About reports

According to the US Internet Crime Complaint Center (IC3), which operates under the US Federal Bureau of Investigation (FBI), nearly 80,000 cases of Business Email Compromise (BEC) were reported in the less than five years from October 2013 to May 2018, with total damage amounting to about 12.5 billion dollars (about 1.4 trillion yen). In Japan as well, it was reported *1 that a major airline suffered about 380 million yen in damage at the end of 2017, and that the European subsidiary of a manufacturing company suffered damage of approximately 4 billion yen *3. The BEC damage cases reported in Japan are only the tip of the iceberg; we believe the number would be considerably larger if cases with relatively small losses were included.

At Macnica, between 2015 and 2019 we analyzed not only the BEC emails delivered to the group of our parent company (Macnica · Fuji HOLDINGS, INC.), but also BEC emails sent to business partners while impersonating the Macnica group, as well as the BEC incidents handled by our incident response service, and clarified the techniques used by the attackers. Now, with the cooperation of ITCCERT *4 (honorifics omitted hereafter) of ITOCHU Corp., we have also been able to draw on the analysis results of the BEC emails delivered daily to the ITOCHU group, which operates around the world, and a clearer picture of BEC has emerged. ITCCERT began monitoring BEC in 2014, and in 2017 it also observed BEC written in Japanese, making it the organization with the deepest knowledge of BEC in Japan. The actual state of BEC observed at the ITOCHU group and the Macnica group is explained in Chapter 2 with examples.

Even before a BEC email arrives, the attacker goes through a thorough preparation stage. In many cases, attackers need to know the details of a transaction in order to hijack it and commit fraud, so they use a variety of methods in an attempt to compromise email accounts. By eavesdropping on the email exchanged through an account they have logged into without authorization, they can cut into the exchange at an effective moment and commit the fraud. The series of steps that follows this meticulous preparation, from delivering the BEC email and committing the fraud to having the money transferred to an account prepared by the attacker, is summarized in Chapter 3 as the BEC Kill Chain.

There is no silver bullet against BEC. In addition to measures on the IT system side, it is extremely important to take measures at the last line of defense, based on the awareness of the accounting department. Chapter 4 summarizes the measures that we believe have a certain degree of effectiveness at this time, from the perspective of both the IT system and the accounting department. Chapter 5 summarizes the incident response required when faced with business email compromise.

The contents of the report are as follows.

  • 1 Executive Summary
  • 2 Actual state of business email fraud
    • 2.1 Pretending to be the CEO of a client
    • 2.2 Pretending to be an internal email from the CEO of the organization
    • 2.3 Registration of similar domains
    • 2.4 Abuse of free email
    • 2.5 BEC mail written in Japanese
    • 2.6 BEC mail that uses the hijacked mail account as it is
    • 2.7 Forged email signatures
    • 2.8 Contact using LinkedIn
    • 2.9 Identity of the attacker
  • 3 A series of flow from targeting to remittance (BEC Kill Chain)
    • 3.1 Targeting by OSINT
    • 3.2 Unauthorized login to email account
    • 3.3 Mailbox reconnaissance
    • 3.4 Sending fraudulent emails
    • 3.5 Persuasion to send money
  • 4 Countermeasure approach
    • 4.1 Perceive BEC as a management issue
    • 4.2 Strengthening checks in the accounting department
    • 4.3 Notification to business partners
    • 4.4 Multi-factor authentication
    • 4.5 Warning on receipt from a free email address
    • 4.6 Warning when sending to a free email address
    • 4.7 Warning when the From address and Reply-To address differ
    • 4.8 Detecting receipt from unreliable TLDs
    • 4.9 Detecting receipt from addresses with a TLD in front of the @
    • 4.10 Finding similar domains
    • 4.11 DMARC
  • 5 Incident response
    • 5.1 Contacting banks and law enforcement (recovery of transfers)
    • 5.2 Checking whether your email account has been compromised
    • 5.3 Checking for malware infection
    • 5.4 Changing passwords
    • 5.5 Takedown of domains obtained by attackers
    • 5.6 Negotiations and apportionment with business partners
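As an added illustration of the mail-gateway checks listed under 4.5, 4.7, 4.8 and 4.9 (example code written for this page, not part of the report or of Macnica's or ITCCERT's tooling), the function below parses a message's headers and reports which checks fire; the free-mail domains, the "unreliable" TLDs and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed placeholder lists; a real gateway would maintain its own.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
UNRELIABLE_TLDS = {"xyz", "top", "club"}
# Local part ending in something that looks like a domain suffix (4.9),
# e.g. "ceo.example.co.jp@gmail.com".
TLD_BEFORE_AT = re.compile(r"\.(com|net|org|jp|co\.jp)$", re.IGNORECASE)


def check_headers(raw_message: str) -> List[str]:
    """Return the names of the countermeasure checks that fire on a message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" not in from_addr:
        return ["malformed-from"]
    local, from_domain = from_addr.rsplit("@", 1)
    from_domain = from_domain.lower()
    findings = []
    # 4.7: From and Reply-To point to different addresses.
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append("reply-to-mismatch")
    # 4.5: the sender uses a free email service.
    if from_domain in FREE_MAIL_DOMAINS:
        findings.append("free-mail-sender")
    # 4.8: the From or Reply-To domain ends in an unreliable TLD.
    domains = [from_domain] + ([reply_to.rsplit("@", 1)[-1].lower()] if "@" in reply_to else [])
    if any(d.rsplit(".", 1)[-1] in UNRELIABLE_TLDS for d in domains):
        findings.append("unreliable-tld")
    # 4.9: a TLD-like suffix sits in front of the @.
    if TLD_BEFORE_AT.search(local):
        findings.append("tld-before-at")
    return findings


# Constructed sample message (not a real incident).
SUSPICIOUS = (
    'From: "Taro Yamada" <t.yamada.example.co.jp@gmail.com>\n'
    "Reply-To: <accounts@example-co.xyz>\n"
    "Subject: Urgent: updated bank details for invoice 1123\n\n"
    "Please remit to the new account before Friday.\n"
)
CLEAN = "From: <tanaka@example.co.jp>\nSubject: Invoice 1123\n\nAttached.\n"

if __name__ == "__main__":
    print(check_headers(SUSPICIOUS))  # fires 4.7, 4.5, 4.8 and 4.9
    print(check_headers(CLEAN))       # fires nothing
```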

Download the report "Business Email Compromise and Countermeasure Approaches"
