A three-person team – including a personal banker at Bank of America – has been indicted for allegedly running a BEC scam that took five companies for over $1.1 million.
I often hear of (and tell) stories of scams, but rarely hear about what happened after the money’s been stolen. In this case, according to a U.S. Department of Justice press release, we get a small glimpse into what transpires post-attack with funds.
According to the DoJ, three men were behind a Business Email Compromise (BEC) scam that began with targeted phishing attacks designed to steal online credentials. Once a set of credentials was obtained, a substantial amount of time – in some cases, months – was spent intercepting email communications so that the team could learn the internal billing systems, the types of communications between key players, and which vendors, clients, and individuals were responsible for transactions. The team would then send an email to a vendor impersonating an employee (using a typo-squatted lookalike domain), requesting payment for a real transaction and supplying full details of that transaction for credibility, but directing the payment to an account the team controlled.
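The lookalike-domain step is the one piece of this scheme that mail-filtering or accounts-payable tooling can check mechanically. As an added example (not from the original post or the DoJ release), the Python below flags sender domains that imitate a trusted vendor domain through a small edit, a digit-for-letter substitution, an "rn"-for-"m" swap, or a changed TLD; the trusted domains and sample addresses are constructed.

```python
import re
import unicodedata

# Constructed list of domains this organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = ["acme-supply.com", "northwind-traders.com"]

def _normalize(name: str) -> str:
    """Lower-case, strip accents, fold substitutions typosquatters rely on."""
    n = "".join(c for c in unicodedata.normalize("NFKD", name.lower())
                if not unicodedata.combining(c))
    return n.replace("rn", "m").replace("vv", "w").translate(str.maketrans("0135", "oles"))

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain `domain` imitates, or None if it is legitimate."""
    d = domain.lower().rstrip(".")
    if any(d == t or d.endswith("." + t) for t in trusted):  # the real domain or a subdomain of it
        return None
    # Compare only the part before the TLD, so a swapped TLD (.co for .com) is caught too.
    name = _normalize(d.rsplit(".", 1)[0])
    for t in trusted:
        if _edit_distance(name, _normalize(t.rsplit(".", 1)[0])) <= max_distance:
            return t
    return None

def scan_senders(addresses):
    """Return [(address, imitated_domain)] for senders using a lookalike domain."""
    findings = []
    for addr in addresses:
        m = re.search(r"@([A-Za-z0-9.\-]+)>?\s*$", addr)
        if m and (hit := lookalike_of(m.group(1))):
            findings.append((addr, hit))
    return findings

# Constructed sample From addresses: two legitimate, three lookalikes.
SAMPLE_SENDERS = [
    "ap@acme-supply.com",
    "Jane Doe <jane@northwind-traders.com>",
    "ap@acme-supp1y.com",         # digit 1 in place of l
    "billing@acrne-supply.com",   # rn in place of m
    "jane@northwind-traders.co",  # swapped TLD
]
```

A hit on an invoice or a request to change bank details is a reason to confirm the request with the vendor over a known-good phone number, not by replying to the mail.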
One of the three, an ex-Bank of America personal banker, was responsible for setting up the bank accounts – in many cases under the names of the victim companies – to ensure payments would be accepted by the bank.
It’s important to remember that scams like this nearly always start with a phish. If a user falls for the phishing attack, the game is on; if no one does, your organization is not at risk of either the attack or the fraud that follows. Users that undergo Security Awareness Training – particularly those who have responsibility over the organization’s finances – are better prepared to spot scams designed to steal credentials, thwarting BEC scams like this one before they ever get started.