Business Email Compromise (BEC)
NEC Security Blog, September 13, 2024
The information in this article is current as of September 2024.
The Internet Crime Complaint Center (IC3) of the U.S. Federal Bureau of Investigation (FBI) released its 2023 Internet Crime Report in March 2024 [1]. This annual report compiles the cybercrime complaints submitted to the IC3. In the 2023 edition, the crime types with the largest reported losses were investment scams in first place, business email compromise (BEC) in second, and tech support scams in third. BEC held the top position in the 2021 and 2022 editions and slipped to second place this year, but it remains a crime with a large number of victims. In Japan, "financial damage caused by business email compromise" has appeared in the organizational section of the Information-technology Promotion Agency, Japan (IPA) annual "10 Major Security Threats" for seven consecutive years [2], so it is a cybercrime that requires caution domestically as well. In this blog post I summarize business email compromise. The term may sound as if the scam is limited to email, but as business communication methods change, attackers increasingly use other channels such as chat, voice, and video, and combine them with email. A broader term such as "Business Communication Compromise" may therefore better reflect the current landscape.
What is Business Email Compromise?
Business email compromise is a scam in which an attacker impersonates a business partner or an executive of the target organization in order to obtain money illegally. Typically the attacker exchanges fake emails with the person responsible for the organization's finances and eventually directs them to transfer funds to a bank account controlled by the attacker. (As discussed later, this fraud is not limited to email. Regardless of the channel, I use "business email compromise" here as a general term for fraud that deceives victims into transferring money through business-related interactions.) According to the IC3 2023 Internet Crime Report introduced above [1], the IC3 received 21,489 BEC complaints in 2023, with total losses of approximately 2.9 billion USD, about 24% of all cybercrime losses reported that year. The same report lists 2,825 ransomware complaints in 2023 with reported losses of approximately 59.6 million USD. That figure excludes system recovery costs and lost business, so a direct comparison is difficult, but on reported losses alone BEC far exceeds ransomware, whose damage is reported on far more often. Research from Japan likewise indicates that the financial losses caused by BEC to Japanese companies are comparable to those from ransomware attacks [3]. Although BEC attracts less attention than ransomware, it is one of the significant cybercrimes that warrants caution.
Patterns of Business Email Compromise
According to the IPA, business email compromise falls mainly into two patterns [4]: "impersonating a business partner" and "impersonating a CEO or executive."
In the "impersonating a business partner" pattern, the attacker poses as a business partner and sends the victim organization a fake invoice on which the payment destination has been changed to an account controlled by the attacker, causing the organization's finance officer to transfer funds there. In other cases, instead of sending a fake invoice, the attacker contacts the finance officer directly and asks them to change the registered payment destination to a newly designated account.
In the "impersonating a CEO or executive" pattern, the attacker poses as the CEO or another executive of the victim's own organization and instructs employees, such as other executives or accounting personnel, to transfer funds to the attacker's account. In some cases the attacker instead impersonates an external authority, such as a lawyer or law firm acting on the CEO's behalf, and deceives the finance officer into making the transfer to an account set up by the attacker.
Methods of Business Email Compromise
To carry out business email compromise, the attacker must obtain the target's email address by some means and then send a spoofed email to it.
To identify targets, attackers collect email addresses from publicly available corporate information and/or use social engineering or information-stealing malware to learn the details of employees within the company.
Methods for sending spoofed emails include registering and using a look-alike domain, abusing free webmail services, forging the "From" header, or taking over a legitimate account by some means and choosing recipients from its past correspondence. A forged "From" header can be caught by sender authentication (SPF, DKIM and DMARC), but a look-alike domain the attacker genuinely controls or a hijacked legitimate account passes those checks, so an email that appears to come from a legitimate account may still be fraudulent.
As an example of business email compromise using hijacked legitimate accounts, here is the method used by three scammers arrested in May 2022 who were reported to have conducted BEC activity worldwide, including against Japan [6]. The attackers first mined publicly available online data to collect corporate contact information. Next, they set up phishing websites and sent spam emails to the collected addresses to lure victims there. Victims who accessed the phishing site were infected with malware, and their personal information and credentials were stolen. The attackers then logged in to the victims' email systems with the stolen credentials, read through past emails, and singled out threads containing invoices. They altered the payment details on those invoices to point to their own bank account and sent the resulting fraudulent emails to the victims' business partners. Because the attackers had studied the past correspondence carefully and the emails came from the legitimate account, recipients, particularly the victims' business contacts, were very likely to be deceived unless they were extremely cautious. Attackers may also create forwarding or inbox rules on the compromised account so that the emails used in the attack, and any replies to them, are hidden from the account holder. As a result, the account holder may not realize their account has been used as a platform for the attack until it is too late.
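The forwarding-rule trick described in the case above is easy to spot once the mailbox rules are exported and reviewed. The following is an added example of such a rule audit; it is my own code, not code from the post or from the Trend Micro report. The rule schema, the internal domain nec-example.com, the sample rules, the keyword list and the list of "hiding" folders are all assumptions constructed for the example; a real export from Microsoft 365 or Google Workspace would have to be mapped onto these field names first.

```python
"""Audit mailbox inbox rules for the hiding tricks used after an account takeover."""
from typing import Optional

INTERNAL_DOMAINS = {"nec-example.com"}   # assumption: the organisation's own domain(s)
# Words that identify payment-related mail (English and Japanese); assumption.
MONEY_KEYWORDS = ("invoice", "payment", "wire", "remittance", "bank", "請求", "振込")
# Folders an attacker picks because the account holder rarely looks there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk", "junk email",
                  "deleted items", "conversation history"}

# Constructed rules in a hypothetical, product-neutral schema (not a real export).
SAMPLE_RULES = [
    {"mailbox": "taro@nec-example.com", "name": "Newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to": "Archive"}},
    {"mailbox": "taro@nec-example.com", "name": ".",          # one-character name
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["collector@webmail-free.example"],
                 "move_to": "RSS Feeds", "mark_read": True}},
    {"mailbox": "hanako@nec-example.com", "name": "Copy to assistant",
     "conditions": {},
     "actions": {"forward_to": ["assistant@nec-example.com"]}},
    {"mailbox": "hanako@nec-example.com", "name": "Cleanup",
     "conditions": {"subject_contains": ["請求書"]},
     "actions": {"delete": True}},
]


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def audit_rule(rule: dict) -> Optional[dict]:
    """Return a finding dict for a suspicious rule, or None if the rule looks benign."""
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    reasons = []

    external = [a for a in actions.get("forward_to", []) if _domain(a) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))

    condition_text = " ".join(v for values in conditions.values() for v in values).lower()
    money = any(k in condition_text for k in MONEY_KEYWORDS)
    if money:
        reasons.append("matches payment-related mail")

    hides = bool(actions.get("delete")) or (actions.get("move_to") or "").lower() in HIDING_FOLDERS
    if hides:
        reasons.append("deletes matching mail or moves it to a rarely viewed folder")
    marks_read = bool(actions.get("mark_read"))
    if marks_read:
        reasons.append("marks matching mail as read so no unread count appears")

    blank_name = not (rule.get("name") or "").strip(" .-_")
    if blank_name:
        reasons.append("rule name is blank or a single punctuation character")

    if external and (hides or money):
        severity = "high"      # classic BEC setup: invoices leak out and disappear
    elif external or (money and hides):
        severity = "medium"
    elif hides or marks_read or blank_name:
        severity = "low"
    else:
        return None
    return {"mailbox": rule["mailbox"], "rule": rule.get("name", ""),
            "severity": severity, "reasons": reasons}


def audit_rules(rules) -> list:
    """Findings for all rules, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (audit_rule(r) for r in rules) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f["severity"].upper(), f["mailbox"], repr(f["rule"]), "; ".join(f["reasons"]))
```

Run against the constructed rules, the one-character rule that forwards invoices to an outside address and parks them in "RSS Feeds" is reported as high, the rule that silently deletes 請求書 mail as medium, and the internal copy-to-assistant rule is not reported at all. An external forward is not always malicious, so the check should be run periodically and any new external forward confirmed with the account holder out of band.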
Cases of Deepfakes
In addition to the case above, the IPA has published several case studies of typical business email compromise [5], so please refer to those as well. Here, let us look at cases that used voice and video generated with deepfake technology.
Cases of AI-generated Deepfake Audio
First, although this is not strictly business email compromise because it was carried out by telephone rather than email, here is a case from March 2019 in which a UK energy company was attacked using AI-generated deepfake audio [7].
The attacker used voice-generating AI software to impersonate the CEO of the company's German parent and demanded that the UK company's CEO make an urgent payment to a Hungarian supplier. The synthesized voice sounded natural and convincing, and the UK CEO, suspecting nothing, transferred 220,000 euros (approximately 26 million yen at the time) to an account the attacker had presented as the Hungarian supplier's. This incident is reported to be the first known case of fraud using AI-generated deepfake audio [8].
Cases of Deepfakes in Video Conferencing
The next case was announced by the Hong Kong Police in February 2024. An accounting employee at the Hong Kong office of a multinational company was deceived by someone posing as the company's chief financial officer (CFO) during a video conference and transferred a total of 200 million Hong Kong dollars (approximately 3.8 billion yen) to a fraud group [9].
The attacker first sent an email to the victim in the finance department, posing as the CFO and claiming that a confidential transaction had to be carried out. The victim initially suspected the email was a scam, but the attacker went further and invited them to a video conference. When the victim joined the call, they saw colleagues they recognized, which dispelled their suspicion; they accepted the CFO's instructions as genuine and agreed to transfer the 200 million Hong Kong dollars. In fact, every other participant in the video conference was a fake created with deepfake technology from video and photos of the real individuals. The victim discovered that the CFO had been impersonated only when they later checked with the company's headquarters.
In this case, deepfake video in a video conference was used to make an otherwise ordinary business email scam far more convincing. As AI technology advances, techniques that make fraudulent emails more convincing are multiplying, and detecting suspicious emails may become even harder in the future.
Measures against Business Email Compromise
As the cases above show, business email compromise is becoming more elaborate. What measures help avoid being scammed? The following countermeasures are adapted from the IC3 website [10].
- Do not use free web-based email accounts for business. Instead, obtain a domain name for your company and use it.
- Avoid posting information such as job titles, organizational hierarchy, or times when you will be away from the office on social media or company websites.
- Be suspicious of requests for confidential information or for immediate action, as these may be signs of business email compromise.
- Consider adding security systems and procedures to existing financial processes, including a two-step verification process, for example:
  - Confirm important payment-related procedures through a communication channel other than email, such as the telephone, and do so as early as possible so that an attacker has no opportunity to intercept the confirmation.
  - Use digital signatures on both sides for email related to transactions.
- If you receive a suspicious email, report it to the appropriate department within your organization.
- Do not open attachments or follow URLs in suspicious emails, as they may deliver malware.
- When replying to an email, use "Forward" instead of "Reply" and enter the correct email address yourself.
- Consider implementing two-factor authentication for corporate email accounts.
  - Two-factor authentication combines something only the user knows (such as a password) with something only the user has (such as a token).
- If the email address used for business communication changes (for example, a request to contact a personal email address), additionally confirm the sender's identity by telephone or another channel besides email.
- Create intrusion detection system rules that flag email addresses containing characters similar to those in the company's email address.
  - (e.g.) If an email arrives from a domain such as abc-company.com, which resembles the legitimate abc_company.com, flag it as unauthorized.
- Register domains that differ only slightly from the actual company domain, and add such variants to email filters.
- Require dual approval, for example signatures from two or more people in the organization, whenever payment details change.
- When confirming the other party's identity by telephone, use a previously known phone number rather than the number in the email signature.
- Be alert to changes in the other party's usual practices, such as delays in transaction payments and the reasons given for them, or unusual payment amounts.
- Carefully review every email request to change a payment destination and determine whether the request is legitimate.
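The IC3 advice to flag addresses that resemble the company's own, together with the look-alike-domain and free-webmail methods described under "Methods of Business Email Compromise", can be implemented as a sender-domain check at the mail gateway or in a SIEM. The following is an added example of my own, not code from the post or from the IC3; the trusted domains nec-example.com and partner-corp.co.jp, the free-webmail list, the confusable-character table and the sample From: headers are all constructed assumptions. It goes a little beyond the abc-company.com / abc_company.com case in the list by also catching homoglyphs (digit 1 for l, Cyrillic letters, internationalised labels), top-level-domain swaps and transposed letters, and by taking the domain from the real address rather than from a display name that merely looks like one.

```python
"""Flag sender domains that imitate the organisation's own or its partners' domains."""
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = {"nec-example.com", "partner-corp.co.jp"}          # assumption
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "yahoo.co.jp", "hotmail.com"}

# Substitutions attackers use because the result looks the same at a glance.
CONFUSABLES = {
    "rn": "m", "vv": "w",                                          # digraphs first
    "0": "o", "1": "l", "3": "e", "5": "s",                        # digits
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",    # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",    # Cyrillic c x y i
}


def normalize(domain: str) -> str:
    """Canonical form in which look-alike spellings of a domain compare equal."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:                        # decode internationalised (punycode) labels
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKD", d)   # full-width letters -> ASCII, split off accents
    d = "".join(c for c in d if not unicodedata.combining(c))
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, imitated_trusted_domain_or_None)."""
    raw = domain.strip().lower().rstrip(".")
    norm = normalize(domain)
    for t in sorted(trusted):
        if raw == t or raw.endswith("." + t):
            return "trusted", t
    if raw in FREE_WEBMAIL:
        return "free-webmail", None
    for t in sorted(trusted):
        tn = normalize(t)
        if norm == tn or norm.endswith("." + tn):
            return "homoglyph", t
        if norm.split(".")[0] == tn.split(".")[0]:       # same brand label, other suffix
            return "tld-swap", t
        if osa_distance(norm, tn) <= max_distance:
            return "typosquat", t
    return "unrelated", None


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header; the display name is ignored."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2]


def scan(from_headers):
    """Classify a batch of From: header values -> [(header, verdict, imitated)]."""
    return [(h, *classify(sender_domain(h))) for h in from_headers]


# Constructed sample headers, not real messages.
SAMPLE_FROM = [
    '"Sato Taro" <taro@nec-example.com>',
    '"Sato Taro" <taro@nec-examp1e.com>',                        # digit 1 for letter l
    '"taro@nec-example.com" <billing@nec-exmaple.com>',          # real address only in display name
    '"Accounts" <ap@partner-corp.com>',                          # .co.jp partner, now .com
    '"Accounts" <ap@nec-exampl\u0435.com>',                      # Cyrillic e
    '"CEO" <ceo.nec@gmail.com>',
]

if __name__ == "__main__":
    for header, verdict, imitated in scan(SAMPLE_FROM):
        print(f"{verdict:13} {imitated or '-':22} {header}")
```

Anything other than "trusted" deserves a warning banner or a quarantine decision, and "free-webmail" is deliberately reported separately because a personal address is exactly what the "contact me at my personal email" pretext relies on. The max_distance of 2 is reasonable for domains of this length but will produce false positives for very short domains, so tune it per trusted entry, and remember that a hijacked legitimate account is classified "trusted" here: this check complements, rather than replaces, the out-of-band confirmation of payment changes.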
In summary, the key points are: do not give attackers unnecessary information; make sure everyone knows how to recognize suspicious emails; and implement technical countermeasures and rules such as double-checking, and enforce them strictly. These points are worth keeping in mind when developing countermeasures against business email compromise.
For more information on how to identify suspicious emails, refer to the "Business Email Compromise (BEC) Characteristics and Countermeasures Report" published by the IPA [11].
As introduced above, new methods that use channels other than email (such as audio and video) are emerging, as are methods that use natural-sounding text, audio, and video generated by AI. Anyone involved in transferring money should keep up with the latest cases and take sufficient precautions to avoid becoming a victim.
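The double-checking rules in the list above (out-of-band confirmation on a previously known number, approval by two people, caution when the sender's domain changes) are more reliable when the workflow that records a vendor bank-account change enforces them than when they are left to memory under time pressure. Here is an added example of such a check; it is my own code, not from the post or the IC3. The vendor master record, the vendor id V-1001, the phone number, the two-approver threshold and the sample requests are constructed assumptions.

```python
"""Gate a vendor bank-account change behind the BEC controls: known-number callback,
sender-domain match against the vendor master, and two independent approvers."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed vendor master. Assumption: this record, not the requesting e-mail,
# is the only trustworthy source of the partner's phone number and e-mail domain.
VENDOR_MASTER: Dict[str, dict] = {
    "V-1001": {"name": "Partner Corp", "email_domain": "partner-corp.co.jp",
               "phone": "+81-3-0000-0000", "account": "JP-BANK-0001"},
}


@dataclass
class AccountChangeRequest:
    vendor_id: str
    new_account: str
    sender_address: str                      # From: address of the request e-mail
    requested_by: str                        # employee who entered the change
    callback_number: Optional[str] = None    # number finance actually dialled
    callback_confirmed: bool = False         # vendor confirmed the change on that call
    approvers: List[str] = field(default_factory=list)


def evaluate(req: AccountChangeRequest, master=VENDOR_MASTER,
             min_approvers: int = 2) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Each failed control adds a reason; allowed only if none."""
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return False, ["unknown vendor id"]
    reasons = []

    # Control 1: the request must come from the domain on file, not a look-alike
    # or a "please use my personal address from now on" mailbox.
    domain = req.sender_address.rpartition("@")[2].lower()
    if domain != vendor["email_domain"]:
        reasons.append(f"request sent from {domain}; vendor master has {vendor['email_domain']}")

    # Control 2: out-of-band confirmation, and the number dialled must be the one
    # on file. A number quoted in the e-mail signature is under the attacker's control.
    if not req.callback_confirmed:
        reasons.append("no out-of-band confirmation recorded")
    elif req.callback_number != vendor["phone"]:
        reasons.append(f"callback dialled {req.callback_number}, not the number on file")

    # Control 3: dual approval by people other than the requester.
    independent = {a for a in req.approvers if a != req.requested_by}
    if len(independent) < min_approvers:
        reasons.append(f"{len(independent)} independent approver(s); {min_approvers} required")

    return not reasons, reasons


# Constructed requests: one clean, one where finance called the number in the
# e-mail, one from a look-alike domain, one self-approved by the requester.
SAMPLE_REQUESTS = [
    AccountChangeRequest("V-1001", "JP-BANK-0002", "ap@partner-corp.co.jp", "taro",
                         "+81-3-0000-0000", True, ["hanako", "jiro"]),
    AccountChangeRequest("V-1001", "JP-BANK-9999", "ap@partner-corp.co.jp", "taro",
                         "+81-90-1111-2222", True, ["hanako", "jiro"]),
    AccountChangeRequest("V-1001", "JP-BANK-9999", "ap@partner-corp.com", "taro",
                         "+81-3-0000-0000", True, ["hanako", "jiro"]),
    AccountChangeRequest("V-1001", "JP-BANK-9999", "ap@partner-corp.co.jp", "taro",
                         "+81-3-0000-0000", True, ["taro", "hanako"]),
]


def triage(requests) -> List[Tuple[bool, List[str]]]:
    """Evaluate a batch of requests; returns the (allowed, reasons) pair for each."""
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for req, (allowed, reasons) in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print("ALLOW " if allowed else "REJECT", req.new_account, "; ".join(reasons))
```

The second sample is the one that catches people in practice: the caller did phone the vendor, but on the number printed in the fraudulent email, so the "confirmation" came from the attacker. Recording which number was dialled, and comparing it with the master record, turns that advice into a check the system can refuse to bypass.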
Summary
According to a JPCERT/CC survey on business email compromise targeting Japanese companies [12], earlier surveys found that most cases involving Japanese companies were conducted in English; recently, however, BEC written in natural Japanese has begun to appear domestically, so caution is required. Fraud that uses not only email (text) but also AI-generated audio and video has also emerged: in April 2024, LastPass reported an attempted fraud in which an employee received deepfake audio messages impersonating the CEO via the messaging app WhatsApp [13]. It is important to stay up to date on the latest cases and remain vigilant in order to identify suspicious activity.
References
- [1] Internet Crime Report 2023, Internet Crime Complaint Center (IC3)
https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
- [2] 10 Major Security Threats 2024 (情報セキュリティ10大脅威 2024), Information-technology Promotion Agency, Japan (IPA)
https://www.ipa.go.jp/security/10threats/10threats2024.html
- [3] Average domestic loss over 50 million yen: the reality of BEC (business email compromise) damage at Japanese companies and the countermeasures now required (国内の平均被害額5,000万円以上-BEC(ビジネスメール詐欺)被害の日本企業における実態と今求められる対策とは?), Trend Micro (JP)
https://www.trendmicro.com/ja_jp/jp-security/23/l/expertview-20231204-01.html
- [4] Patterns of business email compromise (ビジネスメール詐欺のパターンとは), Information-technology Promotion Agency, Japan (IPA)
https://www.ipa.go.jp/security/bec/bec_pattern.html
- [5] Case studies of business email compromise (ビジネスメール詐欺の事例集を見る), Information-technology Promotion Agency, Japan (IPA)
https://www.ipa.go.jp/security/bec/bec_cases.html
- [6] Interpol, Nigeria's EFCC and Trend Micro cooperate in the arrest of a Nigerian BEC group (ナイジェリアのBECグループ逮捕でインターポール、ナイジェリアEFCC、トレンドマイクロが連携), Trend Micro (JP)
https://www.trendmicro.com/ja_jp/research/22/f/trend-micro-partners-with-interpol-and-nigeria-efcc-for-operation.html
- [7] Unusual CEO Fraud via Deepfake Audio Steals US$243,000 From UK Company, Trend Micro (US)
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/unusual-ceo-fraud-via-deepfake-audio-steals-us-243-000-from-u-k-company
- [8] A Voice Deepfake Was Used To Scam A CEO Out Of $243,000, Forbes
https://www.forbes.com/sites/jessedamiani/2019/09/03/a-voice-deepfake-was-used-to-scam-a-ceo-out-of-243000/
- [9] Accountant sends 3.8 billion yen to fraud group; the CFO on the video call was fake, Hong Kong (会計担当が38億円を詐欺グループに送金、ビデオ会議のCFOは偽物 香港), CNN.co.jp
https://www.cnn.co.jp/world/35214839.html
- [10] Business E-mail Compromise: The 3.1 Billion Dollar Scam, Internet Crime Complaint Center (IC3)
https://www.ic3.gov/Media/Y2016/PSA160614
- [11] Business Email Compromise (BEC) Characteristics and Countermeasures Report (ビジネスメール詐欺(BEC)の特徴と対策レポート), Information-technology Promotion Agency, Japan (IPA)
https://www.ipa.go.jp/security/bec/hjuojm0000003cg1-att/000102392.pdf
- [12] Survey report on the actual state of business email compromise (ビジネスメール詐欺の実態調査報告書), JPCERT/CC
https://www.jpcert.or.jp/research/BEC-survey.html
- [13] Attempted Audio Deepfake Call Targets LastPass Employee, LastPass
https://blog.lastpass.com/posts/2024/04/attempted-audio-deepfake-call-targets-lastpass-employee
Profile
Satoshi Gunji, CISSP
Security Engineering Center, Cyber Security Intelligence Group
Satoshi Gunji primarily collects and analyzes threat information and delivers it to the people who need it. His main qualifications are CISSP and Information Security Specialist.
