Last Updated on 7 June 2023 by admin
Threat actors continue to adopt various methods of attack, but according to the FBI, business email compromise (BEC) is one of the most financially damaging cybercrimes today. The international surge in BEC cases demonstrates its effectiveness and makes it a universal pain point for countless organizations. It is therefore vital to understand the nature of BEC in order to identify and mitigate this type of scam.
What is business email compromise, and how does it work?
Previously known as a man-in-the-email attack, BEC uses email fraud to cheat organizations. With increasing reliance on email communication, social engineering attacks like BEC can easily jeopardize large businesses, making it a threat across industries all over the world.
In a typical BEC attack, the attackers try to dupe victims into actions that benefit the attacker, such as sending money or granting access to privileged information or company funds. For example, a scammer might compromise the email account of a high-level superior, such as an executive, and use it to send an email that tricks unsuspecting employees (usually specific roles, such as financial officers) into handing over whatever the scammer is after, e.g. bank account details or other sensitive data. This variant is also called email account compromise (EAC). Both BEC and EAC fall under the phishing category.
Spoofing email addresses is an alternative that is surprisingly easy (especially with an employee’s email account). A common example is “CEO fraud”, where the sender appears as [CEO name]@[Company name].com, and many people fall for it straight away. Guessing login details doesn’t require much effort either: the process is often automated, and many corporate email addresses are publicly available anyway. Understanding these factors will help you prevent future attacks.
The FBI has issued a public warning in response to the recent rise in BEC attacks. All sorts of organizations are targeted, but their common denominator is that they routinely make wire transfers: charities, retail suppliers, and government organizations, for example. Recently, a Philadelphia food bank known as Philabundance fell victim to a BEC scam, losing almost one million dollars as a result. In addition, an Australian hedge fund known as Levitas Capital collapsed after a fake Zoom invitation led to $8.7 million in fraudulent invoices being approved by its trustee and administrator.
Cybercriminals are thriving on human error and holes in security more than ever. The total worldwide cost of BEC damages is estimated at around 12.5 billion dollars, and it is expected to become an increasingly prominent threat.
Why is business email compromise such a serious problem?
Business email compromise can cause significant financial and reputational damage, which can be difficult to mitigate. Often, attackers impersonate senior executives, making the emails appear legitimate. Because many organizations lack the necessary monitoring tools to prevent such scams, it is essential to equip employees with the knowledge and awareness to identify the scam.
One of the most concerning aspects of BEC is its wide reach. BEC scams are not confined to one industry or region; they affect businesses of all shapes and sizes. This may be because fraudsters don’t appear to spare companies with stronger controls. It can be difficult to assess the full extent of the damage caused by BEC scams, as organizations often don’t detect the crime in a timely manner. One reason is that BEC scammers may target an individual who is out of the office, so the scam goes unnoticed for an extended period of time.
How to protect your organization from a business email compromise scam
It is vital to have the knowledge needed to identify and respond appropriately to potential cyber threats, phishing attacks, and business email compromise scams, so organizations must educate their employees effectively to make them aware of dangers such as data theft. Issues such as human error, negligence, and naivety widen the gaps in your human attack surface.
Here are some tips for when you receive a suspicious email:
- Do background checks. Was the email you received anticipated, or unsolicited? It is always a good idea to confirm the information in the sender’s message: is it accurate, and is the messaging what you would expect? We recommend verifying that the sender’s email address actually matches who they claim to be. One of the most common attacks is a hacker pretending to be a supplier and requesting fund transfers or invoice payments. A background check will help to protect you.
- Is there a specific call to action? Usually, BEC attempts, like most phishing attempts, contain a call to action such as sending X amount to Y bank account, often accompanied by a tone of urgency. This characteristic is a significant indicator of a scam. When people feel stressed or anxious, they are more likely to make mistakes and comply with the attacker’s demand(s). Cybercriminals exploit this, making it a popular tactic.
- Do not open any attachments. Attachments in an unexpected email can contain malware that damages files on your computer, steals passwords, and can even spy on you via your webcam and record whatever you type.
- Check your organization’s information that is publicly accessible. Ultimately, the more you reveal online, the more information you provide a scammer with – which in turn makes it easier to predict passwords and answer security questions.
- View email as a threat vector. Train staff to identify potential scams. Employees at all levels should be aware that they pose a potential security risk to their organization and should be equipped with adequate knowledge of how to deal with a threat appropriately. See our guide to spotting a suspicious email to learn how to prevent unauthorized access to sensitive information and funds.
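As an added example (not code from the original article), the sender and call-to-action checks from the tips above written as a small Python heuristic: it flags a known executive's display name on the wrong address, a lookalike sender domain, a mismatched Reply-To, and urgent payment wording. The organization domain, executive directory, keyword list and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values (hypothetical): our own domain and the executives whose
# names a "CEO fraud" sender is likely to borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Wording typical of the "send X to Y account, now" call to action.
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|wire|transfer|invoice|bank account)\b", re.I)

def _lookalike(a: str, b: str, max_edits: int = 2) -> bool:
    """True if domain a is within max_edits single-character edits of b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1] <= max_edits

def assess_message(raw: str) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    # 1. A known executive's display name on an address that is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append(f"display name '{name}' does not match known address {known}")
    # 2. Sender domain is not ours but resembles it (e.g. one character off).
    if domain and domain != ORG_DOMAIN and _lookalike(domain, ORG_DOMAIN):
        flags.append(f"lookalike domain {domain}")
    # 3. Replies would go somewhere other than the visible From address.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        flags.append(f"Reply-To {reply} differs from From {addr}")
    # 4. Urgent payment call to action in the body (single-part messages only).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(body):
        flags.append("urgent payment wording in body")
    return flags

# Constructed sample message mimicking CEO fraud sent from a lookalike domain.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jd.private@mail.example
Subject: Quick favour

Please transfer the invoice amount today, I am in a meeting.
"""
```

Run `assess_message(SAMPLE)` to list the four warning signs; a genuine message from the real address with no payment wording returns an empty list.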
Final Thoughts
Cybercrime is becoming increasingly lucrative, so staying on top of the latest trends is vital to prepare and protect your organization against future attacks. As business email compromise is becoming increasingly favored by cybercriminals due to its efficiency and profitability, it is crucial to be more vigilant than ever to achieve optimum security.