New business executive email scam detected by IBM

Business email compromise scams are some of the most difficult yet lucrative targeted cons that attackers can create. According to IBM, there’s a sophisticated new one aimed at accounts payable personnel at some Fortune 500 companies that has resulted in the theft of millions of dollars.

In a blog post this week, the company’s X-Force Incident Response and Intelligence Services team said the scam uses stolen email credentials and sophisticated social engineering tactics. IBM customers, many in the retail, healthcare, financial and professional services industries, first reported signs of this latest campaign in the fall of 2017.

Business email compromise (BEC) scams involve taking over or impersonating a trusted user’s email account, then sending a message to a staffer with financial responsibilities asking them to wire money, on a phony pretext, to an attacker-controlled account.

In this case the attackers first steal or buy large numbers of business user email credentials, break into those victims’ accounts and send phishing messages to people on the contact lists. Those messages use publicly available company information to craft a believable message, which contains a link purporting to lead to a business document. People who clicked the link were redirected to a fraudulent “DocuSign” portal requesting the user to authenticate via his or her email provider to download the document.

Neither the email nor the fraudulent “DocuSign” portals contain malware that is downloaded onto the user’s machine. But with a new stash of credentials in hand, the attackers looked for victims whose companies use single-factor authentication and an email web portal. “The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts.” Then, probably after looking through a victim’s email for subjects and opportunities to exploit, the attackers inserted themselves into conversations, purporting to be someone the victim knew.

In these messages the attackers impersonate vendors or associated companies with established relations to the client and target specific people in the organizational chart to increase the believability of the scam, says IBM. The attackers also set up domains similar but not quite identical to the target company’s vendors — for example, doubling a letter of the company name in the URL or registering the vendor’s name with a different top-level domain (TLD), such as .net instead of .com. These were then used to set up email accounts purporting to belong to known employees, and emails from those accounts were sent directly to the targets.

The key is that the attackers use the victim’s email account to send the fraudulent message back to the victim (as opposed to an outside email account, which might be detected as a phony). Think of the stream of messages as a loop, coming and going from one place.

To keep a victim whose compromised email was being used unaware of what was going on, says the report, the attackers created email rules to filter the emails out of the victim’s inbox. In other instances, the attackers use a typo-changed email address in the “reply to” field so the compromised user would not receive responses. If the receiver did not scrutinize the “reply-to” field, which often requires expanding the email header, the email would appear to come from a legitimate contact.
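The two header tricks described above (a vendor lookalike domain and a typo-changed Reply-To) can be checked mechanically. The following is an added example, not code from IBM or from this article: the vendor allow-list, the sample message and all function names are constructed for illustration, and the domain comparison is simplified to the first label plus the rest of the name, so subdomains are not handled.

```python
from email import message_from_string
from email.utils import parseaddr
from itertools import groupby

# Assumption: allow-list of genuine vendor domains (constructed for this example).
KNOWN_VENDORS = {"acmesupply.com", "northwindfreight.com"}

# Constructed sample: legitimate-looking From, typo-changed Reply-To.
SAMPLE = ("From: Pat Lee <pat.lee@acmesupply.com>\n"
          "Reply-To: Pat Lee <pat.lee@acmmesupply.com>\n"
          "Subject: Updated wire instructions\n\nPlease confirm today.\n")

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def collapse(label):
    """Collapse repeated letters so 'acmmesupply' compares equal to 'acmesupply'."""
    return "".join(ch for ch, _ in groupby(label))

def lookalike_of(domain, known=KNOWN_VENDORS):
    """Return the vendor domain that `domain` imitates, or None."""
    if not domain or domain in known:
        return None
    name, _, tld = domain.partition(".")
    for real in sorted(known):
        real_name, _, real_tld = real.partition(".")
        if name == real_name and tld != real_tld:
            return real  # vendor name registered under a different TLD
        if tld == real_tld and collapse(name) == collapse(real_name):
            return real  # doubled letter in the vendor name
    return None

def check_message(raw):
    """Return warning strings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    for field, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        real = lookalike_of(dom)
        if real:
            findings.append(f"{field} domain {dom} resembles vendor {real}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

A mail gateway or triage script could attach these findings to the external-sender banner so the recipient sees them without expanding the header.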

The attackers also auto-forward email responses to a different email address so they can read the responses without logging in to the compromised account.

The final act of the scam is a message from a higher-up requesting a money transfer. The attackers in one case registered a new domain to send fake approval messages impersonating different levels of the supervisory chain, including copying email signatures of the relevant business executives. But usually in BEC scams there’s a sense of urgency to pay — for example, ‘this has to be done by end of day.’

One possible warning sign — although scammers in this con look for companies that commonly wire money internationally — is the money often has to be sent to banks in China and Hong Kong. However, money is often shifted out of the initial account to avoid tracking.

IBM offers this advice for avoiding being a victim of these scams:

  • Implement two-factor authentication (2FA) for account logins;
  • Create banners that identify emails coming from external email addresses;
  • Block the ability to auto-forward emails outside of the organization;
  • Implement strict international wire transfer policies. Employees involved in financial transactions should receive role-based training with ample information about BEC scams. Those with account access should be required to use digital certificates to validate the legitimacy of emails they receive. In addition, setting an obligatory time delay requirement for overseas transactions can reduce the ability of attackers to impart a sense of urgency and trigger the employee into hasty action.
  • Verify the vendor. If something does not seem right, an account has been changed or the wire amount is higher than typically requested, employees should call the vendor using a validated phone number. Having to obtain sign-off in person or over the phone from the employee supposedly requesting the transfer/change of account can help organizations stop a fraudulent wire before it occurs.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
