Today’s digital frontier is reminiscent of the days of the Wild West. Cyber criminals are calling the shots in this modern day, blazing new trails of increased sophistication in cyber crime and benefiting unscrupulously off the backs of naïve victims who seldom realize what struck them until it is too late.

These cyber criminals are always pushing the limits of organized crime and devising new methods to extend their operations and revenues. They devise plans in the digital realm that span practically all facets of conventional crime, including fraud, extortion, theft, hijacking, and even blackmail, long before law enforcement and security experts are able to detect and finally catch up with them.

It is not surprising, then, that most of us can now say goodbye to the phenomenon of traditional 419 scams, which is slowly fading into obscurity, and hello to the future of a much more insidious form of email scam that employs the use of social engineering, malicious software, and computer intrusions, known in the information security community as Business Email Compromise Scam.

Yes, you can forget about these extinct forms of traditional 419 scams, in which you typically receive an email from a widow or self-styled investor relation party promising you a large payout, usually in the millions of dollars, in exchange for your assistance in transferring funds belonging to a deceased wealthy corrupt government official or other notable public figure.

The style of a typical 419-email scam preys on our weaknesses as human beings who naturally assist one another by using deceit and playing on our vulnerability to our desire to move ahead in life by giving us a get rich quick scheme.

Today, though, most of us would recognize a classic 419 from a mile away. To put it mildly, these emails frequently land in your spam folder if you utilize an email hosting provider with simple spam and email screening settings.

What is Business Email Compromise?

Business Email Compromise (BEC) is defined by the FBI as a sophisticated fraud that targets firms who engage with international suppliers and make frequent wire transfer payments in return for large amounts of commodities. These schemes, formerly known as Man-in-the-Email scams, infiltrate official company email accounts in order to make unlawful financial transfers. Between October 2013 and August 2015, BEC scams cost US victims approximately $750 million and harmed over 7,000 individuals. Globally, fraudsters stole more than $50 million from victims outside the United States.

Business Email Compromise (BEC) offenses outnumber all other categories of crime by far. These scams are financially motivated and rely on social engineering strategies to target company email in-boxes, resulting in financial loss owing to unlawful transfers of cash into phony destination bank accounts.

There are three types of BEC scams.

Version one

This variation, on which I will concentrate heavily throughout this article, is also known as “Invoice Modification Fraud,” “The Buyer Swindle,” and “Invoice Modification Scheme,” and often includes a firm that has an established connection with a supplier. The fraudster inserts himself into the email conversation and requests that the buyer transfer money for invoice payment to a different, fraudulent recipient account using a fake or spoofed email. A faked email is a forgery of an email that assumes the identity of a real entity, in this example, the provider.

Version two

In this form, the fraudsters pose as high-level executives (CFO, CEO, CTO, and so on), attorneys, or other sorts of legal representation and claim to be handling secret or time-sensitive problems before initiating a wire transfer to an account they control. In certain situations, the fraudulent wire transfer request is submitted straight to the banking institution with instructions to deliver money to a bank as soon as possible. This fraud is also referred to as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Scam.”

“Wire Frauds in the Industry.”

Like the previous two variants, an employee’s email account is hijacked and then used to send invoice payment requests to fraudster-controlled bank accounts. Multiple email messages are sent to suppliers recognized from the employee’s contact list. The company may not be aware of the strategy until its suppliers contact them to inquire about the status of the invoice payment.

Threat Intelligence for Invoice Payment Fraud

Threat intelligence is essentially situational knowledge of a certain sort of threat, including the threat actor’s approaches and tactics. This section will attempt to explain the dangers of invoice modification fraud.

There are many incidents involving invoice payment fraud schemes, and this variant of the BEC scam in the MEA area. This is most likely owing to the structure of the region’s commercial and economic environment, which, dare I say, comprises mostly the importation or export of raw materials and supplies utilized in manufacturing, agriculture, and other small and large-scale processing units.

Small and medium-sized enterprises often drive these economies, as opposed to the service-based economies of more advanced industrialized nations, which revolve around larger, more established corporate players. According to my data, these larger players are more vulnerable to BEC scam versions 2 and 3.

When combined with a lack of understanding of the hazards of cyber security threats, as well as a lack of fundamental cyber security hygiene and security practice, this offers the ideal playing field for cybercriminals, who concentrate more attacks on the area through invoice alteration fraud schemes.

This will be our primary emphasis in the next sections since this scam has the greatest potential to affect many small and medium-sized firms that meet the invoice alteration fraud requirements. Several the recent invoice fraud schemes our firm has worked on have included organization’s that have suffered losses of up to $100,000 in an instant.

What Causes Invoice Payment Fraud?

This involves a complicated series of events that only businesses with supplier relationships and who are more familiar with these types of wire transfer transactions can easily relate to and hopefully understand how the attackers will patiently wait, observe, and then strike at the opportune time to scam their victims out of large sums of money.

To score a large pay-out, the attackers behind these scams use intrusion techniques to attack and gain access to email servers and business email accounts with weak security configurations and sit man-in-the-middle style, intercepting and redirecting email messages between buyer and supplier business email exchanges.

Once inside a hacked mail server, they look for high-value transactions in the pre-order stage. Another strategy employed by cyber criminals is to convince workers to click on malicious URLs, which are then used to download and install a key-logger, a device that records keyboard strokes on the victim’s computer.

Once the keylogger software is installed, the attackers use a message feedback mechanism to alert them when specific keywords such as ‘invoice,’ ‘purchase order,’ and so on are observed from the victims’ keystrokes in order to identify high-value transactions in the pre-order phase that are moving to the payment confirmation stage.

Typically, in these sorts of transactions, customers submit a purchase order for items to the seller’s business email account, and the seller responds with an invoice and payment instructions.

The fraudster will try to determine who initiates wire transfers and who requests them by monitoring the compromised email account or recorded keystrokes, which will obviously reveal the username and password of business email accounts by recording every single keystroke of the victim’s infected computer.

After determining all of this, the attacker clones both the buyer and seller’s email addresses, typically creating a new address that is slightly different but similar to the company being targeted, in order to spoof emails that convince the target that they are dealing with the other legitimate party.

One critical point to notice here is that they will change the email return route or return address to send answers to their own attacker-controlled email accounts, where they will then edit the message and forward it to the intended recipients from the faked email account.

An Actual-Life Example

A basic example of the email spoofing method utilized by these hackers on a fictitious organization called ABC Inc. who is in the business of producing plastic chairs. Let’s say that the victim whose email was compromised is a sales representative from ABC Inc. whose email is

The attacker would create a new email account at a different domain and impersonate Sandra’s business email address with sandra.samson@abc!, which he would insert into ongoing buyer and supplier related communications from which he would receive information from the supplier firm from whom Sandra was engaged in seeking to import raw materials for production.

The attackers may then edit the invoice by changing the bank account numbers, and SWIFT codes of the supplier company to receive the fraudulent transaction. After changing the destination account in the invoice document to a false destination bank account by claiming that their accounts are presently being audited, for example, they convey this new instruction to the buyer in this case Sandra, who wires money to the attacker-controlled fraudulent account instead of the supplier.

Defending Yourself Against the Scam

Businesses should be watchful and educate their staff on how to avoid becoming a victim of BEC scams and other similar assaults. It’s critical to understand that hackers don’t care about the size of your firm – the more victims, the better. Furthermore, cyber criminals do not need to be extremely skilled since the cyber criminal underground has tools and services for all levels of technical competence. As the globe becomes increasingly reliant on Web services such as webmail, it may only take a single stolen account to steal from a firm.

As a result, here are some suggestions for being safe and secure:

Install and keep up-to-date anti-virus software, and utilize a third-party email hosting firm that offers a secure mail infrastructure with email filters to limit some of the phishing traffic and possible malware infections.

It is highly advised to utilize the “Forward” option rather than “Reply” or “Reply All” so you may write your contact’s email address and guarantee that the proper address is used rather than the attacker’s forged phony email address.

Employees must be educated and trained in cybersecurity awareness. While people are a company’s most valuable asset, they are also its weakest link when it comes to security. Commit to training staff in accordance with the best practices of the firm. Remind them that following business regulations is one thing but creating strong security practices is something else entirely.

Use phone verification as part of two-factor authentication to confirm any changes in supplier payment and destination bank account data. Confirm money transfer requests by dialing recognized company lines and speaking with familiar or confirmed backup staff.

If you feel your bank accounts have been hacked, contact your financial institution immediately and cancel any compromised accounts.