BEC Attacks Target Canadian Organizations: Steps To Counter Them

Nova Scotia's economic development agency is the latest victim of a cyber fraud scheme that cost more than half a million dollars following a business email compromise scheme. The incident happened in May 2024 when Invest Nova Scotia transferred roughly $573,000 to a bank account it thought was legitimate.

On May 16, Invest Nova Scotia received a request from its business partner, Sandpiper Ventures, for an installment payment relating to a routine, ongoing investment transaction. Invest Nova Scotia and Sandpiper Ventures are parties to an agreement whereby Invest NS is committed to making capital contributions when requested by Sandpiper.

On May 22, Invest NS received another email that appeared to be from the same contact person but with new banking instructions for an account at the Royal Bank of Canada. Invest NS confirmed the details from another email that appeared to be from another contact person within Sandpiper Ventures, according to the report. The following day, Invest NS sent funds intended for Sandpiper by electronic funds transfer (EFT) to the new Royal Bank of Canada (RBC) account.

Later, on June 6 Invest NS learned that the funds had been sent to the RBC account belonging to a third party, not Sandpiper Ventures. Although the funds remain with RBC, the bank advised Invest NS that it would require a court order to return the funds.

The incident happened as a result of the hacking of the email of a controller at Invest NS. Invest NS is now working with the Department of Justice Canada and has filed a court application as part of a civil process to "recoup the funds from the Royal Bank of Canada (RBC) that were transferred as a result of cyber fraud." Halifax Regional Police are also investigating the incident. "Provincial employee falls victim to $573,000 cyber fraud" www.hcamag.com (Aug. 02, 2024).

Commentary

This is a textbook example of a sophisticated fraud, known as a Business Email Compromise, or BEC – a type of cyberattack that involves tricking people into sending money or sensitive information to a fraudulent account.

BEC attacks are carried out by criminals who use social engineering and computer intrusion techniques to compromise a legitimate business email account, which they then monitor while waiting for a payment to intercept.

Upcoming real estate transactions are the most common type of target for BEC attacks. The unsuspecting parties exchange emails in preparation for the money transfer. At the last minute, the cybercriminals send an email using the legitimate account, which they control, with different account numbers. If the bogus information is accepted by the parties, the money is sent to a fake account, never to be recovered.

In the above matter, the good news is the transferred funds remain within the control of RBC. Moreover, Invest NS did attempt to confirm the change of account described in the email. The problem arose when Invest NS tried to verify the account using the same email account, which was controlled by the cybercriminals. The confirming email was intercepted and the cybercriminals "responded", which led to the transfer of the funds.

If your organization receives an unexpected electronic message, or an expected message with changes to previously agreed-to conditions such as a bank account number, do not act on it immediately. Independent verification through a channel other than the message itself is necessary: for example, a call to a phone number already on file for the partner, never to a number supplied in the message.

A common method of avoiding this type of fraud is the inclusion of a previously determined passphrase or code word. Remember that the code word must be agreed upon outside of email or any other online message, so that it remains secret even if those accounts are compromised.
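The two controls above, verification outside the message channel and a code word agreed in advance, can be written down as a payment-approval rule so that finance staff cannot accidentally "confirm" a change the way Invest NS did. The following is an added example, not code from the article or from any of the organizations it names; the vendor name, account identifiers, phone numbers and code word are constructed, and the function names are this example's own. It approves routine payments to the account on file, and approves a banking-instruction change only when it was confirmed over a different channel, using contact details from the vendor record, with the correct code word.

```python
"""Payment-instruction change control modelled on out-of-band verification.
Added example: vendor names, accounts, phone numbers and the code word are
constructed, not taken from the incident described in the article."""
from dataclasses import dataclass
from enum import Enum, auto
from hmac import compare_digest
from typing import Optional


class Channel(Enum):
    EMAIL = auto()          # the channel the request itself arrived on
    PHONE_ON_FILE = auto()  # call-back to a number from the vendor master record
    IN_PERSON = auto()


@dataclass(frozen=True)
class VendorRecord:
    """What the paying organization already knows about the payee, recorded
    before any request arrives and never updated from an email alone."""
    name: str
    bank_account: str
    phone_on_file: str
    codeword: str           # agreed in person or by phone, never by email


@dataclass(frozen=True)
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str       # account the message asks to be paid
    channel: Channel        # how the request reached us
    thread_id: str          # email thread the request came in on


@dataclass(frozen=True)
class Verification:
    channel: Channel
    contact_used: str       # number dialled, or thread replied to
    codeword_given: Optional[str]


def review_payment_request(req: PaymentRequest, vendor: VendorRecord,
                           verification: Optional[Verification] = None
                           ) -> tuple[bool, list[str]]:
    """Approve routine payments to the account on file, or instruction
    changes confirmed independently of the channel the change arrived on.
    Returns (approved, reasons) so the decision can be logged."""
    reasons: list[str] = []
    if req.vendor != vendor.name:
        return False, ["request names a vendor that is not on file"]
    if req.bank_account == vendor.bank_account:
        return True, ["account matches vendor record; no instruction change"]

    # From here on, the message asks for money to go somewhere new.
    reasons.append("banking instructions differ from vendor record")
    if verification is None:
        reasons.append("no independent verification performed")
        return False, reasons
    if verification.channel == req.channel:
        # A reply on the same (possibly compromised) channel proves nothing:
        # whoever sent the change can also answer the confirmation.
        reasons.append("verification used the same channel as the request")
        return False, reasons
    if (verification.channel == Channel.PHONE_ON_FILE
            and verification.contact_used != vendor.phone_on_file):
        reasons.append("call-back number did not come from the vendor record")
        return False, reasons
    if (verification.codeword_given is None
            or not compare_digest(verification.codeword_given, vendor.codeword)):
        reasons.append("pre-agreed code word missing or wrong")
        return False, reasons
    reasons.append("change confirmed out of band; update vendor record before paying")
    return True, reasons


def walk_through_scenario() -> dict[str, bool]:
    """Constructed sequence mirroring the article: a routine request, then a
    change of account 'confirmed' in several ways, only one of them sound."""
    vendor = VendorRecord("Example Ventures Inc.", "ACCT-ON-FILE-0001",
                          "+1-555-010-0100", "harbour-lantern")
    routine = PaymentRequest("Example Ventures Inc.", 573_000.0,
                             "ACCT-ON-FILE-0001", Channel.EMAIL, "thread-42")
    changed = PaymentRequest("Example Ventures Inc.", 573_000.0,
                             "ACCT-NEW-9999", Channel.EMAIL, "thread-42")
    same_thread = Verification(Channel.EMAIL, "thread-42", None)
    number_from_email = Verification(Channel.PHONE_ON_FILE, "+1-555-010-0199",
                                     "harbour-lantern")
    proper = Verification(Channel.PHONE_ON_FILE, "+1-555-010-0100",
                          "harbour-lantern")
    return {
        "routine": review_payment_request(routine, vendor)[0],
        "change_unverified": review_payment_request(changed, vendor)[0],
        "change_same_thread": review_payment_request(changed, vendor, same_thread)[0],
        "change_number_from_email": review_payment_request(changed, vendor, number_from_email)[0],
        "change_proper": review_payment_request(changed, vendor, proper)[0],
    }


if __name__ == "__main__":
    for case, approved in walk_through_scenario().items():
        print(f"{case:25s} -> {'APPROVE' if approved else 'HOLD'}")
```

The point of the `verification.channel == req.channel` branch is the failure in the incident: a confirmation that travels over the same mailbox the attacker controls is answered by the attacker. The call-back check likewise refuses a number lifted from the suspicious email, because a vendor record that can be overwritten by the request it is meant to verify is no control at all.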
