Operators need to protect themselves from cybercrime

We’ve all heard about businesses that are victims of cybercrime, but we never think it will happen to us.

But as one motorcoach operator recently learned, it can happen to anyone who isn’t constantly alert to the threat.

“I got a call from the office,” the operator said. “My partner says, ‘I processed that wire transfer for you.’ I said, ‘What wire transfer?’ There was a long pause . . . we both realized we had been hacked.”

An elaborate, long-planned scheme had extracted $48,000 from a successful, sophisticated carrier operating more than 75 motorcoaches. It was a textbook example of “business email compromise” (BEC), which has become a billion-dollar industry, the Federal Bureau of Investigation reports.

Two other motorcoach companies covered by this operator’s insurance carrier had been hacked previously in BECs, he was told.

Scammers swiped $346.2 million from 3,044 companies in BECs executed from June through December 2016, the U.S. Internet Crime Complaint Center (IC3) reported.

In 2015, federal investigators logged 7,837 business email compromise crimes and ranked them 17th among sub-categories of cybercrime. In dollars lost, however, BEC was the most harmful sub-category in 2015, accounting for $246 million of $1.1 billion in total U.S. cybercrime losses.

The BEC scam “continues to grow, evolve, and target small, medium, and large businesses,” IC3 stated in an annual update released May 4. “Between January 2015 and December 2016, there was a 2,370 percent increase in identified exposed losses.”

Outside the U.S., international law enforcement authorities reported $448.5 million in BEC thefts from 774 businesses in the last half of 2016.

From October 2013 through the end of last year, business email crimes had taken $5.3 billion from 40,203 companies around the world.

“I never thought something like this was possible,” said a principal for the hacked motorcoach carrier. “It was very hard to understand how something like this could happen.”

He declined to be identified but shared his story as a warning to other motorcoach operators.

“You think, ‘How could I be so stupid?’ You feel like an idiot. Then you realize what went into planning this. We were probably monitored for quite a while. You don’t realize how easy this is. It happens that quick — Boom! Gone.”

The IC3 identifies common characteristics in BEC thefts, including:

  • Individuals responsible for handling wire transfers are targeted.
  • Spoofed emails very closely mimic a legitimate email request. Fraudulent email requests for a wire transfer are well worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
  • The amount of the fraudulent wire transfer request is business-specific. Dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
  • Fraudulent emails received have coincided with business travel dates for executives whose emails were spoofed.

This motorcoach carrier’s theft was executed after considerable spying on its business practices, the identities of principals empowered to execute wire transfers and even a principal’s travel schedule.

“We do wire transfers several times a week for vehicles, parts, insurance and fuel,” the partner said. “We have a daily limit, but we have moved over $100,000 at times. This amount was not out of the ordinary for us.”

The criminals’ timing also demonstrated inside knowledge, he said.

“I was out of town at a meeting. I got a phone call just as I walked into a meeting. I didn’t answer but I emailed my partner and never heard back.”

His email was not received back at the office, but a spoofed email was delivered there.

“This email conversation occurred between an unknown party and my business partner, coming from my email address with my iPhone as the signature,” he said. “They knew the exact moment to drop this. They knew I was gone, and more importantly they executed it between the only two people in the organization who can make money move.”

Later in the day the partners realized they had sent $48,000 to parts unknown. It was 6:10 p.m.

“I immediately called my personal banker and set up a fraud alert,” the partner said. “A couple of weeks went by and we did not hear anything. Eventually we were able to recover $21,000 that was still in the account. Another $9,000 is still at another bank.”

His bank’s investigation traced the first step of the wire transfer’s journey.

“We clearly know the money was sent to a person in California. That is just the mule — like the idiot you find in the airport to carry your package through customs for you.”

As far as the intended final destination of the money, he said, “The emails appear to come from Nigeria, but it is not clear whether they came from Nigeria or were just made to look like they came from Nigeria.”

Two months after the scam occurred, the motorcoach operators had not heard anything from the FBI.

“Apparently there are bigger fish to fry,” the partner said. “Fraud is so rampant — you can’t turn on the news without hearing about some big company being hacked.”

IC3 defines business email compromise as a scam “carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

The center, in its May 4 update, said most thefts are made through wire transfers but can be executed by check.

“The fraudsters will use the method most commonly associated with their victim’s normal business practices. The scam has evolved to include the compromising of legitimate business email accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees, and may not always be associated with a request for transfer of funds,” IC3 warned.

BEC victims “range from small businesses to large corporations” and “deal in a wide variety of goods and services, indicating that no specific sector is targeted. It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam.

“The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ emails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).”

Federal investigators say BEC criminals also may utilize other online frauds, “including but not limited to romance, lottery, employment, and rental scams. The victims of these scams are usually U.S. based and may be recruited as unwitting money mules. The mules receive the fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds to another bank account, usually outside the U.S.”

Business email crime victims have been reported in all 50 states and in 131 countries, according to IC3. Fraudulent transfers have been sent to 103 countries but primarily to China and Hong Kong. Financial institutions in the United Kingdom also are prominent destinations.

The scammed motorcoach carrier immediately changed its banking procedures. “We required dual authentication so there isn’t one person who can move money,” the partner said. “Then we did a top-to-bottom assessment of our network security.”

Simple, predictable employee email addresses were replaced with more complex addresses. Important activities were transferred to different computer ports with password lockouts. An outside information technology company was retained to review procedures. The carrier’s current IT provider may be replaced with another that is capable of greater security procedures.

The theft was executed so smoothly, the partner said, “Initially we thought it was an inside job. We quickly recognized that the emails did not come from an internal Internet provider address.”
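As an added illustration (not part of the article and not the carrier's own tooling), the following Python check turns the cues the partner describes into a mail-filter rule: a message that displays an internal sender address but fails SPF/DKIM, carries a Reply-To outside the company, and asks for a funds transfer. The company domain, the headers and both sample messages are constructed placeholders.

```python
"""Flag messages that look like a spoofed internal wire-transfer request (BEC)."""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-coach.test"  # assumed placeholder for the carrier's domain
WIRE_TERMS = re.compile(r"\b(wire|transfer|routing|account number|urgent)\b", re.I)


def _domain(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_findings(raw_message):
    """Return the reasons a message looks like a spoofed internal request (empty list if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    if _domain(msg.get("From")) != COMPANY_DOMAIN:
        return findings  # external senders are handled by other controls
    # The partner's own cue: the mail claims an internal address but did not come from the company's mail path.
    auth = str(msg.get("Authentication-Results") or "").lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("internal From address without SPF/DKIM pass")
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != COMPANY_DOMAIN:
        findings.append(f"Reply-To points outside the company ({reply_dom})")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if WIRE_TERMS.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("requests a funds transfer")
    return findings


# Constructed sample messages (not real mail): one spoofed request, one ordinary internal note.
SPOOFED = """From: Bob Principal <bob@example-coach.test>
Reply-To: bob.principal@mail-coach.test
To: partner@example-coach.test
Subject: Wire transfer today
Authentication-Results: mx.example-coach.test; spf=fail smtp.mailfrom=mail-coach.test; dkim=none
Content-Type: text/plain

Please process the wire before 3pm, I'm walking into a meeting. Sent from my iPhone
"""

LEGIT = """From: Bob Principal <bob@example-coach.test>
To: partner@example-coach.test
Subject: Lunch Friday
Authentication-Results: mx.example-coach.test; spf=pass smtp.mailfrom=example-coach.test; dkim=pass header.d=example-coach.test
Content-Type: text/plain

Still on for Friday?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, bec_findings(raw))
```

A hit on the first finding alone is worth a hold-and-verify call to the named sender over a known phone number, which is the control that dual authorization on the wire itself backs up.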

This operator’s advice for his peers? “Be aware and be afraid. Consider hiring a firm to do a network penetration test and find out how somebody might be able to get in.”

Two months after the theft was executed, the carrier was still awaiting the return of the $9,000 that was caught at another bank before it was shipped overseas.

And another hack popped up.

“We found a laptop in our shop yesterday the mechanics use for diagnostic purposes — it had ransomware script embedded in it. We immediately shut it down and took it to our IT vendor for scrubbing.”
