With apologies to Led Zeppelin fans: The (BEC) Song (Still) Remains the Same

Almost three months have passed since I last updated you on the Business Email Compromise scam, also known as the CEO Fraud scam. Though the volume of these attacks remains high, the information security community has continued to collaborate well regarding this type of fraud, preempting the transfer of millions of dollars and identifying numerous mules in control of bank accounts around the world.

Just last week, yet another phisher tried to phish PhishMe. Our CTO, Aaron Higbee, reported on early attempts in September 2015 when he also described the use of PhishMe Reporter to phish-back and collect details of the phisher’s IP address and user-agent.

Since that time, we have seen repeated attempts against our CFO, Sam Hahn, where he receives messages impersonating our CEO, Rohyt Belani. These messages seek to engage Sam in an exchange regarding an urgent request to make a wire transfer.  Of course, such wires would be fraudulent, but, amazingly, the phish-back technique almost always works.  It has resulted in the identification of as many as five mule accounts at five different banks for one potential transaction.

The Song

With this latest attempt against PhishMe, the phisher has apparently used social media and/or search engine results to identify the name and email address of a staff accountant who reports to Sam Hahn, bypassing Sam’s renowned phish-spotting skills.  But the phisher’s email message landed with another trained reporter at PhishMe, who submitted the message as Suspicious, using the PhishMe Reporter button.  The report fed into our internal PhishMe Triage where we could quickly see that the accountant has a high Reputation Score, indicating that she is good at spotting truly-suspicious messages.  We knew that we should have a look right away at her report, shown in Figure 1 below.  The subject line of the message was the accountant’s first name, and the salutation included her first name.

Figure 1  Initial message from BEC phisher

Then our incident response plan kicked in, and we asked the accountant to reply with an offer to help.  As seen in Figure 2 below, the phisher responded right away with his plea for money to cover a secret international acquisition.  (Ah!  The Intrigue!)

Figure 2  BEC phisher makes plea for a wire transfer

In her response to that second message, our astute accountant indicated that she would need someone else to sign off on the wire transfer, “since it is an international wire.”  She actually copied our incident response team, which later provided a wire “confirmation link” to the phisher.  Figure 3 below shows the third message from the phisher, where he sent wire instructions to the accountant.

Figure 3  The BEC phisher sends wire transfer instructions

Once the mule account was revealed, it was reported to the bank, and our accountant’s associate sent a “confirmation link” that, when clicked by the phisher, revealed the phisher’s physical location.  From the phisher’s point of view, the link re-directed to the login page for the bank hosting the mule account.

The phisher must have been convinced that the wire transfer had been made because the next morning, twenty hours after the initial request, he came back for more.  In Figure 4 below, you can see where he hit up our accountant’s associate (really, our incident response team member) for a double dip.

Figure 4  The BEC phisher returns the next day to request more money

The final part of that thread included instructions for a $165,590 wire, details of an account at a second bank, and a request for a confirmation.

The Investigation

Beyond reporting this to the U.S. government’s Internet Crime Complaint Center at www.ic3.gov, our researchers wanted to dig deeper and document this phisher’s other activity.  It turns out that the lookalike domain name phislhme.com was registered at 1&1 Internet SE on December 15th, the same day as the first spam message to PhishMe, using the email address garyrabine@rabinagroup.com.  When we initially looked into whether that same email address had been used to register other domain names, we found 69 other domain names, all registered within the previous week and all seeming to be misspellings of domain names in use by real companies.

We took the list of domain names and guessed at which real company each domain was meant to imitate.  We then notified the administrative contacts of record for those legitimate domain names.  Though there was a handful of bounced messages, four companies replied with appreciation, and, so far, one has responded that their company had also received a BEC phishing email.

We checked back again this week to see how many domain names have been registered with 1&1 by this threat actor, and now there is a total of 156 domains.  We notified 1&1 on December 19th and requested that all the names be de-activated.  (see list at this link)


Though the song remains the same, phishers are constantly evolving their tactics to lead to more success.  In this recent attack, the phisher did not use the word “urgent” or “wire” in the subject line of the email message.  He also opted not to try for the CFO again; he likely found our accountant’s name and email address online and contacted her instead, possibly in hopes that she would feel a sense of urgency to which our CFO has become inured.  Then, when we saw the plea for money, we knew a bit more about why the phisher may have opted to avoid our CFO—it was a secret deal that only the “CEO” could know about.

We also want you to understand that this does not just affect large companies.  Because this scam has been going on for years, some of the larger targets have already been hit, and some have learned very hard lessons.  And with over 150 companies of all sizes spoofed by this one phisher and almost a full day between the two wire requests we received, we think this phisher is very busy.

PhishMe also wants everyone to understand how simple but effective these scams can be.  Learn how to spot them, and make sure your employees are great reporters.  Your staff needs to know that raising a red flag to the appropriate team can make all the difference in the world to your company, preventing the loss of hundreds of thousands of dollars and helping us stamp out this fraud.

The (BEC) Song Remains the Same

I had a dream, a crazy dream, that we stopped responding to ridiculous email messages demanding that a wire be sent immediately.  Also in that dream, all the bad guys were caught and had to pay restitution and go to jail.

While that second part may never happen, there has been definite progress toward the dream goal and there are definite steps to take to ensure that you – and others in your company – do not fall victim to a BEC email.

Coordinated by the National Cyber-Forensics & Training Alliance (NCFTA), contact information and incident details are being swapped quickly in the business and financial communities, allowing wires to be successfully recalled from far-flung places, facilitating the identification of fraudster activity, and preventing additional victimizations.  However, the typical scenario involves the disappearance of money into the hands of criminals much faster than the victim realizes that they have made a grave mistake in acting upon a fraudulent email message.

The FBI has now released three major advisories* regarding the Business Email Compromise scam.  The below charts illustrate how the estimated number of victims and the estimated volume of dollar losses have increased dramatically with each Public Service Announcement.


And, though the Internet Crime Complaint Center (IC3) first noticed an uptick in related complaints in October 2013, the ruse has been a common one in Europe for even longer.  A fellow security researcher in France, where they call this ‘The President’s Scam’, has been closely tracking a certain group since 2011.

The most common sequence of events is that a C-level employee email address is either compromised or spoofed in order to send a convincing message to someone in the company with the authority to send a wire.  It appears that oftentimes the fraudsters have done their homework on who’s who also, gleaning names, titles, and even travel schedules of executives from social media accounts.  We have shared examples before; just over a year ago, PhishMe CTO, Aaron Higbee, described an attempt against PhishMe.


Also around this same time last year, Centrify CEO, Tom Kemp, detailed EIGHT different attempts against his company, which itself provides multi-factor authentication services.

Unfortunately, the number of victims continues to rise.  Think about it…every business is a potential victim; so, until everyone knows how to spot this scam, we will keep hearing more horror stories.

The following are some things to keep in mind when you review an email asking you to move money on behalf of your company:

  1. Is the message really from the person that it appears to be from? Review the headers carefully. What is the reply-to address? Was the message actually sent from a lookalike domain name, such as PHlSHME.com with the letter L in place of the letter I?
  2. Do the tone and writing style of the author match what you know of the purported sender of the message?
  3. Are you being asked to reply directly to the message, instead of crafting a new email message? Are you being pressured to keep the transaction to yourself for some reason? Does the email message have a strong sense of urgency?
  4. Is there a link to click or an attachment to open, supposedly containing the wire instructions? As part of this scam, wiring instructions are typically sent to the victim in a subsequent message, after they have initially hooked you into responding.  Usually they are in the body of the follow-up message, but sometimes they are in a PDF attachment.
  5. Don’t think that the receiving bank will necessarily be overseas. Money mules in the United States are operating domestic bank accounts, helping to launder the money while sometimes thinking they are performing a legitimate work-from-home service.
  6. Be willing to stand your ground when something seems ‘off’ about a request. Demand that you personally speak to the person requesting the urgent wire transfer.  When you save the company millions, the CEO will be glad you bugged her for a moment.
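
The header review in the first item, and the matching of lookalike registrations to real company domains described in the investigation earlier, can be partly automated. The following is an added example, not PhishMe's code: it flags From and Reply-To domains within a small edit distance of a trusted domain. The `TRUSTED` set, the function names, the distance threshold and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"phishme.com"}  # assumption: domains your organization really sends from

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def lookalike_of(domain, trusted=TRUSTED, max_dist=2):
    """Return the trusted domain that `domain` imitates, or None."""
    for real in trusted:
        if domain != real and edit_distance(domain, real) <= max_dist:
            return real
    return None

def review(raw_message, trusted=TRUSTED):
    """Return a list of findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    for name, dom in (("From", sender), ("Reply-To", reply)):
        real = lookalike_of(dom, trusted) if dom else None
        if real:
            findings.append(f"{name} domain {dom} is a lookalike of {real}")
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    return findings

# Constructed sample headers; only the lookalike domain comes from the article.
SAMPLE = (
    "From: Chief Executive <ceo@phislhme.com>\n"
    "To: accountant@phishme.com\n"
    "Subject: Jane\n"
    "\n"
    "Are you at your desk?\n"
)
```

Calling `review(SAMPLE)` returns one finding for the From domain. A threshold of 2 suits domains of this length; very short domain names need a tighter one to avoid false matches.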

And below are some Action Items that you can take today to help prevent becoming the next victim:

  1. Enable two-factor authentication on your email account. If your email provider does not offer this, change providers.
  2. Establish a DMARC record on your company domain so that messages spoofing your real domain do not get delivered.
  3. Use different passwords for each online service; use a password manager if needed.
  4. Require dual approval and out-of-band authentication for all wires. Understand that wire transfers are one of the most risky transactions and usually cannot be recalled because they are designed to provide immediate access to and an irrevocable settlement of funds.
  5. The PhishMe Simulator/Reporter combination conditions your employees to spot and submit fraudulent email messages. Contact PhishMe to sign up for Simulator and Reporter so that you can start shoring up your first line of defense.
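
For the DMARC action item, a record only keeps spoofed mail from being delivered when its policy is an enforcing one. The following is an added example, not from the original article: it parses a DMARC TXT record value and lists what keeps it from enforcing. The function names and both sample records (using the placeholder domain example.com) are constructed for illustration.

```python
ENFORCING = ("quarantine", "reject")

def parse_dmarc(txt):
    """Parse a DMARC TXT record value into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_gaps(txt):
    """Return the gaps in a DMARC record; an empty list means it enforces."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    gaps = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        gaps.append(f"p={policy or 'missing'}: mail failing DMARC is still delivered")
    # Subdomains inherit p unless sp overrides it.
    if tags.get("sp", policy).lower() not in ENFORCING:
        gaps.append("subdomains are not covered by an enforcing policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        gaps.append(f"pct={pct}: policy applies to only part of the failing mail")
    if "rua" not in tags:
        gaps.append("no rua address: no aggregate reports on mail claiming the domain")
    return gaps

# Constructed sample records: the weak setting beside the corrected one.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for record in (MONITOR_ONLY, ENFORCED):
        print(record, "->", dmarc_gaps(record) or "enforcing")
```

DMARC covers only mail that claims your exact domain. A message sent from a separately registered lookalike such as phislhme.com is outside its scope, which is why the header review above still matters.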

If you realize that you may have fallen for this scam, call your bank immediately.  Also call your local FBI office and ask for assistance (Find contact information here.) Even if you never wired the money, report the attempt by filing a complaint form with IC3 because this helps the NCFTA track and correlate attacks, improving the likelihood of an eventual prosecution.

*Links to the full FBI PSAs:

New Tactic Bypasses Existing Security Controls – Most Recent PayPal Phish Reveals Stealthy HTML Attachment

Incident response is always a cat and mouse game.  Organizations spend heavily on people and technology to help protect their enterprise, while threat actors continue to find new and unique ways to bypass those controls.  We’ve seen this trend continue over time, whether it be with the shift to MHTML files by Locky or the delivery of malicious PowerPoint show files.  The PhishMe intelligence team has noticed another change, this one by the actors who are phishing for login credentials, and their tactics reveal that they are actively working to bypass security controls.

Tax Time is Phishing Time: Here’s How to Help!


The IRS has a very active security team, currently part of the U.S. Treasury Inspector General for Tax Administration (TIGTA), that is responsible for fighting phishing and tracking down the criminals who prey on U.S. taxpayers.  If you believe you have received a phishing email, please help them by reporting the email you received to phishing@irs.gov.  Additionally, please also consider sending a copy to our team.  PhishMe Brand Intelligence automatically processes any URLs found in emails sent to Report@phishIQ.com (not just IRS phish – we love gathering global intelligence on all phish).