A newly identified criminal organization has been observed running a large number of business email compromise (BEC) scams. Since February 2021, Abnormal Security reports the gang has been responsible for some 350 BEC campaigns against a range of companies. No particular sector is favored, but the scammers favor larger organizations, with more than 100 of the targets being multinational corporations with offices in several countries.
“All of the attacks by this group follow a similar, but effective, formula,” Abnormal’s report says. “The primary pretext in their attacks is that the targeted employee’s organization is working through the confidential acquisition of another company and the employee is being asked to help with an initial payment required for the merger. The attacks consist of two stages, each employing a different persona. One is internal, typically the CEO, and the other is external, generally an attorney focused on mergers and acquisitions.”
Nigeria has long been the home of most organized social engineering fraud, including BEC. Over the past year, Abnormal says its observations have found that 74.2% of BEC scams have originated in Nigeria, with criminals based in the United Kingdom a distant second at just 5.8%. The reasons for Nigeria’s prominence in organized criminal phishing have complicated cultural and historical roots, but in the case of this corporate acquisition-themed scam, the operators have no connection whatsoever with the West African country. Instead, they appear to be based in Israel, which makes them a geographical outlier.
The campaign is an outlier in other respects, too. While most BEC scams seek to persuade members of a company’s finance or accounting team, this group goes after more senior corporate officials.
“One of the main themes throughout the attack is confidentiality,” Abnormal writes. “Many of the first few messages stress that the success of the acquisition hinges on the transaction staying a secret. An email may mention that any leak of information about the transaction would result in the cancellation of the project and/or that all communication must be kept to email in order to prevent insider trading and maintain a strict chain of custody.”
The scammers impersonate a senior corporate officer, usually the CEO, in their first approach. They followed by a communication that misrepresents itself as originating with an external legal counsel. The third state of an attack has usually involved a transition to equally fraudulent phone conversations conducted over WhatsApp. Those are intended to close the deal, and, Abnormal Security speculates, to minimize the email and paper trail the fraud leaves.
In this case, organizations can protect themselves with a mix of appropriate policies (not using emails or similar communications to direct payment of large sums of money) and, above all, new-school security awareness training.
Abnormal Security has the story.
CEO fraud has ruined the careers of many executives and loyal employees, causing over $26 billion in losses. Don’t be the next victim. This manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.
