EI-ISAC Cybersecurity Spotlight – Business Email Compromise Scam
What it is
Business Email Compromise (BEC) scams attempt to deceive organizations into sending money or employee’s personally identifiable information (PII) to a malicious actor or to use the organization’s name to fraudulently obtain material goods. Also known as Email Account Compromise scams, BEC scams are associated with significant data or financial loss for organizations.
BEC scams use specific information about the organization, sender, or recipient to make the scams more realistic. For instance, the emails can originate from the compromised or spoofed email accounts of employees or vendors and contain appropriate logos, URLs, and terminology for the target audience. Some of the variants are opportunistic in the broad scope of their targeting, while others specifically target a specific agency or individual.
BEC scams also use several common social engineering tactics to deceive recipients. Emails may include a reason to continue the conversation via email, such as being out of the office or in a meeting, to prevent recipients from talking to the employee or vendor and discovering the scam. They also often convey a sense of urgency or secrecy and excuse typos by indicating the message originated on a smartphone.
The EI-ISAC recognizes five common BEC variants that affect state, local, tribal, and territorial (SLTT) governments, including election offices: direct deposit, financial theft, W-2 and PII data theft, purchase order, and vendor change.
- Direct Deposit – In this variant, malicious actors target direct deposit accounts through emailed change requests sent to the Human Resource or Finance departments. In this targeted email, the malicious actors imitate an employee (typically a senior executive) requesting a change to the banking account information for their direct deposits. These emails usually contain the proper names of the affected employee and the targeted human resource or finance employee. The EI-ISAC believes malicious actors target senior executives for both their larger paychecks and because employees are more likely to aid a senior executive despite the unusual request that avoids normal procedures.
- Financial Theft – In this variant, malicious actors pose as an employee or senior official and request the finance department immediately send a wire transfer. The emails are typically directed toward a member of the finance department by name and contain the proper names of the finance employee and the requesting employee.
- W-2 and PII Data Theft – In this variant, a malicious actor pose as an administrator or senior executive and send a targeted email to the human resource or finance departments requesting an immediate email with all employees’ W-2 information or PII.
- The EI-ISAC believes that the W-2 information or PII is then used to commit tax fraud or identity theft. This variant is most popular from January to April each year.
- Purchase Order – In this variant, malicious actors modify the contact information on publicly available purchase order forms to include different telephone numbers, email addresses, and potentially, spoofed websites. They then submit the purchase order form to a vendor, have the goods shipped, generally overseas, and sell the items for a profit while the bill goes to the affected entity.
- Vendor Change – In this variant, which uses tactics similar to the direct deposit variant, malicious actors spoof or compromise the email account of a vendor and request that the SLTT government changes the payment information to a new bank and account number. This results in the next payment from the SLTT government going to the malicious actors instead of the legitimate vendor.
Why does it matter
Though other cyber attacks, such as ransomware, receive more press, BEC scams can be far more costly to SLTT governments. For instance, at their height in 2016 ransomware attacks were estimated to cost organizations a total of $1 billion, while BEC scams have resulted in over $12 billion stolen since 2013, according to the Internet Crime Complaint Center (IC3). According to NTTSecurity, the average cost of a ransomware attack to an organization is $700, while the average cost of a BEC scam is $67,000. The EI-ISAC is aware of SLTT governments that have lost millions of dollars to these scams.
In addition to direct financial losses, successful BEC compromises are highly likely to result in significant recovery costs and reputational impacts that potentially harm public trust. Personal information, such as Social Security Numbers, contact information, and employment data, may also be revealed in certain BEC variants and constitute a data breach, resulting in additional liabilities for an organization.
What you can do
Malicious actors use traditional social engineering and phishing techniques to conduct BEC scams, which help increase the likelihood of successful attacks. The EI-ISAC Spotlights on Phishing and Common Malicious Email Campaigns are a good resource for general mitigation recommendations.
To address BEC directly, EI-ISAC recommends election officials ensure there is a policy for identifying and reporting BEC scams, as well as similar phishing emails. The policy should include using alternative forms of communication to verify the identity and authorization of email senders prior to approving unusual financial or sensitive data requests. Employees, especially in the finance and human resources departments, should be trained to recognize BEC scams and report them in accordance with the policy. These employees should also ensure that the email is going to the correct person by hovering the mouse over the address in the email header to verify it is the correct address.
To report suspicious emails, please send the email as an attachment to the EI-ISAC at email@example.com, and to IC3. If there is a successful compromise attempt, transfer of W-2 or PII information, or financial loss, election officials are encouraged to immediately contact their state police or federal law enforcement authority for assistance. In the case of financial losses, it may be possible to stop the transfer of the payment by immediately contacting your financial institution.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.