Press release

Confirm external recipients in Outlook before emails are sent

4 Business Email Compromise (BEC) Scams Nobody Saw Coming

What would you do if your CEO sent an email requesting a wire transfer to move forward with a time-critical project? Or if a major supplier was threatening to terminate a contract unless you pay an overdue bill ASAP? You’d probably be tempted to do as asked… yet there is a good chance that this is a trap.

Over the past 3 years, business email compromise (BEC) attacks have cost companies and individuals more than $5 billion, according to statistics from the FBI. If you are not familiar with the term, BEC is a type of phishing attack in which one or more scammers impersonate a trusted source, like heads of department or CEOs, and ask the victim to proceed with fund transfers.

While many BEC scams have happened around the world, we want to talk about four of them in particular because they led to substantial, yet avoidable, financial losses. In fact, these incidents could surely have been prevented had victims used SafeSend’s spear-phishing functionality for the detection of spoofed email addresses.

Kansas County, $566,000

What could go wrong with a contractor asking to update billing details? Your accounting department probably deals with requests like that all the time, especially if you work with many suppliers. Alarmingly, however, your staff probably see this as a routine task, meaning no suspicions or objections are raised when they should be.

Indeed, that is precisely what cybercrime fraudster George James counted on when he managed to deceive Kansas County’s Automated Clearing House into swapping a local construction company’s billing records for his. The scam was very simple to execute. James only had to use a fake email address, pretending to be the firm’s CEO, and ask the county to proceed with an electronic payment of $566,000.

SafeSend would have helped to see the hoax coming by flagging the impostor in any outgoing email. Confirming external recipients in Outlook before emails are sent could have prevented this!

Aussie Multi-Millionaire, $1 million

Like it or not, being wealthy or holding a senior position in a large enterprise makes you the potential target of cybercrime. Australian millionaire John Kahlbetzer learned that the hard way after his assistant, Christine Campbell, got duped by a forged email address which prompted her to transfer $1 million to a bank account in the UK.

How did that happen? Why didn’t Christine see that it wasn’t her boss’ email address? Well, it almost was, except for one missing character, which most people would have overlooked as well.

Here again, SafeSend’s spear-phishing functionality could have put an end to the scam, as replying to a spoofed email address can automatically trigger a pop-up warning window.

MacEwan University in Edmonton, $11.8 Million

A staff member from MacEwan University thought he was only doing his job modifying the electronic banking information of a vendor. The request seemed very legit and led to three fraudulent payments totaling $11.8 million over a 9-day period. Remarkably, two other staff members were cc’d at some point in the email thread, but nobody noticed anything was off.

The university decided to review its business processes to avoid further incidents, including the implementation of stronger policies and controls. As part of this, they could hugely benefit from a solution like SafeSend to prevent similar phishing attacks in the future.

FACC AG., €52.8 Million

BEC scams can put large enterprises in an extremely delicate financial position, as illustrated by FACC’s share price going down 38% following a massive whaling attack targeting its CEO, Walter Stephan. Fraudsters impersonated him using a forged email address and tricked a subordinate into wiring €52.8 million to a fraudulent bank account.

Both CEO and CFO were fired after the incident, and FACC had to report an operating loss of €23.4 million that fiscal year. An €18.6 million profit could have been declared instead had the victim detected that Stephan’s email address was spoofed using a solution like SafeSend that can confirm external recipients before emails are sent.
