productive and popular this attack method had become for online fraudsters and scammers.
A Business Email Compromise (BEC) attack is a scam in which fraudsters masquerade as CEOs, other high-ranking company officials or business partners to target unsuspecting employees who have access to company finances, and trick them using social engineering and phishing tactics. This way, fraudsters are able to convince targeted employees to make wire transfers to bank accounts thought to belong to trusted partners.
According to security firm Proofpoint, BEC attacks are highly targeted, don’t include attachments or URLs, arrive in low volumes, and impersonate people in authority, and as such are quite difficult to detect and stop with traditional security tools.
“Email has become a top attack vector for BEC/EAC attackers because it is a much more effective, easier path for them to navigate than hacking into a targeted organization’s infrastructure. No matter what an organization’s security architecture looks like, attackers are adept at using two of the most powerful information tools of our era—LinkedIn and Google—to conduct reconnaissance on potential individuals to target,” said Ryan Kalember, SVP Cybersecurity Strategy at Proofpoint.
BEC attack targeting HR personnel to update salary accounts
According to email security solutions provider Agari, a new kind of BEC scam has emerged that involves fraudsters targeting the HR or payroll departments at companies by masquerading as existing employees and asking the departments to update their bank accounts. This way, the fraudsters are able to swindle salaries that are credited to employees’ accounts at the end of the month.
“Like what happens in most other business email compromise attacks, these adversaries set up a temporary email account and switch the display name to the name of the individual they are attempting to impersonate. Once the fraudulent account has been created, an email is sent to someone within the payroll organization—typically within the finance or human resources departments.
“In this initial email, the attacker requests to make a change to their existing payroll direct deposit account details and asks what is required to process the change. By avoiding third-party systems and asking for help from the human resources employee, the threat actor can control the entire situation and successfully divert pay into the fake account they own. Depending on how the real employee checks their bank account, this scheme can continue for weeks, or even months, before the attack is caught,” the firm noted.
“Assuming the identity of the CEO seems to be the preferred tactic for the threat actors, but there is no reason that this type of attack cannot utilize the identity and role of any employee within a company. As the primary aim is to divert a monthly salary payment to a bank account the criminal gang controls, it’s logical they would ideally purport to be those most likely to receive the highest compensation,” it added.
Firms must review payroll policies to prevent fraud
Agari suggests that in order to prevent fraudsters from successfully carrying out such scams, organisations must evaluate their current processes for updating payroll details and must ensure that employees check the email addresses of senders before completing a request.
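The check Agari describes, comparing the sender's display name against the address actually used, can be automated at the mail gateway or in a payroll team's inbox. The following is an added example, not code from Agari or from the article: it parses the From: header of each message, looks the display name up in a constructed employee directory, and flags payroll or direct-deposit change requests whose address does not match the directory entry for that name. The corporate domain, the directory and the sample messages are all constructed for illustration.

```python
"""Flag payroll change requests whose sender fails a display-name check.

Added example, not Agari's or the article's code. The corporate domain,
employee directory and sample mailbox below are constructed for illustration.
"""
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"  # assumed corporate mail domain

# Constructed directory: normalised display name -> the employee's real address.
EMPLOYEE_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",
    "sam lee": "sam.lee@example-corp.com",
}

# Phrases that mark a message as a payroll / direct-deposit change request.
PAYROLL_PATTERN = re.compile(
    r"\b(direct deposit|payroll|bank (account|details)|salary)\b", re.IGNORECASE
)


def normalise_name(name):
    """Lower-case, collapse whitespace, and reorder 'Last, First' to 'first last'."""
    name = " ".join(name.split()).lower()
    if "," in name:
        last, first = [part.strip() for part in name.split(",", 1)]
        name = f"{first} {last}"
    return name


def classify_sender(from_header):
    """Return a verdict for a From: header.

    'trusted'  - display name is in the directory and the address matches it
    'spoofed'  - display name (or a corporate address embedded in it) names an
                 employee, but the real address differs: the pattern Agari describes
    'internal' - corporate-domain address with no directory entry
    'external' - outside the corporate domain and impersonating nobody known
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = normalise_name(display)

    # A display name that itself looks like a corporate address, sent from
    # elsewhere, is a spoof regardless of whether the name is in the directory.
    if "@" + CORPORATE_DOMAIN in name and domain != CORPORATE_DOMAIN:
        return "spoofed"
    expected = EMPLOYEE_DIRECTORY.get(name)
    if expected is not None:
        return "trusted" if addr == expected else "spoofed"
    return "internal" if domain == CORPORATE_DOMAIN else "external"


def triage(messages):
    """Return (from_header, verdict) for payroll requests needing verification.

    messages: iterable of (from_header, subject, body). Anything that is not a
    payroll request is ignored; trusted senders are not flagged.
    """
    flagged = []
    for from_header, subject, body in messages:
        if not PAYROLL_PATTERN.search(subject + " " + body):
            continue
        verdict = classify_sender(from_header)
        if verdict != "trusted":
            flagged.append((from_header, verdict))
    return flagged


# Constructed sample mailbox: four payroll-related requests and one unrelated note.
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example-corp.com>", "Direct deposit",
     "Can you update my direct deposit to my new bank account?"),
    ("Jane Doe <jane.doe.ceo@freemail.example>", "Urgent payroll change",
     "Please update my bank details before the next payroll run."),
    ("Sam Lee <sam.lee@example-corp.com>", "Lunch", "Anyone up for lunch?"),
    ("Accounts Team <payroll@vendor.example>", "Salary file",
     "Attached is the salary file for this month."),
    ('"jane.doe@example-corp.com" <attacker@freemail.example>', "Bank details",
     "My bank details changed, what do you need from me?"),
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:9} {sender}")
```

Every flagged message should be confirmed with the employee through a channel the email did not supply, such as the phone number already on file, before any account detail is changed; the verdict only decides which requests cannot be processed on the strength of the email alone.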
Commenting on this new trick being employed by scammers to swindle salaries of employees at targeted organisations, Corin Imai, senior security advisor at DomainTools, says that even though diverting funds by pretending to be an employee is a relatively new tactic, it still makes sense as HR departments have always been a highly valued target for fraudsters due to the readily accessible PII and financial details.
“Employees changing bank accounts is a relatively common occurrence, and making sure people get paid is a top priority for any HR department, which may lead them to overlook tell-tale signs of a fraudulent email. The advice remains the same when it comes to BEC fraud: Check with the individual involved and follow organisational protocol. It’s better to be slightly later in paying than to willingly pay a criminal. Don’t let yourself become the human vulnerability,” he adds.