Business email compromise (BEC) attacks are continuing to rise in both frequency and severity, with victims now losing millions of dollars in single transactions, according to law enforcement agencies.
A BEC attack, also known as a senior executive impersonation attack, is one in which an organisation's staff are manipulated into sending money to criminals. Typically, the criminals breach the corporate email system and spend some time learning the organisation's business, structure, and communication style to improve their chances of success.
"They'll insert themselves by putting a socially engineered piece of communication there," said Special Agent Ryan Brogan of the US Federal Bureau of Investigation (FBI). "Those emails are very, very convincing."
In one recent case, a local car dealership lost $7 million after an employee received an email, purportedly from his CEO, saying he needed to wire money to a new account to fund a new special project.
"The actor sort of implied that the dealership manager's promotion would be on the line if this didn't happen," Brogan told the Australian Cyber Security Centre (ACSC) Conference in Canberra last week.
"He goes and wires this money. He actually broke all of their internal controls."
It was three days before anyone realised it had all been a fraud, when the employee happened to ask his real boss whether he'd received the money.
$7 million is by no means a record for BEC cases investigated by the FBI. Australia has also seen single-transaction BEC frauds in the millions of dollars.