The business email compromise (BEC) cyber scam is one of the greatest threats to the network and financial security of any company. Last year, in the US alone, BEC attacks were responsible for $1.7 billion in losses.[1] This type of scam targets specific employees of a company, often in finance or the accounts payable department, with an email impersonating a senior colleague, a customer, or a vendor. The email most commonly requests a payment, includes an account number, and conveys a sense of urgency. If the recipient believes the message comes from a legitimate source, they act on the request in good faith. Of course, the account number given is the hacker’s, and the money is soon spirited away for laundering in other hard-to-trace accounts elsewhere. Sometimes, instead of money, the hacker is after information and will request that files be sent. This can happen to anyone, including real estate business mogul and celebrity Shark Tank judge Barbara Corcoran (read “Shark Tank’s Barbara Corcoran Loses Nearly $400,000 in Cybersecurity Attack”).
The three companies below are good examples of the losses that can occur in a BEC fraud. This is no make-believe; it can happen to anyone in any language or culture, from somebody in the mail room to the boardroom.
Let’s quickly examine how a Norwegian, a Japanese and a Bangladeshi company lost tens of millions. Although each case is unique, what unites them is that they all lost millions of dollars due to poor cybersecurity hygiene.
Norway: The Norfund BEC Fraud (2020)
On May 13, Olaug Svara, Chair of the Board of Directors of Norfund, released a statement on the company website detailing a serious case of cyber fraud.[2] Norfund is Norway’s investment fund for developing countries. It invests in clean energy, green infrastructure projects, scalable enterprises, and financial institutions.
In what appears to be a BEC scam, the fraudsters ‘manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified.’[3]
As a result of the deception, 100 million Kroner ($10 million) was transferred from the fund into a bank account that did not belong to the intended recipient in Cambodia. Instead, the money ended up in a Mexican bank account with the same name as the Cambodian microfinance institution that it was supposed to benefit. The actual date of the fraud was March 16, but due to the sophistication of the crime, it was not detected until April 30.
Upon discovering the fraud, the company immediately put together a crisis management team and informed the police and other relevant bodies. Norfund states that it has also engaged an external cybersecurity company, PwC, to undertake an ‘… Independent evaluation of company routines and security systems.’[4]
Japan: Nikkei’s Lost Millions (2019)
Another BEC scam, in September 2019, cost publishing conglomerate Nikkei $29 million (approximately 3.2 billion Japanese Yen). To give non-Japanese readers a sense of the size of this company: Nikkei publishes a financial newspaper with a circulation larger than that of the New York Times and the Wall Street Journal, and it also owns London’s Financial Times.
In a company statement, it was revealed that the money was transferred by an employee of Nikkei America, Inc. to an unknown recipient. The transfer had been made ‘based on fraudulent instructions by a malicious third party which purported to be a management executive of Nikkei.’[5]
In this case, the fraud was quickly discovered, and damage reports were filed with investigative authorities in the US and Hong Kong (it is quite common for hackers to divert stolen funds to Hong Kong-based accounts).[6]
Nikkei, which publishes the Nikkei 225 stock index tracking the Tokyo Stock Exchange, also stated that it was ‘investigating and verifying the details of the facts and causes of this incident,’ and that while the investigation was ongoing, it would not provide any further details.[7]
Bangladesh Central Bank Heist (2016)
The Bangladesh Central Bank was the victim of a sophisticated BEC fraud attack in February 2016. The hacker got into the bank’s SWIFT software, which is used for sending payment orders between financial institutions. The actual attack took place on February 4, when the hacker used the credentials of some Bangladesh Central Bank employees to send 35 fraudulent money transfer requests, totaling $1 billion, to the Federal Reserve Bank of New York. The destinations of the funds were bank accounts in the Philippines, Sri Lanka, and other Asian countries.[8]
The cyber theft was not discovered until the next day, when a printer in the bank printed out several queries from the Federal Reserve Bank in New York questioning several suspicious requests. As no one had been monitoring the printer overnight, these had been missed. What followed was panic as the bank tried to determine whether any money had gone through and whether it was still possible to halt any of the transactions. It turned out that 101 of the requests had already been sent: $81 million to the Rizal Bank in the Philippines, and $20 million to Pan Asia Banking. While the bank managed to get Pan Asia to cancel the $20 million, the money that had gone to the Rizal Bank had already been withdrawn to be laundered through multiple casino accounts in the Philippines.[9] The Bangladesh Bank was lucky that the hacker had made a spelling mistake on one of the requests; otherwise even more money might have been taken. One of the transfers was supposed to go to the Shalika Foundation, but the hacker had typed ‘fandation’ instead of ‘foundation.’ This immediately sparked suspicion at the Federal Reserve, which stopped any further similar transactions until the matter had been investigated.
At the time, it was not known how the bank’s SWIFT system was hacked. However, further investigations revealed that the initial access was through spear phishing. The hacker sent emails supposedly from individuals looking for work. Those emails contained attachments, possibly fake CVs, which were opened by employees. As well as a resume, the attachments also carried malware, which enabled the hacker to access the bank’s network. Once in, they were able to access the computers that used the SWIFT software and steal the credentials of the staff who operated it.[10] These stolen credentials were then used in a BEC scam against the Federal Reserve Bank, even though the victim in this case was the Bangladesh Central Bank.
Who was to blame in this case isn’t clear. The Bangladesh Bank accused the Federal Reserve Bank of not questioning the high number of suspicious transfers, while the New York Fed insists that it tried to contact Bangladesh to verify them but got no response. In addition, it was found that the Bangladesh Bank did not have firewalls protecting its network, allowing in the malware that may have compromised the system.[11]
Conclusion
Hackers are always ready to exploit an opportunity with social engineering and malware. These examples show that employees need to be regularly trained and tested in spotting phishing emails or suspicious requests, particularly if they involve the transfer of funds or sensitive information. Double-checking with the person who supposedly sent the email (but not by return email!) is the right security protocol in this situation, and executives should encourage their employees to always perform these safeguarding measures. Furthermore, as the Bangladesh Bank case shows, it is essential to have strong firewalls and anti-malware software to guard against the planting of malware. It’s a necessary investment in time and money, but millions of dollars can be wiped out in a matter of seconds. In this case, nearly $100 million vanished overnight. As only $20 million was recovered, $80 million sits in the hands of criminals.
Executives in Norway, Japan and Bangladesh must prioritize cybersecurity awareness education as risk management. There should be legislation that strengthens data privacy, data breach penalties and governance. This will not end cybercrime, but it will at least help reduce the risks involved. Measures must be put in place that compel companies to invest in cybersecurity. Cyber criminals are organized, funded, and dedicated to their craft. Companies and everyday people must be too. As with all our stories at the Saya Cybersecurity Awareness team, our goal is to reach a wider audience outside of cybersecurity. We accomplish this by way of our journals, publications, Tokyo Summits, Virtual Global Forums, E-Learning library and The Saya Awareness Show. Positively transforming behavior takes time, motivation, and incentives. We are proud to be contributing to this effort to enhance security and safety for the billions that touch the internet.
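Two of the cases above were exposed by anomalies in the payment instruction itself: in the Norfund case the beneficiary name matched but the bank and country did not, and in the Bangladesh case the beneficiary name was misspelled. The following is an added example of a pre-payment screening step that surfaces both kinds of anomaly for out-of-band verification; it is not code from any of the organisations discussed, and the beneficiary registry and instructions it checks are constructed sample data.

```python
"""Screen an outgoing payment instruction against previously verified
beneficiary records before the transfer is released. Added example;
the registry entries and account numbers below are constructed."""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Beneficiary:
    name: str
    country: str   # ISO 3166 alpha-2 of the receiving bank
    account: str


# Constructed registry of counterparties already verified by callback.
KNOWN = [
    Beneficiary("Tonle Microfinance Institution", "KH", "KH-000111"),
    Beneficiary("Shalika Foundation", "LK", "LK-000222"),
]


def _norm(s: str) -> str:
    """Case-fold and collapse whitespace so cosmetic edits don't evade matching."""
    return " ".join(s.lower().split())


def screen(name: str, country: str, account: str,
           known=KNOWN, near_match=0.85) -> list[str]:
    """Return review flags for an instruction; an empty list means it matches
    a verified record exactly. Any flag should trigger a phone callback to a
    number on file, never a reply to the requesting email."""
    flags = []
    exact = [b for b in known if _norm(b.name) == _norm(name)]
    if exact:
        b = exact[0]
        # Same name, different destination: the Norfund pattern.
        if b.country != country:
            flags.append(f"country changed: {b.country} -> {country}")
        if b.account != account:
            flags.append(f"account changed: {b.account} -> {account}")
        return flags
    # No exact name: look for a near miss such as 'Fandation' vs 'Foundation'.
    scored = [(SequenceMatcher(None, _norm(b.name), _norm(name)).ratio(), b)
              for b in known]
    ratio, best = max(scored, key=lambda t: t[0])
    if ratio >= near_match:
        flags.append(f"name is a near match for '{best.name}' ({ratio:.2f})")
    else:
        flags.append("beneficiary not in verified records")
    return flags
```

Run on an instruction, the function only reports what differs from the verified record; the decision to hold the payment and call the counterparty stays with the reviewer.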
SAYA University is the multi-lingual “Netflix of cybersecurity” that produces original e-learning programming in a variety of languages. Saya University is on a global mission to ensure every employee in the world has access to the tools that will heighten cybersecurity knowledge. When a company is serious about protecting its organization against cyber-attacks, it will invest in cybersecurity learning for all its employees. With over 7 billion people on planet Earth, we have a lot of work to do. Our multi-language e-Learning platform offers the world’s most cutting-edge knowledge in cybersecurity, data privacy and compliance, all in one place.
1. ‘2019 Internet Crime Report,’ FBI, p. 9, accessed at https://pdf.ic3.gov/2019_IC3Report.pdf
2. ‘Norfund Has Been Exposed to a Serious Case of Fraud,’ Norfund, 05/13/2020, accessed at https://www.norfund.no/norfund-has-been-exposed-to-a-serious-case-of-fraud/
3. Ibid.
4. Ibid.
5. Nikkei Press Release, 10/30/2019, accessed at https://www.nikkei.co.jp/nikkeiinfo/en/news/release_en_20191030_01.pdf
6. Jeff Stone, ‘Japanese Media Giant Nikkei Says $29 Million Lost in BEC Scam,’ Cyberscoop, 11/04/2019, accessed at https://www.cyberscoop.com/nikkei-email-scam-bec-29-million/
7. Nikkei Press Release, 10/30/2019, accessed at https://www.nikkei.co.jp/nikkeiinfo/en/news/release_en_20191030_01.pdf
8. Kim Zetter, ‘That Insane, $81M Bangladesh Bank Heist? Here’s What We Know,’ Wired, 05/17/2016, accessed at https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
9. Ibid.
10. ‘Anatomy of a Bank Heist, SWIFT-ly Done by Phishers,’ Pymnts, 09/17/2018, accessed at https://www.pymnts.com/news/security-and-risk/2018/bangladesh-bank-heist-swift-phishing-scam-fraud-doj/
11. Kim Zetter, ‘That Insane, $81M Bangladesh Bank Heist? Here’s What We Know,’ Wired, 05/17/2016, accessed at https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/