Business Email Compromise (BEC), one of the costliest cyberattacks ever known, cost over one billion dollars in losses in 2021 alone. Discover the best info about BEC scam.
These attacks target employees who rely on email for payments, transfers, and sensitive information exchange. Even companies with solid security can fall victim to such attacks.
Table of Contents
Fraudulent Emails
Like phishing attacks, BEC attackers tend to target specific departments within an organization and capitalize on employees being too preoccupied to think critically before acting without thinking. Therefore, all employees should read emails critically and ask any necessary questions before acting without thinking. It’s also critical that verification procedures other than email are in place – this might mean talking directly with the sender via phone or text or having two people approve any transitions or payments (wire transfers and ACH).
Fraudsters typically pose as someone the victim should trust- a colleague, boss, vendor, or even the CEO- to persuade and pressure them into providing funds or changing payment information quickly and without question. They use research techniques such as using domains similar to their company to appear legitimate when making these requests for action or changing payment information.
Cybercriminals will create fake login pages that look similar to your company system. They will use this opportunity to gain entry to your account – with password access – and begin draining funds from it. To reduce these threats, we advise limiting email services such as Gmail or Yahoo and opting for company accounts hosted on your domain. Furthermore, dual control banking must be implemented when handling wire or ACH transactions, so the approver must check with both parties involved before proceeding.
Save the Children was defrauded over $1 Million through a Business Ethic Compromise scam by Jacek Rimasauskas and others in 2018. Rimasauskas used fake invoices and documentation to trick employees at Google and Facebook into sending their donations directly into Rimasauskas’ bank accounts rather than to Save the Children accounts located overseas, where recovery may prove nearly impossible by law enforcement authorities.
Though most BEC attacks are financially driven, fraudsters may also seek other motives behind them. This may include data theft; for example, hackers gain access to HR personnel email accounts to obtain confidential information from colleagues and business partners, or they could try and gain entry to employee bank accounts and steal money directly.
Fraudulent Requests
As attacks progress, criminals impersonate individuals and request funds or sensitive data. This typically includes requests to transfer money directly into another account, divert payments from one source to another, change banking details for future transactions, or provide data. Cybercriminals typically target trusted members of your organization – such as employees in accounts payable departments and treasury teams (the FBI reported that attacks targeting these departments accounted for 61% of BEC cases in 2020); attackers frequently target HR or finance teams as targets to steal confidential or sensitive data that can further harm them against your company.
Since BEC scams involve social engineering, your cybersecurity systems will likely fail to detect them. Furthermore, criminal emails often resemble corporate communications making it harder for employees to recognize them as potentially fraudulent.
Protecting your business against business email compromise (BEC) starts with maintaining an open mind and setting clear policies with multiple levels of approval required for significant financial transactions. Furthermore, procedures should be set up to authenticate new banking information shared by vendors; any minute detail, such as an underscore instead of the dash or extra letters in names, could make it hard for employees to identify fraudulent emails from legitimate ones.
Puerto Rico’s employment retirement system was one of the many targets, where fake senior executives convinced an employee to transfer $2.6 million into fraudulent accounts after sending him an urgent message asking for critical support on an “important and time-sensitive matter.” While eventually frozen by the FBI, much of this money had gone elsewhere before reaching its intended account.
Business-centered defense against BEC includes:
- Regular and comprehensive cybersecurity training.
- Stringent policies require the approval of significant financial transactions.
- Tools that detect falsified emails and domains.
Furthermore, your employees must learn which messages may constitute BEC attacks as soon as suspicious communications emerge – the quicker a business reports an attack to authorities, the higher its chances of successfully stopping criminals while protecting other companies from becoming victims themselves.
Fraudulent Vendors
As part of their attempts to make wire transfers appear more legitimate, cybercriminals sometimes employ vendor impersonation attacks – commonly known as vendor impersonation attacks and particularly hazardous when coupled with other cyberattacks like phishing. This tactic can have serious repercussions.
Attackers often exploit publicly available information such as company names, job titles, and locations to spoof an employee’s email address and then send a message purporting to come from that employee to vendors requesting funds or sensitive data to be transferred directly into their accounts. Such attacks can happen worldwide and lead to devastating financial losses for businesses of any size.
One effective way of avoiding business email compromise (BEC) is for employees to remain vigilant and exercise an abundance of skepticism. They should be taught to identify red flags such as last-minute changes and unexplained urgency when communicating with vendors; secondary channels and two-factor authentication should also be utilized when sharing account details with vendors; they should never respond to unsolicited emails requesting financial or personal data, nor accept messages proposing changes to direct deposit or billing instructions.
Cybercriminals target any department, but accounts payable and treasury were most at risk in 2020. These departments typically handle payments, meaning fewer processes and tools exist to recognize and protect against these attacks. They may be especially susceptible if dealing with overseas suppliers or using outsourced payroll and accounting services.
BEC attacks can have severe repercussions for organizations ranging from public companies to non-profits. Furthermore, they can wreak reputation havoc by diverting funds or information away from clients that could otherwise create financial, operational, and compliance problems for your company.
BEC scammers don’t limit themselves to email; they also utilize phone calls and visits, malicious software implants on company systems to access sensitive information, or even encrypt confidential material.
Fraudulent Payments
Fraudulent payments are the hallmark of BEC scams and can cause enormous financial damage to businesses of all sizes. Criminals use fake email addresses to impersonate vendors they don’t recognize and send what appear to be legitimate invoices with payment instructions for goods or services not ordered, accompanied by fraudulent wire transfer instructions that lead to accounts controlled by fraudsters.
BEC attacks often target organizations that deal with foreign suppliers or conduct wire transfer payments regularly. Before initiating an attack, fraudsters collect corporate data by accessing public sources like social media and purchasing credentials on the dark web to identify targets. They then monitor a company’s transactional behavior, business terminology, as well as any individuals responsible for initiating fund transfers most frequently.
Once a target is identified, attackers will wait for an opportunity to request money. Vendors, employees, or even CEOs request immediate payment via diverting payroll payments, changing bank account information for future payments, or emergency wire transfer requests – although cybersecurity systems may miss these messages as maliciously as they look legitimate and not suspicious at first glance.
Attacks targeting smaller companies with limited resources and few employees can be devastating. The Town of Peterborough in New Hampshire was recently victimized when hackers took control of an employee email account and persuaded her to transfer over $2.3 million to fraudulent charges – intended for paying contractors working on repairs for its aging bridge and school building repairs – instead going offshore where law enforcement had no way of tracking it down.
BEC scams can be devastatingly destructive and highlight the need for strong policies and training programs. Like any cyberattack, the best defense against BEC fraud lies in having a comprehensive prevention strategy that covers email and other communication methods like text messaging or chat apps and programs – and is enforced with all employees regardless of seniority or job function.
Read Also: How Much Is Financial Samurai Worth?
