Business Email Compromise (BEC) attacks are a growing threat to businesses both large and small because they prey on the vulnerabilities that technology can’t patch – people. While people may be your strongest asset, when it comes to cybersecurity, they can also be your weakest link.
What is Business Email Compromise?
BEC, also known as Imposter Email or CEO fraud, is an evolving threat designed to make victims believe they are transferring money or data to an external supplier, business executive, attorney or broker when they are in fact being swindled by cyber-criminals, who will often even follow up with an impersonator’s phone call to ensure transactions are seen through.
Unlike other cyber attacks, BEC emails don’t contain malware or malicious URL’s. Instead, they take advantage of social engineering, targeting people who have access to sensitive information such as the CFO, human resources, finance or administrative assistants.
BEC attackers study all aspects of organizations by becoming a frequent website visitor and reviewing employee’s social media sites to gain a full understanding of the organizational structure and interests.
Why is Business Email Compromise so successful?
For cybercriminals, BEC attacks offer low-risk, high return opportunity. They don’t require costly infrastructure and because attacks often cross international borders, few scammers are prosecuted. In April 2019, the FBI reported that business losses to BEC attacks had doubled in 2018 and cybercriminals made $1.3 billion from US companies alone. The BFI reported global losses hit $12.5 billion.
BEC attackers succeed because they create emails that look deceptively like a legitimate message while asking for tasks the victim would typically perform. Using a technique called “spoofing”, the attacks trick people into thinking they’ve received an email from a boss, co-worker, partner or vendor requesting a wire transfer, tax records or other sensitive data.
In addition to imitating the look of a legitimate email, the BEC criminals use proven psychological tricks to pay on the eagerness of worker to please leaders while creating a false sense of security. The BEC success counts on their targets not taking the time to verify the requestor email.
The Forms of Business Email Compromise
According to the FBI’s Internet Crime Complaint Center (IC3), there are five main scenarios by which BEC is executed.
- Bogus Invoice Scheme: When a business, which has a long-standing relationship with a supplier, is requested to wire funds for invoice payment to an alternate, fraudulent account.
- CEO fraud: When the compromised email account of a high-level executive is used to request a wire transfer to a fraudulent account.
- Account compromise: When an employee of a company has their email account compromised and it’s then used to request an invoice payment by a customer to a fraudulent account.
- Attorney impersonation: When victims are contacted by fraudsters identifying themselves as lawyers and are pressured into transferring funds to a fraudulent account.
- Data theft: When fraudulent emails are used to request either wage or tax statement (W-2) forms or a company list of personally identifiable information (PII).
Protect against BEC fraud
Having a written policy in place, and training your employees with respect to the policy, can help protect you against these scams. Here are a few other things to think about to protect yourself and your business from BEC attacks:
- Educate: Educate employees on how to spot these types of scams by making them aware that employee email addresses can be spoofed.
- Authenticate: The Canadian Anti-Fraud Centre recommends businesses consider a two-step verification process for wire transfer payments so that your business requires two forms of communication to confirm a wire-transfer request is legitimate.
- Think before posting: Take precautions when posting information online or on social media sites about where and when senior staff, including the CEO or CFO, are on vacation or away from the office.
- Guard all data: Ensure all software, including anti-virus software, is up to date on all computers and servers in your office(s).
Recovering from a BEC attack?
If a wire-transfer attack was successful, here are some suggestions of what to do next:
- Contact your bank and enquire about where the transfer was sent.
- Report the attack to your local law enforcement agency.
- Notify your insurers, shareholders and any other agencies that sensitive information may have been compromised.
- Review your threat landscape and assess why the attack was successful.
- Perform a threat assessment to discover any hidden risks and evaluate your readiness to respond to future threats.
- Revisit your awareness training efforts and investigate solutions which truly change behaviour.
Becoming More Effective Every Day
BEC attacks are constantly evolving with the business and individual user environment. It’s not enough to keep up with the latest malicious tactics. You need to stay one step ahead.
Prevention and detection are imperative. Now is the time for businesses to educate themselves about BEC, train their employees, and create an environment that encourages compliance. Together with hardened networks and optimized controls, these measures provide organizations with the advantage they need to keep BEC at bay.
To learn more about how Cytelligence can protect your organization from BEC attacks, please click here.