A computer mouse and a fishing hook

$800,000 recovered from Business Email Compromise attack

We continue to see the damaging repercussions of business email compromise (BEC) impacting organisations across the US and elsewhere. The Houston Chronicle reports that law enforcement seized $800,000 from a bank account used for pillaging funds from a construction management company.

The attack

BEC attacks revolve around an approach by a criminal who has compromised or spoofed an executive-level email account. In this case it was compromise.

As per the civil complaint, phishing attacks and / or malware were allegedly used to break into the business. The scammers then worked their way to the accounts department:

On or before July 13, 2022, Unidentified Conspirators gained access to Victim Company’s computer networks, including their email servers and accounts, through phishing attacks or the use of malware. The perpetrators identified employees of Victim Company responsible for financial obligations and their contacts with other entities. Using this information, Unidentified Conspirators used a spoofed email address, posed as an employee of Vendor, and ordered Victim Company to wire payment to the Prosperity Bank Account controlled by Unidentified Conspirators instead of Vendor’s account on file. Believing it was Vendor’s legitimate bank account, Victim Company wired $876,121.00 to the Prosperity Bank Account.

Once the attackers were inside the network with access to email, the BEC scheme was ready to begin.

This is where the attackers pose as suppliers or senior members of staff and attempt to convince people with access to funds to carry out urgent money transfers. These transfers are traditionally done via wiring the money overseas, although digital transactions of various kinds have increased in popularity in the last couple of years.

As per the Houston Chronicle, workers tied to financial dealings were identified, and then sent bogus emails.

In this case, the attackers posed as another engineering / construction firm and asked to have the funds wired to another bank in the US. The bank notified the victims that they were likely impacted by a fraudulent transfer and the US Secret Service executed a seizure warrant to recover the funds.

At time of writing, neither attackers or victims have been identified.

Reducing the risk of BEC

There are multiple ways to try and steer clear of BEC attacks. Multiple tips are listed on the Justice.Gov release, many of which we’ve been advising for some time now. Here they are, along with some of our own:

  • Enable two-factor authentication (2FA) on email accounts. 2FA that uses hardware keys or FIDO2 devices is resistant to phishing, and all forms of 2FA are resistant to password guessing, brute force attacks, and password leaks.
  • Use designated individuals and two-factor authentication for wire transfers.
  • Reducing the footprint of folks in finance. Removing vulnerable people from publicly visible business sites such as LinkedIn or the company website can help shield them from attackers.
  • Use Malwarebytes EDR to block the tools scammers use to infiltrate organisations, like phishing sites, malware, and exploits.
  • Verify the authenticity of information included in correspondence and statements.
  • Pay using checks when the information cannot be independently verified.
  • Monitor email account access, and check for unauthorized email rules and forwarding settings.
  • Restrict wire transfers to known and previously verified accounts.
  • Have a clear and detailed Incident Response Plan.

Stay safe out there!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.