February 20, 2020
The Island of Enchantment is a beautiful place, but even that can’t save Puerto Rico from an ugly reality: business email compromise, which the FBI confirmed in 2019 to be a $26 billion scam.
Business Email Compromise, or simply BEC, is a widespread scam facilitated by fraudulent emails that target organizations transferring high volumes of funds, usually to foreign countries. Those emails are designed either to gain access to the email communication of the targeted company or to spoof the identity of a trusted company that is awaiting the wire transfer.
While this is an effective digital attack, it relies heavily on social engineering - the malicious practice of deceiving executives, high-ranking officials and even regular employees and manipulating their actions.
As mentioned in The Global Risks Report Survey 2020, cyberattacks are second only to extreme weather and climate action failure in aggregate threat to the global economy.
Puerto Rico, which has experienced tropical storms, hurricanes and a 6.4 magnitude earthquake, would probably find it hard to disagree with the survey. The hits just keep coming, and unfortunately, nothing seems to indicate that they will end anytime soon.
Returning to the business email compromise attack, we need to dig deeper into this case and analyze the details unveiled in a Thursday AP report, which claims that the scam was targeting more than $4 million.
According to the source, the compromise first affected the computer of a finance worker at the island’s Employee Retirement System. The malicious party then sent emails to various agencies alleging bank account changes, all while pretending to be a female employee. That might seem an inconsequential detail, but the devil is in the details: the attackers knew exactly what they were doing when they posed as a woman online.
The more trust they can gain, the smoother their scheme will go. Getting replies to those emails is hardly mission impossible either; quite often the bad actors simply request the employee’s password under a lousy “IT help” moniker, and that is enough.
After compromising the account, the attackers create inbox rules that hide all emails sent, so the account’s real owner never notices the exchange. They then reply to an existing thread from the legitimate account. From the target’s perspective the context makes sense, and more employees get CC'd on the message.
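The inbox-rule trick described above leaves a trace: mailbox audit logs record every rule that is created or changed. The following is an added example (not code from the article or from any of the agencies it mentions) of a small triage script that scores such rule events for the tells a defender looks for: rules that delete or mark mail as read, move it into rarely-opened folders, forward it outside the organisation, or filter on payment vocabulary. The sample records are constructed for the example and are only modelled on the shape of Microsoft 365 unified audit log entries for New-InboxRule and Set-InboxRule; the field names and the scoring weights are assumptions, not a vendor specification.

```python
import json

# Constructed sample audit records (made up for this example). The layout imitates
# the Parameters list found in Microsoft 365 unified audit log entries; treat the
# exact field names as an assumption and adapt them to your own log source.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({
        "CreationTime": "2020-02-18T13:02:11", "Operation": "New-InboxRule",
        "UserId": "finance.clerk@example.gov", "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectContainsWords", "Value": "invoice;wire;account"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2020-02-18T09:15:40", "Operation": "New-InboxRule",
        "UserId": "hr.analyst@example.gov", "ClientIP": "198.51.100.8",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletter filing"},
            {"Name": "FromAddressContainsWords", "Value": "newsletter@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
    json.dumps({
        "CreationTime": "2020-02-18T16:44:03", "Operation": "Set-InboxRule",
        "UserId": "finance.clerk@example.gov", "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Identity", "Value": "."},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "ForwardTo", "Value": "ext.mailbox@attacker.example"},
        ],
    }),
]

# Folders that users rarely open, so mail moved there is effectively hidden.
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "junk email", "archive", "deleted items"}
# Vocabulary a BEC actor keys rules on so that payment-related replies vanish.
PAYMENT_WORDS = {"invoice", "wire", "payment", "account", "transfer", "bank"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def params_of(record):
    """Flatten the Parameters list into a simple name -> value mapping."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def score_inbox_rule(record):
    """Return (score, reasons) for one inbox-rule audit record; 0 for other operations."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return 0, []
    params = params_of(record)
    score, reasons = 0, []
    # Actions that make mail disappear from the owner's view.
    if params.get("DeleteMessage") == "True":
        score += 3
        reasons.append("deletes matching mail")
    if params.get("MarkAsRead") == "True":
        score += 1
        reasons.append("marks matching mail as read")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in SUSPECT_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    # Actions that leak mail outside the organisation.
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        if key in params:
            score += 3
            reasons.append(f"{key} -> {params[key]}")
    # Conditions keyed on payment vocabulary.
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = words & PAYMENT_WORDS
    if hits:
        score += 2
        reasons.append(f"filters on payment keywords {sorted(hits)}")
    # Throwaway names such as "." or "-" are a common tell.
    name = params.get("Name", params.get("Identity", ""))
    if not name.strip(".,-_ "):
        score += 1
        reasons.append(f"throwaway rule name {name!r}")
    return score, reasons


def triage(lines, threshold=3):
    """Parse JSON log lines and return the records that score at or above threshold."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        score, reasons = score_inbox_rule(rec)
        if score >= threshold:
            findings.append({"user": rec["UserId"], "time": rec["CreationTime"],
                             "ip": rec.get("ClientIP"), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_RECORDS):
        print(finding)
```

Run against the constructed records, the newsletter rule scores zero and is ignored, while the two rules on the finance clerk's mailbox are flagged: the first for hiding payment-related mail in "RSS Subscriptions" under a throwaway name, the second for deleting mail and forwarding it to an external address. Pairing the finding with the client IP that created the rule is what lets a responder tell an attacker's session from the user's own.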
It does look genuine already.
But then they add a sprinkle of social engineering and request a sum that is usual for the parties involved, and at that point it’s not so outrageous to fall for the bait. Especially when you’re a finance worker who handles similar emails routinely.
While some may believe that this fraud model looks too basic to fool the administration and that it smells like corruption, there are undisputed facts that make governments more vulnerable to this cyber phenomenon.
First of all, the emails of government representatives are lying in plain sight. As seen in the staff section of the targeted company’s website, fifteen email addresses and job descriptions are publicly available, and malicious actors can gather even more information about the serving personnel on social media. Notice also that the connection to the Puerto Rico Industrial Development Company (PRIDCO) website is not secure. That is not related to business email compromise, but it is still worth highlighting.
Secondly, since basic cybersecurity training for government employees is often non-existent due to funding issues, government officials are walking along a razor-sharp edge without even knowing it.
Besides that, international cyber warfare can certainly aggravate the issue, as Advanced Persistent Threat groups can turn their attention to a rival country’s institutions. Almost exactly one month ago we learned about a DDoS attack on the Greek government. While that is an entirely different attack from phishing, and it harms organizations in different ways, the case proves that the political interests of others can also threaten the well-being of government agencies.
Openly available email addresses, a lack of training, the possibility of nefarious actions by rival countries and the general success rate of phishing emails mix into one highly flammable material.
The one piece of non-smug advice affected parties get is always the same.
Don’t follow the instructions in the email, and do not proceed with a transfer until you validate the request through a trusted, independent channel. Not email.
But sadly, government bodies often have neither effective policies nor controls to protect account numbers or confirm credentials. While transfers of that size should probably pass through two or three people for validation, the power is in the hands of a chosen few who have direct access to everything. A system that relies on the integrity and judgment of only one person is asking for trouble.
Knowing that the situation in Puerto Rico affects quality of life quite severely, would anyone be surprised that employees could simply ignore the rules? Life is hard as it is, and people have priorities.
After reviewing this case, we can see that the situation is not as straightforward as it first seems. The reputation of the Puerto Rico government may feed the theory of corruption and money funneling, but let’s agree on one thing - falling for Business Email Compromise shouldn’t invite remarks about someone’s intelligence. If anything, the stigma of making a mistake makes BEC an even bigger threat to the corporate circle.
Let’s reduce the pressure and abstain from creating a toxic environment. Business email compromise protection should really start with education, which is most effective in a level-headed climate.
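The two controls the article calls for, out-of-band validation of any account change and more than one person signing off on a large transfer, can be made mechanical rather than left to one employee's judgment. The following is an added example (not code from the article or from any agency it describes) of a release check that refuses a wire when the beneficiary account differs from the one on file unless someone other than the requester confirmed it through a channel on record, and that demands independent approvers above a threshold. The vendor master data, the names, the threshold and the request shape are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed vendor master file: beneficiary -> bank account on record.
# Assumption: this is maintained through a separate onboarding process and is
# never updated on the strength of an email.
VENDOR_MASTER: Dict[str, str] = {
    "Island Builders LLC": "PR-ACCT-0001",
    "Harbor Office Supply": "PR-ACCT-0002",
}


@dataclass
class WireRequest:
    request_id: str
    beneficiary: str
    account: str
    amount: float
    requested_by: str
    approvers: Set[str] = field(default_factory=set)
    # Person who confirmed the account by calling a number already on file
    # (not a number taken from the email). None means no independent check.
    callback_verified_by: Optional[str] = None


class WireReleasePolicy:
    """Dual control plus out-of-band verification for outgoing transfers."""

    def __init__(self, vendor_master: Dict[str, str],
                 dual_control_threshold: float = 10_000.0,
                 required_approvers: int = 2):
        self.vendor_master = vendor_master
        self.threshold = dual_control_threshold
        self.required_approvers = required_approvers

    def evaluate(self, req: WireRequest) -> Tuple[bool, List[str]]:
        """Return (release_ok, problems). An empty problem list means release."""
        problems: List[str] = []

        # 1. Any deviation from the account on file needs an independent call-back.
        on_file = self.vendor_master.get(req.beneficiary)
        if on_file is None:
            problems.append(f"beneficiary '{req.beneficiary}' is not in the vendor master")
        elif req.account != on_file:
            if req.callback_verified_by is None:
                problems.append("account differs from vendor master and was not verified out of band")
            elif req.callback_verified_by == req.requested_by:
                problems.append("account change was verified by the requester; an independent person must do it")

        # 2. Nobody approves their own request.
        if req.requested_by in req.approvers:
            problems.append(f"requester '{req.requested_by}' cannot approve their own request")

        # 3. Large transfers need several distinct, independent approvers.
        independent = req.approvers - {req.requested_by}
        if req.amount >= self.threshold and len(independent) < self.required_approvers:
            problems.append(f"{req.amount:,.2f} needs {self.required_approvers} independent approvers, "
                            f"has {len(independent)}")

        return (not problems), problems


def demo() -> List[Tuple[str, bool, List[str]]]:
    """Walk four constructed requests through the policy and return the verdicts."""
    policy = WireReleasePolicy(VENDOR_MASTER)
    requests = [
        # Account changed by email, nobody called the vendor back.
        WireRequest("W-1", "Island Builders LLC", "PR-ACCT-9999", 2_500_000.0,
                    "clerk", {"cfo", "controller"}),
        # Same change, confirmed by the controller via the number on file.
        WireRequest("W-2", "Island Builders LLC", "PR-ACCT-9999", 2_500_000.0,
                    "clerk", {"cfo", "controller"}, callback_verified_by="controller"),
        # The clerk "verified" it themselves.
        WireRequest("W-3", "Island Builders LLC", "PR-ACCT-9999", 2_500_000.0,
                    "clerk", {"cfo", "controller"}, callback_verified_by="clerk"),
        # Clerk counted as one of the two approvers.
        WireRequest("W-4", "Harbor Office Supply", "PR-ACCT-0002", 50_000.0,
                    "clerk", {"clerk", "cfo"}),
    ]
    results = []
    for req in requests:
        ok, problems = policy.evaluate(req)
        results.append((req.request_id, ok, problems))
    return results


if __name__ == "__main__":
    for request_id, ok, problems in demo():
        print(request_id, "RELEASE" if ok else "HOLD", problems)
```

Only W-2 is released: the account on the request differs from the vendor master, but a person other than the requester confirmed it through a channel already on record, and two approvers who are not the requester signed off. The other three fail on exactly the weaknesses the article describes, a missing independent check or a single person holding every role in the chain.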