BEC and CEO fraud: a growing risk for companies
Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis of cyber threat intelligence at a global level.
The information reported is the outcome of the collection and analysis work done by TS-WAY specialists for the TS-Intelligence platform.
In this article, we reconstruct the dynamics of two sophisticated frauds that impact every sector of business at all levels: business email compromise (BEC) and CEO fraud.
Trend analysis, the amount of financial losses, and the increasing exploitation of artificial intelligence and deep fakes by criminals suggest that the potential of these threats should not be underestimated and justify the need for companies and employees to put in place all relevant best practices.
BEC and CEO fraud: similarities and differences
BEC and CEO fraud aim, with different strategies, to deceive employees in critical industries into authorizing large payments or revealing sensitive information.
BEC fraud is based on fraudulent or compromised e-mail messages that the attacker sends to a specific employee within the company, pretending to be an already known or trustworthy interlocutor. Target identification and the following interaction are based on social engineering activities aimed at minimizing levels of defense. In the most recent attacks, the use of generative artificial intelligence (LLM) models has been noted for drafting e-mails that are as truthful as possible. Once solid contact has been established, or by determining emotional reactions due to haste or fear, the criminal will try to induce the employee to authorize wire transfers or reveal company secrets or other data.
In CEO fraud, the attacker poses as a senior executive of a company and contacts one of the employees to get him to make unbudgeted payments or induce him to reveal confidential information. Contact can be made in a variety of ways: through e-mails or messages sent from an account that spoofs the manager’s legitimate one, or by exploiting artificial intelligence to mimic the executive’s voice and appearance during voice calls or video conferences.
Payments and transfers are transferred to accounts controlled by the attackers or managed by money mules, who initiate more or less sophisticated financial laundering schemes.
BEC: numbers released by the FBI
In a Public Service Announcement last Sept. 11, the FBI provided updates on data on BEC fraud complaints filed with the Internet Crime Complaint Center (IC3).
BEC campaigns continue to target small local businesses, large corporations, and private transactions while evolving techniques to gain access to such corporate or personal accounts.
Between December 2022 and December 2023, there was a 9 percent increase in overall reported financial losses. In 2023, IC3 reported growth in BEC reports where funds were sent directly to a financial institution that hosted custodial accounts held by third-party payment processors, or peer-to-peer payment processors, and cryptocurrency exchanges, which directly contributed to the increase in global exposed losses.
IC3 data show that BEC fraud was reported throughout the U.S. and 186 other countries, with more than 140 countries receiving fraudulent transfers. Based on financial data reported to IC3 for 2023, international banks located in the UK and Hong Kong often acted as intermediate gateways for funds, followed by China, Mexico, and the United Arab Emirates.
Recent cases of BEC and CEO fraud
To get an immediate idea of the size of the risk caused by these fraudulent schemes, it will suffice to run through a brief and partial review of recent attacks. It will be useful to consider not only the ones that have sadly succeeded, but also how some of them were foiled.
An employee of the Hong Kong branch of a British multinational company was involved in a sophisticated BEC fraud based on artificial intelligence. The man received an e-mail request to make a secret transfer of funds that, although it appeared to come from the British CFO, still made him suspicious. To allay his doubts, the attackers invited him to a video conference with the CFO himself and other employees. The meeting was attended by deepfake profiles of those people, through which the attackers convinced the man to make the transfer of more than $25 million.
The company LastPass, which distributes a free web password management program, has revealed that it was involved in a CEO fraud attempt. The adversaries entered communication with one of the employees on WhatsApp, posing as the CEO, Karim Toubba. To gain the target’s trust, they would make calls, send text messages, and at least one deepfake audio-based voice. The requests, transmitted outside institutional channels and characterized by elements typical of Social Engineering techniques, such as forced urgency, were promptly reported to the internal security team.
A Ferrari car company executive was allegedly the target of an artificial intelligence-based CEO fraud attempt. The man allegedly received text messages and, later, a voice call from a number whose profile showed a photo of its CEO, Benedetto Vigna. The attacker, who had used AI to make his own voice resemble Vigna’s, required the executive to sign a Non-Disclosure Agreement for a confidential corporate acquisition. However, the criminal failed to answer a question regarding a private matter between the two, and communication was cut off.
A BEC fraud involved a U.S. company and an Italian firm that had entered into a $1.4 million agreement to supply travertine workmanship for a temple renovation in New York City. The criminals hacked the two companies’ e-mail accounts, intercepted exchanges related to the job order and diverted a $700,000 wire transfer. Upon discovering the scam, the U.S. Secret Service and the Italian Postal Police were involved, and they identified some of the criminals, including the money mule who had received the wire transfer and routed the money to several other accounts.
The identity of the CEO of WPP, one of the largest global advertising and market research companies, was abused in a failed fraud attempt. To induce an employee to provide data and money, criminals set up a Microsoft Teams meeting based on a deepfaked audio of the executive.
A Tennessee (U.S.) school district has fallen victim to a BEC fraud. The chief financial officer of the Johnson County Board of Education, whose rural district has about 4,500 students, was contacted by a fake employee of Pearson, a company that provides online courses and digital learning materials. The criminal managed to obtain two wire transfers totaling $3.36 million. Authorities reconstructed the network of accounts through which the money passed and identified a total of four people who allegedly operated as money mules. Some of the embezzled money was reportedly recovered.
The CEO for Southern Europe of Dutch Fremantle, the world’s leading TV entertainment company, fell victim to a nearly €1 million CEO fraud. The manager recounted receiving a WhatsApp message from an account traceable to the company, requesting a wire transfer for the acquisition of an overseas subsidiary. He then received a phone call from an individual who introduced himself as one of the lawyers handling the purchase and who gave him the bank details for a large wire transfer that could be made.
Telsy and TS-WAY
TS-WAY is a company that develops technologies and services for medium and large-sized organizations, with a unique in Italy for cyber threat intelligence expertise. Founded in 2010, TS-WAY has been part of Telsy since 2023.
Is configured as an effective extension of the client organization, supporting the in-house team for intelligence and investigation activities, cyber incident response, and systems security verification activities.
TS-WAY’s experience is internationally recognized and is corroborated by large private organizations in finance, insurance, defense, energy, telecommunications, transportation, technology, and by government and military organizations that have used the services of this Italian company over time.
TS-WAY’s Services and Solutions
With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.
Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.
Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.
TS-Intelligence
TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.
It is presented as a Web-usable, full-API platform that can be operated within an organization’s defensive systems and infrastructure, to strengthen protection against complex cyber threats.
Constant research and analysis on threat actors and emerging networked threats, both in APT and cybercrime, produces a continuous information flow of an exclusive nature that is made available to organizations in real-time and processed into technical, strategic, and executive reports.
Learn more about TS-WAY’s services.