Expert On Insta Star Used BEC Fraud Attack to Steal £100m from Football Club

By   ISBuzz Team
Writer , Information Security Buzz | Jul 06, 2020 01:56 am PST

It was reported over the weekend that an Instagram star is facing criminal charges over an attempt to steal £100m from a premier league club, amongst others, using Business Email Compromise fraud email attacks.

Notify of
3 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Tim Bandos
Tim Bandos , Vice President of Cybersecurity
July 7, 2020 1:13 pm

Business Email Compromise continues to be a significant issue. Companies will traditionally roll out security awareness training to their employees about not opening suspicious email attachments or clicking on links, but how many companies train their staff to refuse or question a direct command from senior staff? The art of “whaling” aims to compromise a senior staff member’s email and then use that to instruct junior staff to make payments to bank accounts of fraudsters.

Because these highly lucrative attacks are succeeding, they will continue to attract more groups willing to attempt their methods. It’s time that businesses consider applying security to their business practices because IT security tools are not infallible against human behaviour.

As an example, train your staff to require third party validation for any financial transaction or introduce payment procedures requiring multiple sets of independent eyes. Malicious individuals are abusing the fact that junior staff implicitly trust their seniors and act quickly as instructed. You must put in place processes and beliefs that when unordinary requests come through they should be questioned.

Last edited 3 years ago by Tim Bandos
Ed Macnair
Ed Macnair , CEO
July 7, 2020 1:11 pm

The case of an unnamed premier league club losing £100 million from a Business Email Compromise (BEC) scam shows that even the most common form of attacks pose an enormous risk to unsuspecting organisations. BEC is so effective because it exploits a human impulse – as the emails often look ‘real’, these scams take advantage of a very human desire to please a high ranking executive – which means the victim may not be as security-vigilant as usual.

Unfortunately, because these emails are so convincing, and targeted, the traditional pattern matching technologies usually used to catch spam are also useless against this technique. In order to be able to spot them, organisations need to combine content analysis, threat intelligence and executive name checking to efficiently protect themselves. Combining the right technology with best-practice policies for employees will give organisations the right tools to keep their eye on the ball and mitigate these types of scams.

Last edited 3 years ago by Ed Macnair
Chris Ross
Chris Ross , SVP
July 6, 2020 9:59 am

This incident is another reminder that cyber threats such as Business Email Compromise (BEC) schemes remain active and prevalent, posing a huge risk to unsuspecting organisations. In many cases, the hacker creates a fraudulent, but realistic-looking, email request for payment of an invoice or transfer of funds. The perpetrator will often use the company logo, email signature, and fake purchase order number in their correspondence to increase the likelihood of being believed. The victim, assuming they are just doing their job, makes the transfer in response to the request, often repeating the process over time, leading to the company losing tens of thousands, if not millions of pounds.

This type of spear-phishing attack has been trending, with Barracuda Sentinel detecting 467,825 spear-phishing email attacks between March 1 and March 23, a 667% increase. Tackling this issue requires companies to invest in the very latest email protection systems and also ensure that every employee is acutely aware of these scams and how they operate.

Last edited 3 years ago by Chris Ross

Recent Posts

Would love your thoughts, please comment.x