Business Email Compromise Moving to Mobile

While traditional Business Email Compromise (BEC) is still going strong (Google and Facebook together were scammed out of over $100 million), attackers are never content to stand still, so they have added a mobile variant of BEC to the mix.

The scam starts with the attacker sending an email from a lookalike domain (one that differs from the real partner's domain by a character or two) asking for the mark's cell phone number so that a transaction can be completed.

If the mark sends it, the attacker knows that the mark is engaged and willing to act.

The attacker now switches to a burner phone or a free anonymous VoIP service and continues the conversation by text or voice. A text message or call shows only a phone number, with no domain name to scrutinize, so the attacker no longer has to worry that the mark will notice the email came from the wrong domain. The free VoIP services supply a U.S. phone number, voice mail and other conveniences that make the rest of the attack look routine.

The attacker can now ask the mark to wire money, buy gift cards or use whatever funding mechanism the scam calls for. Gift cards work better over text than over email because the attacker can ask the mark to photograph the numbers on the cards instead of typing them in, which lowers the friction for the victim and speeds up the cash-out.

Once the attacker has the codes, he or she converts them into Bitcoin on one of several online marketplaces such as Paxful, then exchanges the Bitcoin, trades it with other criminals or converts it back to fiat money. Because the victim was never party to the Bitcoin transaction, there is no record on the victim's side for investigators to follow, and the money becomes difficult if not impossible for the authorities to trace.
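The opening move, a first-contact email from a lookalike domain that asks for a cell number, is the one point in this scam where mail filtering still has something to look at; once the conversation moves to SMS there is no domain left to check. The following is an added example, not code from the original alert or from Bleeping Computer, of a lookalike-domain check that a mail gateway or SOC script could run on inbound messages. It folds homoglyphs and common character substitutions, measures edit distance against a list of trusted partner domains, catches the trusted name embedded in a longer domain, and raises the severity when the body also asks for a mobile number. The trusted domains, the sample messages, the confusable table and the distance threshold are constructed assumptions for the example.

```python
import re
import unicodedata

# Constructed for this example: domains this organization legitimately
# exchanges mail with. In practice this comes from a vendor/partner list.
TRUSTED_DOMAINS = ("example.com", "acme-supply.com")

# Cyrillic letters that render identically to Latin ones. NFKD does not fold
# these, so they are mapped explicitly; accented Latin letters are handled by NFKD.
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy")
# Multi-character and digit look-alikes commonly used in typo-squat domains (assumed list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))

EMAIL_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.\-\u0080-\uffff]+)")
# A request for a cell/mobile number within a few words, as in the scam's opener.
PHONE_REQUEST_RE = re.compile(r"\b(cell|mobile)\b.{0,40}\b(number|phone)\b", re.I | re.S)


def normalize_domain(domain):
    """Fold a domain to the form a human eye would read it as."""
    d = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    d = domain.lower().rstrip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted"                      # the real domain or a subdomain of it
    nd = normalize_domain(d)
    for t in trusted:
        nt = normalize_domain(t)
        if nd == nt or nd.endswith("." + nt):
            return "lookalike"                    # differs only by homoglyphs/confusables
        if levenshtein(nd, nt) <= 2:
            return "lookalike"                    # typo-squat: example.co, acmesupply.com
        sld = nt.split(".")[0]
        if sld in nd.split(".") or sld in re.split(r"[.\-]", nd):
            return "lookalike"                    # trusted name embedded: example-invoices.com
    return "unknown"


def triage_message(from_header, body):
    """Score one inbound message on the two hallmarks of the mobile-BEC opener."""
    m = EMAIL_DOMAIN_RE.search(from_header)
    domain = m.group(1) if m else ""
    verdict = classify_domain(domain) if domain else "unknown"
    asks_for_phone = bool(PHONE_REQUEST_RE.search(body))
    if verdict == "trusted":
        action = "allow"
    elif verdict == "lookalike":
        action = "block_and_alert" if asks_for_phone else "flag_for_review"
    else:
        action = "flag_for_review" if asks_for_phone else "allow"
    return {"domain": domain, "domain_verdict": verdict,
            "asks_for_phone": asks_for_phone, "action": action}


# Constructed sample messages (From header, body) for the example.
SAMPLE_MESSAGES = [
    ("Accounts Payable <ap@exarnple.com>",
     "Hi, to finish today's wire please send me your cell phone number."),
    ("Jane Doe <jane@mail.example.com>", "Attached is the signed PO."),
    ("Billing <billing@acme-supply.co.uk>", "Updated remittance details attached."),
    ("Recruiter <r@gmail.com>", "What's the best mobile number to reach you?"),
]

if __name__ == "__main__":
    for frm, body in SAMPLE_MESSAGES:
        print(f"{frm:40} -> {triage_message(frm, body)['action']}")
```

The distance threshold and the embedded-name check are heuristics: a short trusted name such as a three-letter company will collide with unrelated domains, and a lookalike registered under a completely different name (say, the vendor's name misspelled beyond two edits) will slip through. Treat the output as a triage signal for the mail team, not as a substitute for the out-of-band verification the rest of this alert recommends.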

The “fix” here is to train employees that BEC attempts can arrive by SMS text message and phone call, and that those messages must be treated just like any other phishing attempt.

If they get a message like this, they need to contact the originator to confirm the request, but, most importantly, they need to do it out of band: at a phone number or email address already on file, never at one the attacker supplies. The attacker will typically insist that the mark use “this email or phone number and nothing else,” which is itself a warning sign.

We are aware of a number of thwarted attacks where the mark immediately contacted the supposed originator using a method of the mark’s own choosing, only to discover that the supposed sender never sent the request. Victory snatched from the jaws … of a hacker.

One other thing.  We have seen several cases where the target company has cyber insurance but when they make a claim, the insurance company says that they have no coverage even though they have been faithfully paying the premiums.  This is because the insurance agent who sold the insurance was not an expert at this very special type of insurance and did not understand the landmines involved.  We can help either by reviewing your existing policy or referring you to a QUALIFIED insurance broker.

If, on the other hand, you do fall victim to a BEC wire fraud scam specifically, contact the Secret Service INSTANTLY. Delay is your enemy; even a few hours hurts. When notified quickly, they can often recover the funds. If you need help working with the Secret Service, we can help.

Source: Bleeping Computer