New Variant of BEC Seeks to Divert Payroll Deposits
Payroll Diversion Scams Attempt to Steal Employee Pay
Business Email Compromise (BEC) is a category of spear-phishing aimed at diverting corporate funds into criminal bank accounts. The archetypal attack is an email purporting to come from the CEO or CFO, asking the finance department to urgently transfer a specific sum to a bank account the attacker controls. The social engineering lies in the pretext: the email is crafted so that the target transfers the money quickly and without questioning it.
BEC has been hugely profitable for the criminals. It combines relatively little effort with high rewards and minimal risk. In July 2018, a report from the FBI’s Internet Crime Complaint Center (IC3) estimated that global losses already exceeded $12.5 billion, with most of the stolen money being transferred to banks in China.
Now the Agari Cyber Intelligence Division (ACID) has detected a new trend in BEC. In a report published today, it describes a move towards inserting attacker-controlled bank accounts into company payroll records in order to siphon off smaller, but recurring, amounts of money.
“Assuming the identity of the CEO seems to be the preferred tactic for the threat actors,” writes ACID, “but there is no reason that this type of attack cannot utilize the identity and role of any employee within a company.” There is a trade-off here: impersonating a senior official at the target organization yields the largest single payout, but the fraud is likely to be discovered and remedied quickly. Impersonating a junior employee will also be discovered, after a single, smaller payment; but if it is possible to ‘invent’ an employee, that income could continue for some time.
The primary target for this type of scam is HR, since HR often handles payroll and benefits. The attacker assumes the identity of an employee and asks for his or her pay to be sent to a new bank account.
In an example cited in the report, the email body simply says, “I have recently changed banks and like to have my direct deposit changed to my new account.” So far, this is a typical scam email: it has a plausible pretext; it has urgency built in (the change must be made before the next payroll run); and it has an element of fear (fear of upsetting the employee and generating extra work if the pay goes to the wrong bank).
From here on, however, the scam diverges from traditional BEC and one-off phishing emails: the attacker needs to engage in a conversation with HR. In this instance, HR wrote back asking for further information: “…please submit a voided check or something on bank letterhead showing routing and account number.”
Part of the scam is to persuade HR that the attacker legitimately cannot supply what was requested at this time. Here, the attacker’s reply carried the standard ‘Sent from my iPhone’ signature, a plausible reason to have no paperwork to hand. He writes back, “I don’t have any of that in my possession right now unless I request for one from the bank, should I send my new direct info and you can effect the change.”
In this instance, HR fell for it, and wrote back, “Yes please send it to me and I will get it taken care of.”
“By avoiding third-party systems and asking for help from the human resources employee, the threat actor can control the entire situation and successfully divert pay into the fake account they own,” writes ACID. “Depending on how the real employee checks their bank account, this scheme can continue for weeks, or even months, before the attack is caught.”
The key to all forms of BEC is believability. The scam email must appear to come from the right source and reach the right person. “These criminal gangs,” says the report, “have invested a great deal of resources into researching and establishing organizational hierarchies.” This means knowing staff positions and email addresses, and most of this information is readily available from social media or from previously stolen personal data traded on underground forums.
IBM published details in February 2018 of a phishing campaign targeting a company’s internal and external contacts and redirecting the victims to fraudulent DocuSign portals. From there the attackers stole genuine single-factor credentials that could then be used to deliver the BEC attack. The campaign “specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts,” noted IBM.
ACID’s advice to HR, or to any department that handles payroll, is not to take an email as gospel. “We recommend ensuring an element of human contact is established before completion of the request.” So, for example, if a request to change bank details arrives by email, call the employee back on the phone number already on file (not one supplied in the message) and confirm the request before acting on it.
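The two points above, that a BEC email must look as though it comes from the right source and that any pay-redirection request needs out-of-band confirmation, can be turned into a simple mailbox triage rule. The following is an added example written for this page; it is not code from Agari or from the report. The company domain (example.com), the employee directory and the three messages are all constructed for the example, and the constructed scam message borrows the wording quoted in the article.

```python
"""Triage of payroll direct-deposit change requests (added example).

Illustrative code written for this page, not Agari's detection logic.
The company domain, the employee directory and the messages below are
all constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed company mail domain
DIRECTORY = {                           # constructed: display name -> on-file address
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}
# Phrases typical of the request the article describes.
PAYROLL_RE = re.compile(
    r"direct deposit|changed banks|routing (?:number|and account)|new account",
    re.IGNORECASE,
)
# The "I can't send a voided check right now" excuse seen in the exchange.
EXCUSE_RE = re.compile(r"don['’]?t have .* (?:in my possession|right now)", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Classify one plain-text RFC 822 message.

    Every payroll change request gets action 'verify_out_of_band' (call the
    employee on the number already on file); the header checks only decide
    how loudly the request is flagged.
    """
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    if not PAYROLL_RE.search(body):
        return {"payroll_request": False, "action": "none", "findings": []}

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    if _domain(from_addr) != COMPANY_DOMAIN:
        findings.append("sender domain is external: " + _domain(from_addr))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("Reply-To domain differs from From domain")
    on_file = DIRECTORY.get(from_name.strip().lower())
    if on_file and on_file != from_addr.lower():
        findings.append("display name matches an employee but address is not the one on file")
    if EXCUSE_RE.search(body):
        findings.append("pre-emptive excuse for not supplying bank documentation")

    return {
        "payroll_request": True,
        "action": "verify_out_of_band",
        "risk": "high" if findings else "low",
        "findings": findings,
    }


# Constructed sample messages (not real mail).
SCAM_MESSAGE = (
    "From: Jane Doe <jane.doe.88@webmail.example>\n"
    "Reply-To: payroll.update@other-mail.example\n"
    "To: hr@example.com\n"
    "Subject: Direct deposit\n"
    "\n"
    "I have recently changed banks and like to have my direct deposit\n"
    "changed to my new account. I don't have a voided check in my possession\n"
    "right now, should I send my new direct info and you can effect the change.\n"
    "\n"
    "Sent from my iPhone\n"
)
LEGIT_MESSAGE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: hr@example.com\n"
    "Subject: Direct deposit\n"
    "\n"
    "I have recently changed banks and would like to update my direct deposit.\n"
    "I will drop a voided check by your desk tomorrow morning.\n"
)
UNRELATED_MESSAGE = (
    "From: Sam Lee <sam.lee@example.com>\n"
    "To: hr@example.com\n"
    "Subject: Lunch\n"
    "\n"
    "Anyone up for lunch on Friday?\n"
)

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MESSAGE), ("legit", LEGIT_MESSAGE),
                       ("unrelated", UNRELATED_MESSAGE)):
        print(label, triage(raw))
```

Note that the legitimate-looking internal message still comes back with action `verify_out_of_band`: a clean sender domain only lowers the risk score, because the IBM campaign described above shows that criminals can obtain genuine credentials and send from the real mailbox. The header checks decide how urgently to escalate; the callback to the number on file is what actually stops the diversion.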