How BEC Scams Target Financial Services Companies


Previously, business email compromise (BEC) attacks targeted organizations’ finance departments and vendors to redirect payments to attacker-controlled accounts. However, recent surveys show attacks against financial services companies rising in numbers and proportions not witnessed before.

The methods themselves have not changed; what is new is the focus on financial services, which has sent jitters through a sector thought to have stronger cybersecurity protocols. CFOs continue to fall for spoofed emails and authorize wire transfers that cost their companies millions of dollars, as the cases below illustrate.

Xoom Corporation

The Xoom Corporation, owned by PayPal, is a remittance service provider facilitating electronic money transfers by which customers pay bills, send money to others, and reload their mobile phones. As the world transitions to cashless digital transactions, fraudsters have seen an opening to hit financial service providers through BEC scams, and Xoom Corporation bore the brunt.

Cybercriminals duped the financial services company’s finance department into wiring $30.8 million in cash to their overseas accounts using spoofed email communication. The consequences of this loss were the resignation of the CFO and a drop in the company’s stock of roughly the same margin, nearly $31 million or about 14%, although the company recovered sufficiently to stay viable.

Cetera Entities pay for BEC attacks

Five financial services firms operating collectively as the Cetera Entities were sanctioned by the Securities and Exchange Commission (SEC) for failing to protect client data from account takeover. The SEC charge indicated that unauthorized third parties (read: hackers) took over the cloud-based email accounts of 60 Cetera employees, which contained the personally identifiable information (PII) of 4,388 clients.

Whereas personally identifiable information (PII) is essential in digital payment solutions, in the wrong hands it can support the opening of fraudulent accounts in a person’s name or even outright identity theft. The email account takeover and its implications for customers cost the Cetera Entities $300,000 in penalties to the SEC, besides restitution to affected clients.

Cambridge Investment Group penalized

The Cambridge Investment Group suffered the same fate as Cetera and paid $250,000 in penalties to the SEC for laxity in enforcing cybersecurity policies in its business. Between 2018 and 2021, hackers took over 121 email accounts belonging to Cambridge Group’s representatives, which contained personally identifiable information (PII) for 2,177 clients.

Cambridge was censured for not taking remedial action immediately. The first attack was reported in January 2018, yet clients’ data continued to be exposed until 2021, exposure that could have been mitigated. The laxity in enforcing data security measures may have put its customers and clients at risk of identity theft and loss of cash to scammers.

KMS Financial Services sanctioned over BEC attacks

KMS Financial Services fell into the same business email compromise (BEC) trap when fraudsters breached and took over email accounts belonging to 15 of the company’s advisors. This breach exposed the personally identifiable information (PII) of nearly 4,900 clients and customers, entrusted to KMS for official use in the course of their business relationship.

The Securities and Exchange Commission faulted KMS for failing to institutionalize policies and procedures that enforced firm-wide security measures, from the first attack in 2018 until two years later in August 2020. This lapse in preparedness against cyberattacks cost KMS $200,000 in penalties for failing to fulfil its obligations as a financial service provider to its clients and customers.

The ‘Florentine banker’ BEC scam

Three Israel- and UK-based international finance sector services firms that handle large cash transfers between partners and third parties were scammed by BEC back in 2019. The firms were about to lose £1.1 million when a swift intervention with the banks salvaged £570,000, while the fraudsters made off with the rest.

Known as the Florentine Banker, the fraudster took time to infiltrate the firms’ key personnel, taking over their email accounts to study content and communication patterns before launching the attack. Operating from within the compromised email accounts, the hackers could change, vary, and conveniently provide alternative payment instructions to reroute funds to their accounts without raising internal suspicion.

The Carbanak malware attack

Perhaps the largest and most devastating cyberattack on financial institutions, including banks, is Carbanak, which first appeared in Eastern Europe. The Carbanak malware is first introduced into a bank’s computers through a CPL attachment on a spear-phishing email that executes shellcode when opened.

The process then installs a Carberp-based backdoor, today identified as Carbanak, through which the hackers access the bank’s network systems at will and rewrite operating instructions, such as those running ATMs. The cybercriminals can then wire money out through SWIFT protocols and have ATMs dispense cash remotely for collection by money mules.

The Robinhood data breach

In late 2021, a fraudster socially engineered a Robinhood customer service representative through a vishing scam to gain access to customer data systems. Although the firm secured its systems immediately upon discovering the breach, the personal details of 310 customers, comprising email addresses, full names, zip codes, and dates of birth, were exposed to possible fraudulent use by criminals.

Ten of these customers were said to have had “more extensive account details revealed,” according to Robinhood, which insisted that social security numbers were secure. Robinhood stated that the hacker attempted to extort a payment for the stolen customer data, but the company notified authorities instead.

The Russian-linked TA505 RAT threat to banks

The Russia-linked TA505 group has been around since 2015, evolving and deploying different methods for infiltrating banking systems, initially using spear phishing to deliver RMS Trojans. These malicious campaigns gained access to target financial institutions worldwide using the Remote Manipulator System (RMS) delivered through phishing emails carrying weaponized Word documents.

The harmless-looking Word document carries a Visual Basic for Applications (VBA) macro that downloads a package from the command and control server and activates the RMS RAT. The use of weaponized Microsoft Office files to deliver VBA macros makes this campaign a slippery one for employees to guard against, which explains its success globally. The trick is that once installed on target computers via Microsoft Office files, the RMS RAT appears to be a legitimate application and goes undetected by protection software.
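Both the Carbanak and TA505 cases above begin with a mail attachment: a CPL file in one, a Word document carrying a VBA macro in the other. The following Python script is an added example (not code from the article or from any vendor) of a mail-gateway triage check that flags both lure types: it parses a raw message, flags attachments with directly executable extensions, and opens Office zip containers to look for the `vbaProject.bin` member that macro-enabled documents carry. The sample message, sender addresses and attachment bytes are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that execute directly when opened (CPL is the Carbanak lure).
EXECUTABLE_EXTENSIONS = {".cpl", ".exe", ".scr", ".js", ".vbs", ".hta"}
# OOXML containers; a "vbaProject.bin" member means the file embeds VBA macros.
OFFICE_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def office_has_vba(data: bytes) -> bool:
    """True if an OOXML document embeds a VBA project (macro-enabled content)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so no OOXML macro project


def triage_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for attachments matching the page's lures."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable attachment"))
        elif ext in OFFICE_EXTENSIONS and office_has_vba(data):
            findings.append((name, "Office document with VBA macro"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a CPL attachment, a macro-bearing .docm and a benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal stand-in for a .docm container
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed-stub-not-a-real-macro")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "ap@example.com", "cfo@example.com", "Invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="invoice.cpl")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="Invoice.docm")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()
```

In production this check would sit alongside sandbox detonation and sender authentication (SPF, DKIM, DMARC), since the Florentine Banker case shows that mail from a genuinely compromised account carries no spoofing indicators at all.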