What is Business Email Compromise (BEC)?
Business email compromise (BEC) is a form of cybercrime wherein perpetrators exploit email to deceive individuals into transferring funds or revealing sensitive corporate data. By impersonating trusted contacts, scammers manipulate victims into paying false invoices or disclosing information for further exploitation. The prevalence of BEC scams is escalating, particularly with the surge in remote work—last year, the FBI received nearly 20,000 complaints related to BEC incidents.
What is the Main Goal of BEC?
The primary objective of a BEC attack is to acquire funds, obtain system access, or compromise confidential data through the recipient’s misconception of receiving a genuine email from an authoritative figure. These attacks hinge on the assumption that high-ranking personnel regularly employ email for authorization, thus minimizing suspicion towards the fraudulent message.
Types of Business Email Compromise Scams
Data theft
At times, scammers initiate their strategy by targeting the HR department to pilfer company information, such as an individual’s schedule or personal phone number. This initial step makes it easier to execute other BEC scams, increasing their credibility.
CEO fraud
Scammers either spoof or hack into a CEO’s email account, then send instructions to employees to make purchases or wire money. They might even request employees to buy gift cards and send photos of the serial numbers.
False invoice scheme
Posing as a legitimate vendor your company works with, scammers send fake bills via email, often resembling real ones closely. The account number might differ by just one digit, or they may ask for payment to a different bank, citing a bank audit.
Account compromise
Using phishing or malware, scammers gain access to a finance employee’s email account, like that of an accounts receivable manager. They then send fake invoices to the company’s suppliers, asking for payment to a fraudulent bank account.
Lawyer impersonation
In this scam, attackers illicitly access an email account at a law firm. They then send clients invoices or links for online payment. While the email address appears genuine, the bank account provided is not.
How do BEC scams work?
Here’s the sequence of events in a BEC scam:
- Scammers conduct research on their targets and devise methods to impersonate them. This might involve creating counterfeit websites or registering companies with identical names to yours in other jurisdictions.
- Once inside a compromised mailbox, scammers monitor email to identify the individuals involved in financial transactions. They study communication patterns and scrutinize invoices.
- The scammer endeavors to earn the target’s confidence before requesting funds, gift cards, or sensitive information.
- In email exchanges, the scammer assumes the identity of one of the parties by spoofing the email domain.
Targets of Business Email Compromise
A BEC scam can target anyone, including businesses, governmental entities, nonprofits, and educational institutions, with a focus on individuals in the following roles:
- Executives and leaders, whose information is typically accessible on the company’s website, making it easier for attackers to feign familiarity.
- Finance personnel such as controllers and accounts payable staff, who possess crucial financial data including banking details, payment procedures, and account numbers.
- HR managers, who maintain employee records containing sensitive information like social security numbers, tax documents, contact details, and schedules.
- New or junior employees, who may lack the experience to discern the legitimacy of an email sender.
The Dangers of BEC
In the event of a successful business email compromise attack, your organization may face the following consequences:
- Financial losses ranging from hundreds of thousands to millions of dollars.
- Extensive identity theft repercussions if personally identifiable information is compromised.
- Inadvertent disclosure of confidential data, including intellectual property.
BEC Threat Examples
Facebook and Google
Among the largest BEC scams recorded, this scheme led to approximately $121 million in losses spanning a two-year period. The perpetrator and accomplices established a counterfeit company mirroring the name of a legitimate supplier. They subsequently submitted invoices to Google and Facebook, which were paid based on fabricated contracts and documents provided by the fraudulent entity.
Toyota
In 2019, a Toyota subsidiary fell victim to a BEC attack, resulting in a $37 million loss for the parts supplier. Hackers succeeded in persuading an employee to initiate the money transfer well before the attack was detected.
One Treasure Island
The nonprofit organization One Treasure Island, headquartered in San Francisco, suffered losses exceeding $600,000 due to a BEC attack. Hackers compromised the email account of a third-party bookkeeper and manipulated an invoice, leading to a loan intended for a partner organization being redirected to the criminals’ bank account.
Government of Puerto Rico
In 2020, a high-ranking government official was deceived into transferring $2.5 million to a fraudulent bank account. This occurred after the official received an email from another government employee—whose email account had been compromised and exploited by hackers—alleging a change in banking details for remittance payments. Subsequently, the funds were transferred to the “new” bank account.
How to Prevent BEC Threat Attacks?
Implement a secure email solution
Utilize email platforms like Office 365, which automatically identify and remove suspicious emails or notify you of unverified senders. Additionally, you can proactively block certain senders and flag emails as spam. Enhance protection with Defender for Office 365, offering advanced phishing defense and detection of suspicious forwarding activities.
Enable multifactor authentication (MFA)
Enhance the security of your email accounts by implementing multifactor authentication, requiring additional verification such as a code, PIN, or fingerprint along with the password during login.
Educate employees on identifying warning signs
Ensure all staff members are trained to recognize indicators of phishing attempts, such as suspicious links, inconsistencies between domains and email addresses, and other suspicious activities. Conduct simulated BEC scam exercises to enhance awareness and preparedness.
Establish security defaults
Administrators can enhance security protocols across the organization by enforcing the use of MFA for all users, implementing authentication challenges for new or risky access attempts, and mandating password resets in case of information leakage.
Utilize email authentication mechanisms
Strengthen email security against spoofing attacks by implementing Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols to authenticate senders.
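As an added example (not code from the original article), the Python below turns the warning signs from the training section and the SPF/DKIM/DMARC verdicts from this one into a mailbox-side check: it parses a raw message, flags a sender domain that is one character away from a vendor the company pays, reads the receiving server's Authentication-Results header, and looks for payment-change or urgency wording. The trusted vendor domains, the phrase list and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (constructed): domains the finance team legitimately pays.
TRUSTED_DOMAINS = {"acme-supplies.com", "example-corp.com"}
PAYMENT_PHRASES = ("new bank", "updated banking", "wire", "gift card", "urgent")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list:
    """Return the BEC warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Sender domain one edit away from a vendor the company actually pays.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and edit_distance(from_dom, trusted) == 1:
            findings.append(f"lookalike domain {from_dom} imitates {trusted}")
    # SPF/DKIM/DMARC verdicts recorded by the receiving server were not all pass.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            findings.append(f"{mech}: {m.group(1) if m else 'missing'}")
    # Payment-change or urgency language in the body.
    body = msg.get_payload(decode=True).decode(errors="replace").lower()
    hits = [p for p in PAYMENT_PHRASES if p in body]
    if hits:
        findings.append("payment/urgency phrases: " + ", ".join(hits))
    return findings

# Constructed sample: vendor lookalike domain plus a changed-bank-account request.
SAMPLE = """From: Accounts <billing@acme-supp1ies.com>
To: ap@example-corp.com
Subject: Invoice 4471 - updated banking details
Authentication-Results: mx.example-corp.com; spf=pass; dkim=none; dmarc=fail

Please wire this month's payment to our new bank account, urgent.
"""

if __name__ == "__main__":
    print("\n".join(bec_indicators(SAMPLE)))
```

A real deployment would read Authentication-Results only from your own mail server's header (attackers can forge the header in the message they send) and would feed the findings into a quarantine or a finance-team review step rather than a print.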
Adopt a secure payment platform
Consider transitioning from traditional emailed invoices to a specialized payment system designed to authenticate transactions securely.
FAQs
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a type of cybercrime where perpetrators use email to deceive individuals into transferring funds or disclosing sensitive corporate data. They often impersonate trusted contacts to manipulate victims into paying false invoices or divulging information for further exploitation.
How do BEC scams work?
BEC scams typically involve scammers researching their targets, impersonating trusted contacts, monitoring emails, and then requesting funds, gift cards, or sensitive information. They often exploit vulnerabilities in email systems and employee trust to carry out their schemes.
Who are the targets of BEC scams?
BEC scams can target anyone, including executives, finance personnel, HR managers, and even new or junior employees. Attackers focus on individuals with access to financial data, sensitive information, or those who may be less experienced in identifying fraudulent emails.
What are the dangers of BEC attacks?
The consequences of successful BEC attacks can include significant financial losses, identity theft, and inadvertent disclosure of confidential data. These scams can have far-reaching implications for organizations, leading to reputational damage and legal repercussions.
How can organizations prevent BEC threats?
Organizations can take several steps to mitigate BEC threats, including implementing secure email solutions, enabling multifactor authentication, educating employees on identifying warning signs, establishing security defaults, utilizing email authentication mechanisms, and adopting secure payment platforms.
What are some examples of notable BEC scams?
Notable examples of BEC scams include incidents targeting companies like Facebook, Google, Toyota, nonprofit organizations like One Treasure Island, and government entities such as the Government of Puerto Rico. These cases highlight the wide-ranging impact and severity of BEC attacks across various sectors.
Conclusion
Business Email Compromise (BEC) poses a significant threat, especially with the rise of remote work. To defend against BEC attacks, organizations must implement secure email solutions, enable multifactor authentication, and educate employees on identifying warning signs. Leveraging email authentication mechanisms and adopting secure payment platforms are additional measures to mitigate risk. Proactive efforts are crucial in safeguarding assets and maintaining operational integrity in today’s digital landscape.