IBM Uncovers Business Email Scam Targeting Fortune 500 Firms

IBM is warning Fortune 500 companies of a widespread business email compromise (BEC) scam.

The technology company’s X-Force Incident Response and Intelligence Services published a blog post last week highlighting the scam, which IBM said likely originated in Nigeria. The ring involves “credential harvesting, phishing and social engineering,” with cybercriminals targeting corporates’ financial assets, the unit said.

According to the post, X-Force first identified a spike in wire transfer payment fraud in the autumn of 2017, with clients reporting they had been targeted by the BEC scam in their accounts payable (AP) departments. Victims included some Fortune 500 firms, IBM noted, and the scams led to millions of dollars stolen from businesses.

Further investigation found scammers used stolen email credentials and social engineering tactics to send seemingly legitimate emails to AP professionals.

“These attacks are almost entirely based on phishing and social engineering and are thus attractive to cybercriminals due to their relative simplicity,” the company said in its post. “In most cases, BEC scams involve little to no technical knowledge, malware or special tools.”

Emails were sent from employee addresses, or addresses were faked to look like legitimate personnel. Social engineering strategies mean attackers mimicked a conversational tone and followed up with previous conversational topics in their messages while requesting the victim update their bank information for a well-known supplier or business partner, X-Force said.

Further, attackers filtered out emails, monitored inboxes and, in some cases, filled out paperwork, all while bypassing spam filters and traditional cybersecurity tools, the company added.

The business email compromise has been the subject of several warnings from the U.S. Federal Bureau of Investigation in recent years. Earlier this month, the FBI’s Deputy Assistant Director at its Cyber Division, Howard S. Marshall, spoke to the House of Representatives to highlight the need for greater cybersecurity, especially for small businesses, which are also common targets of the BEC scam.