
R3 Digital Forensics | R3 News & Blog

Firm Announcements and Law Updates


The Aftermath of a Business Email Compromise

By Allyn Lynd

Business Email Compromise attacks cause billions of dollars in losses to American businesses, and their impact only grows with each passing year.

In a business email compromise (BEC), criminals send deceptive emails that seem to originate from trusted sources. They exploit this trust by making seemingly legitimate requests, tricking employees into transferring funds or sharing private data with fraudulent accounts. They accomplish this by either taking over a legitimate email account or creating a fake one that closely resembles the original. 

It's one of the most financially damaging online scams due to its sophistication and prevalence. Most organizations focus on preventing BECs through training and financial and technical controls. For example, putting a rule in place that if instructions to change a wire transfer's recipient are received via email, the sender must verify the new wiring instructions by phone, using an already known and trusted phone number and person, before the wire transfer is authorized, and then training everyone on that rule.

Even with concerted efforts to stop BEC, according to the FBI's IC3 report, losses from BEC attacks more than doubled, with a staggering 111% increase between 2018 and 2022, the last year for which data is available. In 2022 alone, BEC attacks resulted in $2.7 billion in losses, marking a 14.5% year-over-year increase.

The aftermath of a BEC attack can include:

  • Significant financial losses due to fraudulent wire transfers.

  • Compromised sensitive data, such as customer information.

  • Reputational damage, including loss of trust and customer confidence.

  • Legal issues, including potential lawsuits and regulatory fines.

  • Disruption to business operations, such as delays and interruptions in business processes.

  • Increased security measures to prevent future attacks.

Given that prevention isn’t sufficient to stop BEC attacks, companies should be prepared to respond to them as well.

Responding to a BEC Attack

Several factors should be considered when responding to a BEC attack:

  • Multiple parties involved: This typically includes the organization attacked, the organization(s) they were conducting business with, and the criminal who committed the BEC.

  • Loss of data or money: The criminal likely has possession of lost assets.

  • Interstate communication: Fraudulent activity often involves communication across state lines.

  • Insurance limitations: Losses may exceed insurance coverage.

  • Email compromise: Either the business or the business’ partner likely experienced an email compromise that the scammer exploited.

  • Recovery challenges: By the time the BEC is discovered, it is often too late to fully recover the missing information or funds. Nevertheless, it is important to make every effort to retrieve lost assets and mitigate damages.

Legal Considerations

Given the difficulty of recovering funds from the criminal, the question becomes how to divide the loss among the affected parties. Ideally, the parties can reach a settlement, but this can be challenging due to the reluctance to accept responsibility for the loss. Therefore, many attempts to find a solution end in civil lawsuits.

Case law is still evolving, but several factors appear to be at play in these cases, including:

  • Proportionate responsibility: Which party was in the best position to prevent the fraud?

  • Due diligence: Did each party act with reasonable care to protect themselves and their partners?

Example of a BEC Attack

Let's examine a common BEC scenario involving mortgage payments at closing:

  1. A real estate developer borrows money from a bank to develop a project.

  2. After completing the project, the developer sells the property and uses an escrow company to transfer funds to the bank to pay off the loan.

  3. Unbeknownst to the developer, the bank suffered an email compromise some time ago, and the criminal is monitoring emails for a high-value transaction.

  4. The criminal spoofs email addresses and inserts themselves into the communication between the developer, the bank, and the escrow company using a man-in-the-middle attack.

  5. The criminal provides the developer with fraudulent wiring instructions. They also tell the bank that the closing has been delayed to prevent them from noticing the missing funds.

  6. The escrow company verifies the fraudulent wiring instructions with the bank using the compromised email account.

  7. The developer transfers the money to the escrow company, sending the funds to the criminal's account.

  8. By the time the fraud is discovered, the criminal has transferred the money overseas, making it untraceable.

  9. The parties involved report the incident to law enforcement and financial institutions, but it is too late to recover the funds.

  10. Insurance may not fully cover the loss, leaving the parties to dispute responsibility in a civil lawsuit.

Factors Influencing Legal Outcomes

In this example, the parties would likely not settle because each party felt that the percentage they were asked to be responsible for was not being divided “fairly.” They also likely did not want the reputational blow for either suffering a fraud or being negligent in their business dealings. These parties had also done business with each other multiple times and, while not wanting to damage future business together, could not easily afford the losses the other parties wanted them to absorb.

One factor in litigation will be what each party did to prevent the BEC. Only one party, the bank, had its email compromised. So, what did they do to prevent the computer intrusion, the root cause of the threat actor's ability to commit the fraud? How long were they compromised before they noticed? What did they do to monitor for email compromises?

In this instance, the criminal had been inside the bank's systems for some months without being noticed. Across all parties, no one noticed the forged email headers or the change in writing style between the criminal's messages and those of the person they normally dealt with, because neither the bank nor the developer had training on spotting BECs. The escrow company did have training and controls designed to prevent the fraud, but it accepted a "trusted" email as the source of wire transfer changes instead of calling for verification, which is a better practice than relying on email.

Finally, after learning of this fraud, the bank noticed a similar closing fraud was occurring on a different account, but it was stopped because the developer was informed by their financial institution that the new transfer looked suspicious. They then contacted the lender by phone to confirm the new wiring instructions were valid, only to find they weren't. In addition, enough time passed during settlement negotiations that the parties lost some logs and computer evidence because they had not preserved it immediately, not thinking they needed to.

To improve the chances of a favorable legal outcome, organizations should:

  • Provide BEC training: Educate employees on how to identify and avoid BEC scams, particularly in scam-prone industries such as real estate.

  • Implement strong controls: Establish multi-factor authentication, email filtering, and verification procedures for financial transactions. In the example given, the escrow company had controls that proved inadequate and were not in line with best practices. Also, the technical controls meant to prevent intrusion into the bank’s email server appear to have failed, and while indications could be found in the logs, they were not being looked for when the intrusion occurred.

  • Develop an incident response plan: Outline steps to take in case of a BEC attack, including reporting procedures, evidence preservation, and communication protocols. In the example given, because neither the bank nor the developer had an incident response plan, they did not react as quickly as they could have, and they did not preserve the evidence needed to investigate the incident fully. Without an incident response plan, the bank also did not know to look for additional fraud similar to the first fraud, and only through a stroke of luck did it miss experiencing another similar loss. 

  • Monitor for suspicious activity: Regularly review logs and security alerts for signs of compromise. Technical controls that are not monitored are not effective.   
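As an added illustration of the monitoring and verification controls above (example code written for this page, not part of the original post or any R3 tooling), the following check flags the two BEC indicators the article describes: a Reply-To header that diverts replies away from the apparent sender, and a sender domain that is a one- or two-character lookalike of a trusted counterparty. The trusted domains and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: domains of the counterparties we normally exchange wiring details with.
TRUSTED_DOMAINS = {"examplebank.com", "example-escrow.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()  # domain of From/Reply-To

def bec_warnings(raw: str) -> list:
    """Return warnings for the BEC indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom = domain_of(msg["From"] or "")
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if reply_dom != from_dom:  # replies silently diverted to another mailbox
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in {from_dom, reply_dom} - TRUSTED_DOMAINS:
        close = [t for t in TRUSTED_DOMAINS if edit_distance(dom, t) <= 2]
        if close:  # e.g. the digit 1 substituted for the letter l
            warnings.append(f"{dom} looks like trusted domain {close[0]}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(k in text for k in ("wiring instructions", "new account", "updated account")):
        warnings.append("message changes payment details; verify by phone on a known number")
    return warnings

# Constructed sample: a payoff message with a lookalike sender and a diverted Reply-To.
SAMPLE = """From: Loan Officer <officer@examp1ebank.com>
Reply-To: officer@examplebank-payoff.com
To: developer@example.org
Subject: Updated payoff wiring instructions

Please use the new wiring instructions attached for the payoff.
"""

if __name__ == "__main__":
    for w in bec_warnings(SAMPLE):
        print("WARNING:", w)
```

A check like this belongs in the mail pipeline or the verification procedure, not in place of the phone call the article recommends.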

Successful BEC Response

The process for responding to a BEC — or any other security incident — is:

  • Prepare: Get ready for potential threats

  • Identify: Recognize the threat

  • Contain: Limit the threat's spread

  • Eradicate: Eliminate the threat

  • Recover: Restore normal operations

  • Lessons Learned: Analyze what happened to prevent future incidents

In the example case, the process was not followed because no one in either organization recognized that it was a security incident and not just a financial fraud.

BEC attacks are a serious threat to businesses of all sizes. By implementing strong prevention measures and developing a comprehensive incident response plan, organizations can reduce their risk and minimize the damage caused by these attacks. Remember that both prevention and incident response are essential for mitigating risks and limiting losses.

About Allyn Lynd

Allyn Lynd is the Director of Incident Response at R3 Digital Forensics. He brings over 25 years of expertise in digital forensics, cybercrime, and incident response, having led complex investigations at the FBI and in private practice. He can be reached at allyn@r3forensics.com.