Andrew Frey is a Forensic Financial Analyst for the San Francisco Field Office of the U.S. Secret Service, working in the Cyber Fraud Task Force. As one of the most knowledgeable people in the US Government on the threat of Business Email Compromise (BEC), Andrew works directly with companies and individuals to gather intelligence on cybercriminals behind these attacks and helps recover lost funds when wire fraud has occurred. In a recent episode of the podcast, he spoke to Tim Sadler about attacks he’s investigated, explained how lost funds are recovered and why he believes BEC is on the rise.
Listen to the whole episode, here, or read on for three key Q&As from the interview.
Why are BEC attacks growing more frequent and more effective?
I think that the answer is in the question – BEC attacks are growing in frequency because of their efficacy. BEC is an unprecedented type of cybercrime because of its enduring effectiveness. For most scams, widespread education brings their downfall – think IRS impersonation scams, lottery scams, and the Nigerian prince scam.
Those schemes are all still around but their heyday is over because most people have been made aware of them in one form or another. You also have organizations like banks and gift card retailers pitching in with warning signs or detection systems that help deter those scams with a high degree of effectiveness.
In the case of BECs there is now more education, communication, and detection technology than just about any other scam, and yet they are still very common with no sign of becoming less so. The victim pool is also very broad. It isn’t just senior executives being targeted, we now see everyday people losing down payments to their new homes through BEC, for example.
The victims also aren’t necessarily so-called ‘vulnerable’ or lacking in tech-savvy. Many victims are Fortune 500 companies – companies that most folks know by name and logo, companies with rigorous security and control. So as long as the crime continues to have success it is only going to grow.
What are the typical traits and characteristics of these attacks?
In almost every BEC case that I have worked there were red flags in hindsight. They could be as subtle as a different font or a different representative than who you have always worked with, or even a different salutation. It is very rare that when reviewing the email with hindsight you don’t spot something that probably should have caught your eye.
As for who is targeted most frequently, it is tough to say because each criminal organization probably has a favorite industry – one that they’ve spent time familiarizing themselves with to allow them to talk the talk in a convincing fashion.
I am currently working on a case where about a dozen cities and counties were hit with millions of dollars in BECs, and this is a number that is growing by the day. Victims include city police departments and even some school districts, and part of what has made them appealing targets is that so many of their suppliers and the amounts and frequency paid to them are publicly available online.
This takes a lot of the work out of the process for the criminals. In some instances, a cyber intrusion isn’t even necessary because the criminal actor could impersonate the supplier or municipality’s finance director and request payment without intrusion. Cases like this are becoming more and more common.
How do you recover lost funds? What is important to know for people who one day might be victims of these kinds of attacks?
We have a number of tools at our disposal that can help recover funds, including cryptocurrency and funds that have been wire transferred abroad, which is common these days. As a victim, the key is timely notification to law enforcement. I personally receive one to three reports of BEC a week, and the recovery rate is actually a lot better than you would imagine. I think people think BECs aren’t recoverable and that is not accurate, but timing is everything.
When I am notified of a BEC I immediately work with the relevant financial institutions to trace these funds and I won’t stop until there is a definite dead end or the money is recovered. Simultaneously we might be arranging for an exam of the victim’s network by one of our network intrusion responders to gather evidence for a criminal investigation. But really one of the best ways we help is pro-active education. We try to get out there and provide a resource for companies and institutions so that when any kind of cyber incident happens they know who to call.
In terms of more general advice, businesses need to practice good cyber hygiene. That means anti-phishing training, using complex unique passwords, and changing passwords frequently. It is also very important to prep yourself before an attack occurs by having an incident response plan with clearly outlined roles. That way, if something does happen you don’t have a half dozen people trying to figure out who to call and what to do.
For more of Andrew’s anecdotes and further discussion, listen to our Tessian Podcast episode, here. You can also visit the Secret Service website to find out more information.