Busting Business Email Compromise

Stop Business Email Compromise

In cyber security circles, Ubiquiti Networks, manufacturer of wired and wireless network devices, is infamous for more than their products.

Over a period of 17 days and 14 wire transfers in 2015, $46.7 million was transferred out of Ubiquiti’s coffers to criminals’ bank accounts on the strength of a made-up acquisition in an elaborate Business Email Compromise (BEC) scam. The money disappeared quickly, and the transactions went unquestioned for two months. Time and effort ultimately recovered over $16 million, but the company lost an additional $39.1 million in professional fees, and an incalculable amount in reputation.

Business Email Compromise, sometimes known as CEO Fraud, accounts for a sizeable chunk of the unwanted spam and fraudulent emails that, according to Kaspersky, make up about 50% of typical inbox contents. Monetary loss related to BEC exceeds that of data breaches, ransomware, and other malware attacks combined, because targets are chosen for their high-level access to information or funds. In its 2019 report, the Internet Crime Complaint Center (IC3) estimated that losses related to BEC totaled about $1.7 billion, over half of all cyber crime losses recorded that year. When BEC succeeds, it makes the news.

The Ubiquiti BEC case is one of the most famous and offers insight into criminals’ methods and how to stop BEC attempts in their tracks. Even a major technology firm like Ubiquiti should never assume they are immune to these increasingly sophisticated attacks.

The Ubiquiti Scandal

May 19, 2015: Rohit Chakravarthy, the new CFO of Ubiquiti, receives two emails after just one month on the job. One appears to be from his boss, Ubiquiti founder and chief executive Robert Pera. Ubiquiti later explains that its own email systems were not compromised, but the email Chakravarthy receives has all the indications he is used to seeing in communications with Pera. Faux-Pera explains that Ubiquiti is in the process of a new, confidential

As expected, Chakravarthy receives the first of several emails that appear to be from Latham & Watkins lawyer Tom Evans. The only thing that seems off about this communication is that the sender’s address is at “consultant.com,” but with the rest of the story matching, Chakravarthy follows the instructions, overruling standard industry procedure and, based on all reports, acting alone.

Over the next 17 days, Chakravarthy makes 14 wire transfers to accounts around the world, in places like Russia, China, Hungary, and Poland. These payments total $46.7 million.

June 5, 2015: The real Robert Pera receives an email from the FBI. They’ve been monitoring one of the accounts Ubiquiti has paid into, and they inform Pera that Ubiquiti has become a victim of business email compromise. This is the first he has heard of these substantial money transfers. The company works with one of their banks to begin legal proceedings and quickly recovers $8.1 million.

August, 2015: Ubiquiti discloses the scam and the money involved to the press. No names are shared at this point, but Chakravarthy resigns.

2016: Ubiquiti has recovered a total of $16.7 million.

2020: It does not appear that Ubiquiti has recovered any additional funds, but has lost at least an additional $39 million in fees and bears the unfortunate reputation as a cyber security risk.

Identifying BEC

In a 2016 (but still relevant) public service announcement, the FBI identified five recognizable types of BEC scams to watch out for:

  • The Bogus Invoice Scheme/Supplier Swindle. Closely matching form and function of known invoices and services, a fraudster—masked as a long-standing supplier or partner—sends an invoice or updated instructions for payment into a new account. The victim is accustomed to fulfilling payments and often does so without question.
  • CEO Fraud/Wire Fraud. A high-level executive’s email account is compromised through hack or spoofing. This account sends a request for wire transfer to another employee within the company who makes these payments as part of their normal duties. The impersonated executive requests that the payment be made to a different account than normal and provides an excuse that seems reasonable.
  • Email Account Compromise. An employee’s email account is hacked. This is used to send invoices and payment requests to vendors who are already on the employee’s contact list. The business may be completely unaware of these requests unless a vendor becomes suspicious.
  • Attorney or Executive Impersonation. The attacker pretends to be from a partner organization or legal firm, one with known connections to the business. The message emphasizes confidentiality and urgency, and might be timed for the end of a business day or work week, forcing the victim to act quickly.
  • Data Theft. An attacker uses social engineering against human resources or bookkeeping departments to obtain W2 forms and other personally identifiable information (PII). This information can be used for tax fraud or to home in on further attacks. These attacks are often combined with Account Compromise, making the victim think that the request is coming from a legitimate source.

Preventing Your Own Ubiquiti

Building and enforcing standards that require checks and balances when sending any money over a certain amount, as well as employee and client data, can circumvent BEC as a matter of course.

  • As a company, set an acceptable dollar amount for solo-authorized transfers. Any requests over that amount should require second approval via different means of communication. Hitting reply on an email may go back to the criminal’s account.
  • Any email involving something as important as a company acquisition, merger, million-dollar payment, or PII warrants a follow-up phone call. Build a policy where this is standard, so the recipient knows to expect it in the event of a legitimate request. Don’t just click on phone numbers provided in emails; maintain a master company directory for approvals. If the request comes from a vendor, use contact information from previous billing or that is publicly available on their website.
  • Enable 2FA/MFA on all accounts, ensuring that the only one accessing your accounts is you. Never provide anyone with these access codes. Include this in official policy.
  • Undergo annual, company-wide, and at-hire cybersecurity training. Emphasize the best practice of asking questions of peers and superiors, and enable a direct line of communication with IT.
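The indicators the article singles out (a familiar display name on an unfamiliar sending domain, replies routed back to an attacker-controlled mailbox, confidentiality and urgency language, and a dollar amount above the solo-approval threshold) can be checked mechanically before a human ever reads the request. The following Python screening routine is an added example written for this page, not code from the original article or from Ubiquiti; the company domain, the protected executive name, the partner domain, the $10,000 threshold, and both sample messages are constructed placeholders. It works on a raw RFC 822 message and returns a list of findings, any of which should route the request to the out-of-band approval step described above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Organisation data below is hypothetical, constructed for this example.
COMPANY_DOMAINS = {"example.com"}
# Display names whose mail should only ever originate from a company domain.
PROTECTED_NAMES = {"robert pera"}
# Known outside contacts and the domain their mail is expected to come from.
KNOWN_PARTNERS = {"tom evans": "law-firm.example"}
# Policy threshold above which a second approval over a different channel is required.
SOLO_APPROVAL_LIMIT = 10_000
PRESSURE_WORDS = ("urgent", "confidential", "immediately", "end of day", "do not discuss")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def largest_amount(text: str) -> float:
    """Largest dollar figure mentioned in the text, or 0.0 if there is none."""
    figures = re.findall(r"\$\s?(\d[\d,]*(?:\.\d{2})?)", text)
    return max((float(f.replace(",", "")) for f in figures), default=0.0)


def screen_message(raw: str) -> list[str]:
    """Apply the BEC indicators to one single-part message; return the findings."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    name = from_name.strip().lower()
    findings = []

    # Executive impersonation: a protected display name on a non-company domain.
    if name in PROTECTED_NAMES and from_domain not in COMPANY_DOMAINS:
        findings.append("executive-name-external-domain")

    # Partner impersonation: a known contact writing from a domain that is not theirs.
    expected = KNOWN_PARTNERS.get(name)
    if expected and from_domain != expected:
        findings.append("partner-domain-mismatch")

    # Reply hijack: hitting reply would go to a mailbox other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # Social-engineering pressure: confidentiality and urgency language.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(word in text for word in PRESSURE_WORDS):
        findings.append("pressure-language")

    # Policy control: amounts above the solo-approval limit need a second approver.
    if largest_amount(text) > SOLO_APPROVAL_LIMIT:
        findings.append("second-approval-required")

    return findings


# Constructed sample messages (not real correspondence).
SUSPICIOUS = """\
From: Tom Evans <tom.evans@consultant.example>
Reply-To: t.evans.legal@mailbox.example
To: cfo@example.com
Subject: URGENT - confidential acquisition wire

Please wire $1,250,000.00 today to the escrow account below. Do not discuss
this with anyone else; the CEO has already approved it.
"""

ROUTINE = """\
From: Robert Pera <robert.pera@example.com>
To: cfo@example.com
Subject: Q3 travel reimbursement

Please process the $420.00 reimbursement when you get a chance.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, "->", screen_message(sample) or ["no findings"])
```

Any non-empty result is a reason to pick up the phone and call a number from the company directory, never one taken from the message itself. The routine only reads headers and the plain-text body; it deliberately does not try to judge whether the requested account is legitimate, because that is exactly the question the out-of-band call exists to answer.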

Any question or concern addressed before clicking a link could be the one that stops a BEC attack and saves your company millions, not to mention maintains your reputation.

Is it time to partner with trusted IT experts to address cybersecurity as the viable threat it is to your business? Contact us for a cyber security/infrastructure audit or employee awareness training.

Want to read more about the Ubiquiti scandal? The following sources provide further insight.