GKSD - stock.adobe.com

Dutch organisations address business email compromise fraud

Public-private partnership in the Netherlands works to break the chains used by fraudsters to carry out BEC attacks

This article can also be found in the Premium Editorial Download: CW Europe: CW Europe: 5G rush in Russia

The FBI’s Internet Crime Complaint Center received nearly 24,000 reports of business email compromise (BEC) fraud last year, involving sums totalling more than $1.7bn worldwide. To tackle this highly damaging form of cyber crime – and other types of attack – in the Netherlands, the Dutch Public Prosecutor’s Office and the Hague Security Delta Office are working in a public-private partnership with banks, companies, governments and knowledge institutes.

The best-known case of BEC fraud – also known as CEO fraud – in the Netherlands concerned cinema chain Pathé. In 2018, criminals posed as directors at the company’s French head office and sent emails to its Dutch management requesting money to pay for a takeover abroad. The Dutch management received an urgent request not to tell anyone about the transactions in order to take the wind out of competitors’ sails.

Although Pathé’s Dutch management had their doubts about the request, they cooperated. After the first transaction, the fraudsters started asking for ever larger amounts and a total of €19.2m was taken. It was only when the Dutch management knocked on the door of their French parent company to explain there was too little money to transfer, that the CEO fraud became apparent.

The Netherlands’ public-private partnership to tackle BEC fraud aims to map out how cyber criminals work to disrupt their business model and increase the chance of identifying the cyber criminals. Lodewijk van Zwieten, prosecutor of cyber crime at the Public Prosecutor’s Office, said: “We are working with various partners to gain insight into the processes and modus operandi of cyber criminals. After all, the old-fashioned search for criminals does not always work effectively in the digital world.

“By gaining insight into the digital criminal business model, we can tackle the phenomenon. We have chosen to start with the cyber crime method that causes the most damage worldwide – BEC.”

Although the FBI has reported global losses of $1.7bn resulting from BEC, actual losses are likely to be higher. Many companies do not report such attacks, which is why no reliable figures are available for the Netherlands.

“There is only limited reporting and the figures that are available say very little,” said Van Zwieten. “But that is no reason to doubt the figures from the FBI and various security companies. We want to invest as much as possible to combat this cyber crime.”

Once the cyber criminals’ business model has been revealed, it is important to disrupt the processes effectively, said Van Zwieten. “The use of criminal law is not always effective or desirable in tackling this type of crime,” he said. “But when such a criminal has a business model with dependencies – in the ordinary world, we call that a supply chain – then an approach can focus on that supply chain.

“We see that hardened criminals hide themselves very well, which makes it difficult to catch them, but if we disrupt their business model by focusing on the facilitating organisations, we have a better chance of getting close to them.”

Read more about cyber crime

“What we are mapping out is the complete process that an average BEC criminal follows, from the moment he or she gets an idea, to the moment they put the money in their back pocket. We really put ourselves in the criminal’s shoes and try to figure out what steps they have to go through and who and what they need.

“This way, you find out that criminals also need external expertise. They can get it from an above-ground market, such as hosting, or from an underground market, such as knowledge about money laundering. We map out this value chain within the partnership.”

The group is currently developing a number of interventions to make it more difficult for cyber criminals to carry out their work. “By this, we mean interventions that make potential victims more resilient,” said Van Zwieten. “For example, we are also working with banks to see how we can trace fraudulent transactions sooner.”

Van Zwieten gave the example of a digital invoice, on which the account number is changed by a criminal. When a bank sees such a transaction, an alarm bell should go off because the account number differs from the one through which regular payments are made.

“This is how we actually try to erect all kinds of barriers for BEC criminals as quickly as possible,” he said. “Things that make the criminal’s processes not run so smoothly, so he or she stops or has to go to a lot more trouble. Criminals often don’t want the latter, because then they have to step out of the shadows, increasing the chances of being caught.”

Broader cooperation

The Netherlands’ partnership also works with others inside and outside the EU, but for the time being, these partnerships depend on individual cases. “Our ambition is to work more structurally with a group of countries against cyber crime and BEC,” said Van Zwieten. “It is valuable to share experience and knowledge about how cyber criminals operate and which interventions work effectively to disrupt business models. We have this ambition for BEC, but also for other phenomena, such as DDoS [distributed denial of service], ransomware and phishing.

“We also want to collaborate with the [Dutch employers’ organisation] VNO-NCW to determine how we can get the message to the right companies in the right way.”

Now that the Covid-19 crisis is forcing many companies’ employees to work from home, the Netherlands’ public prosecutor is expecting an increase in cyber crime. “We foresee an increase in digital attacks,” said Van Zwieten, “not only by cyber criminals, but also by young people who are obliged to sit at home, get bored and then seek their pleasure behind a keyboard.”

He pointed to the DDoS attack that recently hit Dutch meals-on-wheels organisation Thuisbezorgd. “To carry out such an attack, you don’t have to be a seasoned cyber criminal,” he said.

But the current crisis is also fertile ground for CEO fraud, Van Zwieten added. “People may not be surprised to suddenly receive an email from their boss asking them to transfer a large sum of money, otherwise the company will fall apart in this crisis.”

That is why the work of the Netherlands’ public-private partnership is so important, he said. “We want to demonstrate that this is a good way to deal with cyber crime and so make the Netherlands and Dutch companies a lot more unattractive to cyber criminals.”

Read more on Antivirus, firewall and IDS products

Data Center
Data Management