Real estate millionaire and Shark Tank shark Barbara Corcoran has admitted to falling foul of a business email compromise (BEC) scam and losing $388,000. The fraud began when her bookkeeper received an email from a source she believed was legitimate: Barbara’s personal assistant. The email asked her to pay the money by wire transfer to a German company called FFH Concept. When the bookkeeper questioned the payment, the scammer replied with a plausible explanation, and the money was sent.
In fact, the email the bookkeeper received was spoofed by the attacker. It had been made to look like it had come from the assistant. On closer inspection, there was an ‘o’ missing from the source address. The mistake was only discovered when a later email, with a few more questions concerning the transaction, was sent to the correct address. By that time, the money had gone and, so far, investigations have only managed to identify the attacker’s IP as originating in China. After seeing the messages between the criminal and her bookkeeper, Corcoran admitted that she, too, would have been taken in.[1] She later released a tweet, warning, ‘Lesson learned: Be careful when you wire money!’[2]
The Ominous BEC Scam
BEC is a widespread form of phishing that exploits human complacency and inattention to detail. We’ve covered this attack vector here. It is a targeted attack in that the attacker picks out a potential victim, such as someone who works in the finance or HR department of a company. After a bit of research, they send that person an email impersonating someone higher up the chain in the organization, in many cases from a spoofed address like the one sent to Corcoran’s bookkeeper. The mail will either request a funds transfer to a particular account or may include a malicious attachment, perhaps in the form of an invoice or a job application. The latter may contain a macro that downloads and activates malware such as trojans or ransomware. Either way, if the recipient complies with the request without double-checking the source, the company could lose a great deal of money. In 2019, the FBI estimated that almost 50% of cybercrime financial losses were caused by BEC scams.[3]
One thing to note about the Corcoran incident is that the email came from a look-alike address with an ‘o’ missing. In many cases, however, the attacker’s email comes from the correct email address itself. This underlines how important it is to have proper cybersecurity awareness training in place that governs how employees should treat certain activity. In this scenario, trained personnel would at the very minimum have verified the request with a quick phone call.
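As an added illustration, not code from the article, here is a small Python check that a mail gateway or a finance-team tool could run on the From: header before anyone acts on a payment request; it catches the missing-letter look-alike described above as well as a borrowed display name. The addresses, domains and the two-edit threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data (not from the article): senders the finance team expects
# payment requests from, and the company's own domains.
KNOWN_SENDERS = {"assistant@example-corp.com", "ceo@example-corp.com"}
INTERNAL_DOMAINS = {"example-corp.com"}
MAX_EDITS = 2  # assumption: a look-alike differs by a dropped or swapped character or two


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from):
    """Classify a From: header as known-internal, internal, lookalike,
    display-name-spoof, external or malformed."""
    display, addr = parseaddr(header_from)
    addr, display = addr.lower(), display.lower()
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1]
    if addr in KNOWN_SENDERS:
        return "known-internal"
    # Display name borrows a known sender's name but the address is someone else's.
    if display and any(display == k.split("@")[0] for k in KNOWN_SENDERS):
        return "display-name-spoof"
    # Address or domain is within a couple of edits of a trusted one (the missing 'o').
    if any(edit_distance(addr, k) <= MAX_EDITS for k in KNOWN_SENDERS):
        return "lookalike"
    if domain not in INTERNAL_DOMAINS and any(
            edit_distance(domain, d) <= MAX_EDITS for d in INTERNAL_DOMAINS):
        return "lookalike"
    if domain in INTERNAL_DOMAINS:
        return "internal"
    return "external"
```

Anything classified as lookalike or display-name-spoof is exactly the case where the checklist's out-of-band phone call must happen before money moves.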
There are, however, ways to mitigate these attacks, and these are things that all companies should be implementing right now.
Checklist
- Educate staff, or anyone who handles finances or sensitive information, to spot phishing emails. Before complying with a request or opening any attachment, they should check the sender’s address for anything out of place and whether the grammar and spelling are correct. Also, conduct internal phishing tests to see whether any further training is required. This also helps shift behavior; it is not meant to shame any employee but to demonstrate the importance of cybersecurity hygiene.
- Always double-check with the sender of the email that they sent it, especially if a large amount needs transferring. But do not reply using the same email address. Instead, use the phone or text to confirm the request.
- Use external email monitoring, which can inform the employee whether the mail is from an external or internal source.
- Either block attachments from being downloaded to the network or disable the macro function in office software.
- If an email is suspected to be from an attacker, immediately inform the CISO, if there is one, or else the information security department. If the false request has already been complied with, make sure that the company’s bank is notified immediately so that a stop can be put on the money.
- If any funds transfer exceeds a specific, agreed amount, have a second person who must approve the transaction.
- Use cybersecurity software to monitor and analyze incoming and outgoing web traffic – or hire a third-party security service provider to supply network protection.
- Use a Sender Policy Framework (SPF) record. SPF lets a receiving mail server check whether the host that delivered a message is on the list of hosts the domain’s administrators have authorized, and detect and block mail that is not.
- Make sure that firewalls are in place between external sources and the network, use segmentation to protect core data, and back up to a secure location.
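To show what the SPF item in the checklist actually does on the receiving side, here is an added Python evaluator that is not part of the article: it takes a domain’s SPF TXT record and the IP address that delivered the message and returns the SPF result. The record and IP addresses are constructed samples, and as a simplifying assumption only the ip4, ip6 and all mechanisms are evaluated; mechanisms that need DNS lookups are reported as unresolved rather than recursed into.

```python
import ipaddress

# SPF qualifier prefixes and the results they produce (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF TXT record against the IP that delivered the message.

    Only ip4, ip6 and all are evaluated here. include/a/mx/ptr/exists and
    redirect= need DNS lookups and are reported as 'unresolved' (assumption:
    a full evaluator would recurse into them).
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # a mechanism that matches defaults to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        term = term.lower()
        if term.startswith("redirect="):
            return "unresolved"
        if "=" in term:
            continue  # other modifiers (e.g. exp=) do not affect the result
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name in ("include", "a", "mx", "ptr", "exists"):
            return "unresolved"
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # no mechanism matched and no 'all' term present


# Constructed record for the fictional domain example-corp.com: two authorized
# sending hosts, everything else hard-fails.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"


def should_reject(record, client_ip):
    """Policy a receiving gateway might apply: a hard fail means reject."""
    return check_spf(record, client_ip) == "fail"
```

SPF checks the sending host for the domain the message claims to come from, so it does not help against a look-alike domain the attacker registered and configured correctly; that is why the address check and the phone call in the checklist remain necessary.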
Final Thoughts
While the attack on Corcoran made the news because of her celebrity status, many others are never heard about. Phishing and BEC attacks are, sadly, all too common and cause untold misery, with billions of dollars lost. However, the fact that this case has become so public may mean that more people will become aware of such scams and learn to avoid them. For an SMB (small to medium-sized business), a single cybersecurity incident can put you out of business. Stay secure and educate!
- [1] Kelly McCarthy, ‘“Shark Tank” Millionaire Barbara Corcoran Said She Lost Nearly $400,000 to a Phishing Email,’ Good Morning America, 02/27/2020, accessed at https://www.goodmorningamerica.com/culture/story/shark-tank-millionaire-barbara-corcoran-lost-400k-phishing-69252601
- [2] Barbara Corcoran, tweet, accessed at https://twitter.com/BarbaraCorcoran/status/1232788500715626497
- [3] Steve Morgan, ‘Robert Herjavec: Phish Takes a $400K Bite Out of Shark Barbara Corcoran’s Company,’ Cybercrime Magazine, 02/27/2020, accessed at https://cybersecurityventures.com/robert-herjavec-phish-takes-a-400k-bite-out-of-shark-barbara-corcorans-company/