Insights from Two Retired FBI Agents: A Conversation on Business Email Compromise

In a recent conversation, retired FBI agents Scott E. Augenbaum and James Morrison, FBI Cyber (Ret), CISSP, MBA, Veteran opened up about their long careers in federal service, sharing their experiences and unique insights into the evolving landscape of the Business Email Compromise. Both agents have a combined experience of over 60 years, making their perspectives on law enforcement and cybersecurity particularly valuable.

Their Journey into Cybercrime

While their careers took them on different paths, both agents shared a deep focus on investigating cybercrime. Scott Augenbaum spent most of his 30-year career tackling the growing threat of cybercrime, particularly as the digital landscape expanded. During their conversation, Scott emphasized how cybercrime has rapidly evolved, becoming one of the most significant threats to national security.

Meanwhile, James Morrison contributed to the Bureau’s cybercrime efforts while focusing on different aspects of federal law enforcement. Both agents acknowledged that cyber threats are only becoming more sophisticated, requiring a new generation of law enforcement professionals to specialize in digital forensics and cybersecurity.

Understanding Business Email Compromise

Business Email Compromise (BEC) is a fast-growing threat in the cyber landscape, reshaping how companies approach security. While ransomware and phishing attacks often dominate headlines, BEC is quietly siphoning billions of dollars from businesses of all sizes. Through tactics like impersonation and spoofing, cybercriminals target employees in positions of power and manipulate them into approving fraudulent wire transfers or disclosing sensitive information.

One of the most alarming aspects of this scam is its simplicity. BEC attacks usually start with a compromised employee’s email account—typically someone in the finance department. This email account compromise often results from a phishing email or malware infection. The scammer then gains access to the compromised account, sending fraudulent invoices, and requests for wire transfers to fraudulent bank accounts.

What is Business Email Compromise (BEC)?

At its core, Business Email Compromise attacks are fraud schemes that exploit trusted business relationships and email communications. Here’s how these cyberattacks typically unfold:

1. Targeted Phishing Attack: A cybercriminal sends a suspicious email to someone in a position of financial authority within a company, such as a Chief Financial Officer (CFO) or cashier. The email appears legitimate, convincing the recipient to click a malicious link or download a file that installs malware on their system. This leads to an account compromise, allowing the criminal to access the target’s login credentials.
2. Email Account Takeover: Once inside the employee’s account, the scammer sends messages from the legitimate email domain. These emails might contain requests for wire transfers or requests for sensitive data. Because these emails appear to come from someone within the organization, they rarely raise alarms.
3. Fraudulent Invoices: The scammer typically sends out fake invoices, both internally and to external partners or vendors. These invoices often involve small sums—typically between $5,000 and $10,000—so they don’t trigger suspicion. However, some cases involve much larger sums, as businesses have paid millions to fraudulent bank accounts because they failed to recognize the scam.

Manipulation and Exploitation:

Cybercriminals are skilled at creating a sense of urgency in their communications. For example, an email might claim that an error was made in a previous invoice and that an immediate wire transfer is required to correct the mistake. This urgency often results in employees rushing to fulfill the request without proper verification, especially in high-pressure environments like the finance department.

The Underreported Nature of BEC

One of the most troubling aspects of BEC scams is its under-reporting. Despite the billions lost to email threats, many incidents go unreported due to fear of reputational damage or the belief that the losses are too small to warrant investigation. Additionally, some businesses may recover their losses through insurance or absorb them as operational costs, further contributing to the lack of reported incidents.

Experts believe that the true financial impact of BEC is vastly underrepresented. For instance, the FBI’s Internet Crime Complaint Center (IC3) provides statistics on BEC-related losses, but these numbers only scratch the surface. Estimates suggest that the actual scope of data theft and financial fraud linked to BEC could be 10 to 40 times higher than reported.

A Real-Life Example of Business Email Compromise

In a recent case, Scott tells a story about a billion-dollar company that fell victim to an invoice scheme despite having strong internal security measures. Unfortunately, while the company had protected its systems, one of its vendors had not.

The company’s finance department received an email from a vendor for a $3.5 million invoice. Just minutes later, another email arrived from the same vendor, claiming a mistake had been made on the invoice and requesting a new payment with a 10% discount. The accounts payable team processed the payment, assuming it was legitimate.

The company had a separation of duties, meaning that multiple people had to sign off on the payment. However, no one checked the bank account information to ensure the funds were being sent to the correct account. As a result, the money was sent to an account in the United Arab Emirates, instead of to the vendor’s actual account in Boston.

When the fraud was discovered, most of the money had been moved through various countries, including Romania and Nigeria. Though $600,000 was recovered, the company still suffered a loss of $2.9 million.

Where Things Go Wrong

Preventing business email compromise attacks involves addressing vulnerabilities that often go overlooked. In this case, the company had strong internal security practices but failed to consider the vendor’s cybersecurity weaknesses. This underscores the importance of ensuring secure email practices extend beyond internal systems to include partners and vendors.

Additionally, although the company had a separation of duties in its payment process, it did not verify the account information before processing the wire transfer. This highlights the importance of regularly reviewing and enhancing incident response protocols and security awareness training, ensuring employees are prepared to identify and respond to email threats.

How Businesses Can Protect Themselves

To prevent future attacks and reduce the risk of financial transactions being hijacked by BEC emails, businesses need a proactive, multi-layered approach to email security. Here are some critical measures:

1. Employee Training: Ensure that all employees, especially those in financial positions, are trained to recognize phishing scam attempts and other forms of social engineering. Regular training and simulated phishing tests can help employees stay vigilant.
2. Multi-Factor Authentication: Implement MFA for your company and encourage or require vendors to use it. This extra layer of security can prevent unauthorized access to email accounts.
3. Verify Payment Details: Establish a protocol for verifying the authenticity of payment requests, especially those involving significant sums of money. This might include a second form of verification, such as a phone call to the vendor to confirm the request.
4. Check for Changes in Banking Information: Any request to change banking details should be treated with suspicion and verified through an independent channel before any payments are made.
5. Report All Incidents: Even if losses are covered by insurance or seem insignificant, reporting all BEC to the appropriate authorities is essential. This can help track trends and potentially prevent further attacks.

Conclusion

Business Email Compromise is a pervasive and growing threat, causing significant financial damage to companies of all sizes. Through tactics like impersonation, spear phishing, and social engineering techniques, hackers can exploit trust, urgency, and weak verification protocols to execute their attacks.

Businesses must enhance their email security, implement stringent verification processes for financial transactions, and collaborate with vendors to ensure everyone is aligned on protecting sensitive data.

With the right combination of security awareness, technology, and conformance to best practices, companies can significantly reduce their risk of falling victim to BEC attacks and safeguard their assets from the ever-evolving threat of cybercrime.

Watch the full interview here.