Three large organizations in the British and Israeli financial sectors were targeted by the Florentine Banker group.
This is how the Florentine Banker threat group carried out their Business Email Compromise (BEC) scam:
- The Florentine Banker threat group set up a phishing campaign targeting the CEO, CFO, and other individuals authorized to transfer money on behalf of the organization.
- After gaining access to a victim's account, the attackers studied the emails stored in it to understand how money transfers were processed in those organizations.
- Through four separate bank transactions, the attackers attempted to transfer £1.1 million to unrecognized bank accounts. Only £570,000 of the stolen amount could be recovered, leaving around £600,000 in permanent losses for the organizations.
Other recent incidents
In recent months, there have been several other BEC fraud attempts against organizations around the world.
- In March 2020, the APT group TA505 was seen targeting businesses in Germany through their human resources executives. The attack used a BEC-style phishing email carrying trojanized curriculum vitae files.
- In February 2020, the Canterbury Olympic Ice Rink (COIR) in south-west Sydney was duped into paying $77,216.58 to a fraudulent bank account via a BEC scam. The fraudsters posed as the UK-based company Marshall's International and requested payment for a new ice resurfacer machine the rink had recently purchased.
Prevention of BEC Scams
Here are general guidelines for preventing BEC attacks.
- Use a reliable email security solution that scans for the common patterns used in BEC scam emails (such as the words "payment", "urgent", and "request") and detects header anomalies such as an email sent from a local domain to a local domain but carrying a non-local Reply-To address.
- Implement a solution that detects advanced and evasive keyloggers and other malware used by BEC scammers. Use it to evaluate threats not only in email inboxes but also on all hosts and in network traffic.
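The two detection patterns in the first guideline are simple enough to express directly. The following script is an added example written for this page, not code from the article or from any vendor product it refers to: it screens raw email messages with the Python standard library, flagging (1) a message whose From and To are both in the organization's domain while Reply-To points elsewhere, and (2) the BEC vocabulary listed above. The organization domain `example.com`, the keyword list, the `.test` relay domain and both sample messages are constructed for illustration.

```python
"""Heuristic BEC screening over raw RFC 5322 messages (added example).

Assumptions (constructed for illustration, not from the article):
  - the protected organization's domain is example.com
  - the keyword list mirrors the words named in the prevention guidance
  - the two sample messages below are made up
"""
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed organization domain
BEC_KEYWORDS = ("payment", "urgent", "request")     # vocabulary from the guidance


def _domain(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw):
    """Return a list of findings for one raw message; an empty list means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = _domain(msg["From"])
    to_dom = _domain(msg["To"])
    reply_dom = _domain(msg["Reply-To"])

    # Pattern 1: internal-looking sender and recipient, but any reply is
    # routed to an address outside the organization.
    if from_dom == ORG_DOMAIN and to_dom == ORG_DOMAIN and reply_dom and reply_dom != ORG_DOMAIN:
        findings.append(f"reply-to leaves org: {reply_dom}")

    # Pattern 2: the pressure vocabulary typical of payment fraud, checked
    # over the subject line and the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")).lower()
    hits = sorted(k for k in BEC_KEYWORDS if k in text)
    if hits:
        findings.append("keywords: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: CEO <ceo@example.com>
To: Finance <finance@example.com>
Reply-To: CEO <ceo.example@mail-relay.test>
Subject: Urgent payment request
Content-Type: text/plain

Please process this payment today, I am in a meeting and cannot call.
"""

BENIGN = """\
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Subject: Lunch tomorrow?
Content-Type: text/plain

Same place as last week?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", screen_message(raw) or ["no findings"])
```

In production the Reply-To check would sit beside the usual SPF, DKIM and DMARC results, and the keyword hits would feed a score rather than act as a verdict on their own, since words like "payment" also appear in plenty of legitimate finance mail.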