Lab Exercise 3: Business Email Compromise (BEC) Case Study

Objective

To understand the tactics used in BEC scams and learn how to recognize and prevent them.

Instructions

  1. Read the following case study detailing the Facebook and Google BEC scam:

Case Study: Facebook and Google: $121m BEC Scam

Between 2013 and 2015, tech giants Facebook and Google fell victim to one of the largest BEC scams in history, resulting in collective losses of around $121 million. The mastermind behind this elaborate hoax was Evaldas Rimasauskas, who was sentenced to five years in prison in 2019.

Rimasauskas and his associates devised a scheme by setting up a fake company named “Quanta Computer,” mirroring the name of a legitimate hardware supplier. They then proceeded to create convincing invoices, which were presented to Facebook and Google for payment. These invoices directed the funds to bank accounts controlled by Rimasauskas.

To further authenticate the scam, the perpetrators prepared counterfeit lawyers’ letters and contracts, ensuring that their banks accepted the transfers without suspicion.

The sophistication of the scheme is exactly why the Facebook and Google BEC scam serves as a stark reminder to all organizations of the risks posed by BEC attacks: even the most tech-savvy companies can fall victim to such elaborate hoaxes, which underlines the importance of robust email security measures and employee awareness training.

  2. Analyze the tactics employed by the scammers, including setting up a fake company, creating convincing invoices, and preparing counterfeit legal documents.
  3. Identify the red flags or warning signs that could have alerted Facebook and Google to the fraudulent activity, such as discrepancies in the company name or inconsistencies in the invoices.
  4. Brainstorm and discuss potential strategies and security measures that could have prevented or mitigated the BEC scam, such as implementing verification processes for new vendors or enhancing employee training on BEC awareness.
  5. Reflect on the lessons learned from the case study and identify actionable steps for improving email security practices within your organization or personal accounts, such as implementing multi-factor authentication or conducting regular security audits.
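The following script is an added worked example for steps 3 and 4; it is not part of the original lab text and does not describe the controls Facebook or Google actually used. It shows how an accounts-payable screening step can turn the red flags from the case study (a vendor name that mirrors a known supplier, a sender domain or bank account that does not match the vendor on file) into a hold on payment. The vendor record, e-mail addresses and bank details are constructed sample data, and the legal-suffix list and 0.8 lookalike threshold are assumptions chosen for the example.

```python
"""Invoice screening against a vendor master record (added lab example).

Not part of the original exercise. Applies the red flags from step 3
(vendor-name discrepancies, invoice inconsistencies) and the new-vendor
verification control from step 4. All vendor records, e-mail addresses and
bank details below are constructed sample data; the legal-suffix list and
the 0.8 lookalike threshold are assumptions, not standards.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Corporate suffixes ignored when comparing names ("Ltd" vs "Limited").
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "co", "corp", "corporation", "limited", "plc"}


@dataclass(frozen=True)
class VendorRecord:
    """A vendor as recorded after out-of-band onboarding checks."""
    name: str
    email_domain: str   # domain the vendor is known to send invoices from
    iban: str           # bank account confirmed by phone with the vendor


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender_email: str
    iban: str
    amount: float


def normalize_name(name: str) -> str:
    """Lowercase, strip accents and punctuation, drop legal suffixes."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def name_similarity(a: str, b: str) -> float:
    """0.0 to 1.0 similarity of two vendor names after normalization."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


def screen_invoice(invoice: Invoice, vendors: list[VendorRecord],
                   lookalike_threshold: float = 0.8) -> list[str]:
    """Return a list of findings; an empty list means the invoice passed.

    Checks: (1) the vendor is on file, (2) the sender domain matches the
    record, (3) the bank account matches the record. A near-miss name is
    reported as possible impersonation rather than as an unknown vendor.
    """
    findings = []
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    wanted = normalize_name(invoice.vendor_name)
    on_file = [v for v in vendors if normalize_name(v.name) == wanted]

    if on_file:
        record = on_file[0]
        if sender_domain != record.email_domain.lower():
            findings.append(f"sender domain {sender_domain!r} differs from vendor "
                            f"record {record.email_domain!r}")
        if invoice.iban.replace(" ", "") != record.iban.replace(" ", ""):
            findings.append("bank account differs from the account on file; confirm by "
                            "phone using the number already on record, not one from the invoice")
        return findings

    # Not on file: is the name a near match for a vendor we do know?
    scored = [(v, name_similarity(v.name, invoice.vendor_name)) for v in vendors]
    if scored:
        best, score = max(scored, key=lambda pair: pair[1])
        if score >= lookalike_threshold:
            findings.append(f"vendor name {invoice.vendor_name!r} resembles known vendor "
                            f"{best.name!r} (similarity {score:.2f}) but is not on file")
            return findings
    findings.append("vendor not on file; complete new-vendor onboarding before payment")
    return findings


# Constructed vendor master record (sample data, not a real supplier).
VENDORS = [
    VendorRecord("Northwind Hardware Ltd", "northwind-hardware.example",
                 "GB00 NWHW 0000 0000 0000 01"),
]

# Constructed invoices: one legitimate, three carrying BEC-style red flags.
SAMPLE_INVOICES = {
    "legitimate": Invoice("Northwind Hardware Limited", "ar@northwind-hardware.example",
                          "GB00 NWHW 0000 0000 000001", 48200.00),
    "changed_bank": Invoice("Northwind Hardware Ltd",
                            "billing@northwind-hardware-invoices.example",
                            "GB00 XXXX 0000 0000 0000 99", 48200.00),
    "lookalike": Invoice("North Wind Hardware Ltd", "accounts@north-wind-hardware.example",
                         "GB00 XXXX 0000 0000 0000 98", 48200.00),
    "unknown": Invoice("Contoso Plumbing", "bill@contoso-plumbing.example",
                       "GB00 XXXX 0000 0000 0000 97", 1200.00),
}


def screen_all(invoices=SAMPLE_INVOICES, vendors=VENDORS) -> dict[str, list[str]]:
    """Screen every sample invoice and return findings keyed by label."""
    return {label: screen_invoice(inv, vendors) for label, inv in invoices.items()}


if __name__ == "__main__":
    for label, findings in screen_all().items():
        print(f"{label:>12}: {'OK' if not findings else 'HOLD'}")
        for finding in findings:
            print(f"              - {finding}")
```

The deciding design choice is that a name resembling a known vendor is treated as a stronger warning than a completely unknown name: a "new vendor" triggers the onboarding process, while a near-duplicate of an existing supplier is exactly the pattern in the case study and should be routed to a person who confirms the details using contact information already on file rather than anything printed on the invoice.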