Hackers continue to adopt various methods of attack, but business email compromise (BEC) is one of the most financially damaging cyber crimes today according to the FBI. The international surge in BEC cases demonstrates its capability, making it a universal pain-point for countless organizations. So, it is vital to understand the nature of BEC to better identify and mitigate this type of scam.
What is business email compromise, and how does it work?
Previously known as a Man-in-the-Email attack, BEC uses email fraud to ‘cheat’ organizations. With increasing reliance on email communication, social engineering attacks like BEC can easily jeopardize large businesses, making it a threat across industries all over the world.
In a typical BEC scenario, hackers will try to dupe victims into actions from which they can benefit, such as gaining access to privileged information or company funds. A scammer might pose as a high-level superior, like an executive for example, to compromise their email account and send out an email to trick unsuspecting victims (usually specific employees like financial officers) into providing them with whatever it is they are after. This is also called email account compromise (EAC). Inevitably, BEC and EAC both fall under the phishing category.
Spoofing email addresses an alternative that is surprisingly easy, for example: [CEO name]@[Company name].com, and many people fall for these straight away. In addition, guessing login details doesn’t require much effort either as processes of doing so are often automated and many corporate emails are publicly available anyway.
The FBI has issued a public warning in response to the recent rise in instances of BEC. All sorts of organizations are targeted in these attacks, but their common denominator is that they usually wire transfers - like charities, retail suppliers, or government organizations, for example. Recently, a food bank in Philadelphia known as Philabundance fell victim to a BEC scam very recently, losing almost one million dollars as a result. In addition, an Australian hedge fund known as Levitas Capital has collapsed after a fake zoom invitation resulted in $8.7 million fraudulent invoices to be approved by its trustee and administrator.
Cyber criminals are thriving on human error and holes in security more than ever. It is estimated that the total worldwide cost of BEC damages is around 12.5 billion dollars, and it is suspected to become an increasingly prominent threat.
How to protect your organization from a business email compromise scam
It is vital to have the knowledge needed to identify and respond appropriately to a potential cyber threat, so organizations must effectively educate their employees to make them aware of such dangers. Issues such as human error, negligence, and naivety expand gaps in your human attack surface.
Here are some tips for if you were to receive a suspicious email:
- Do background checks. Was the emailed received anticipated, or unsolicited? It is always a good idea to confirm the information provided in the sender’s message, is it accurate - is the messaging as expected? We recommended verifying whether their email address correctly matches who they are claiming to be
- Is there a specific call to action? Usually, BEC attempts, like most phishing attempts, contain a call to action often accompanied by a tone of urgency. This characteristic is a significant indicator of a scam. When people feel stressed or anxious, they are more likely to make mistakes and comply with the attacker’s demand(s). Cyber criminals subsequently exploit this, making it a popular tactic
- Do not open any attachments. If there are attachments within the unexpected email, they can contain malware that can damage files on your computer, steal passwords, and can even spy on you via your webcam and record whatever you type
- Check your organization’s information that is publicly accessible. Ultimately, the more you reveal online, the more information you provide a scammer with - which in turn makes it easier to predict passwords and answer security questions
- View email as a threat vector. Train staff to identify potential scams - employees of all levels should be aware that they pose a potential security risk to their organization and so should be equipped with adequate knowledge on how to appropriately deal with a threat. See our guide to spotting a suspicious email to learn how to prevent unauthorized access to sensitive information and funds
Cyber crime is becoming increasingly lucrative, so staying on top of the latest trends is vital to prepare and protect your organization against future attacks. As BEC is becoming increasingly favored by cyber criminals due to its efficiency and profitability, it is crucial to be more vigilant than ever to achieve optimum security.
To stay up to date on the latest cyber security trends, sign up for our monthly newsletter.