Like pretty much everything in cyber, employee-targeted scams are growing at a huge rate - and Business Email Compromise (BEC) is no exception. Here’s what you need to know about this incredibly lucrative scam.
We hate to say it, but there’s a seemingly endless list of cyber scams out there that are still outsmarting you, your employees, your third-party vendors, and pretty much every organisation you come into contact with.
But instead of spinning your head with “88 cyber threats targeting your business”, we’d rather talk to you about one of the most prevalent and most lucrative scams out there - Business Email Compromise (BEC).
What is Business Email Compromise (BEC)?
A BEC scam is part of the phishing family tree that targets the easier gateway of your organisation - your staff. Otherwise known as a Man-in-the-Email attack, BEC attackers utilise social engineering techniques in order to dupe unsuspecting employees and senior execs.
Often, a Business Email Compromise scam involves the attacker impersonating a CEO or senior executive (or just about anyone who is authorised to conduct wire transfers), with a wealth of prior research at their disposal to trick their victim more easily.
Impersonation is made easy, as the email accounts of high-level employees (usually those involved with the finance team) are spoofed using publicly-available data breach records, or are stolen through phishing attacks or planted keyloggers.
"54% of all display name deception attacks now involve fraudsters sending emails purporting to come from a well known business brand."
How to spot a business email compromise attack
Now it's all well and good understanding the risks of business email compromise, but knowing what this type of attack looks like and how to spot one is crucial. Here are a few tips for spotting a BEC attack. The image below is one of the most common types of BEC attempt.
Tips for spotting a business email compromise:
A request for a financial or data transaction
The email is from a CEO or executive
The message usually requests an action to be done urgently
Do you recognise the sender domain, is it spelled correctly?
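The four tips above can be turned into a simple mail-gateway triage check. The code below is an added example, not part of the original post or any product it mentions; the trusted domains, the executive name and the sample message are all constructed, and the keyword lists are a starting point rather than a complete rule set.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the organisation's own domain plus a known vendor,
# and the executives whose names an impersonator would borrow.
TRUSTED_DOMAINS = {"example-corp.com", "trusted-vendor.com"}
EXECUTIVE_NAMES = {"Jane Doe"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|payment|invoice|bank details|gift cards?|payroll)\b", re.I)

def levenshtein(a, b):
    """Edit distance, used to catch lookalike domains (e.g. a '1' for an 'l')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_bec(raw_message):
    """Return the list of BEC warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []
    if name in EXECUTIVE_NAMES and domain not in TRUSTED_DOMAINS:
        flags.append("executive display name from an outside domain")
    if reply_to and reply_to != domain:
        flags.append("Reply-To domain differs from From domain")
    if domain not in TRUSTED_DOMAINS:
        for known in TRUSTED_DOMAINS:
            if 0 < levenshtein(domain, known) <= 2:
                flags.append(f"lookalike of {known}")
    if MONEY.search(body):
        flags.append("requests a financial or data transaction")
    if URGENCY.search(body):
        flags.append("demands urgent action")
    return flags

# Constructed sample: display-name deception plus a one-character lookalike domain.
SAMPLE = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jdoe@freemail.example>
Subject: Quick favour

I'm in a meeting and need you to process a wire transfer to a new supplier today.
Send me the bank details confirmation immediately.
"""
```

Messages that raise several flags at once are the ones worth routing to a human reviewer or holding before delivery; a single urgency word on its own is not evidence of anything.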
The top types of BEC scams (FBI)
Cyber criminals will often pose as the company Chief Exec or other members of the C-suite in order to email a money transfer request to their finance team.
Using an employee’s hacked account, the attacker will request invoice payments to vendors listed in their email contacts. As you’ve probably guessed, this money will be unknowingly sent into a fraudulent bank account.
Bogus Invoice Scheme
An attack that is often targeted at companies with foreign suppliers, a cyber criminal will impersonate a supplier in order to request fund transfers to an account owned by the fraudsters.
Rather than looking directly for a transfer of money, attackers will often target employees in HR or Accounting in this scam. The aim here is to obtain personally identifiable information (PII) of employees and execs -- which can then be used as ammunition in future scams.
How dangerous is BEC to your organisation?
The fact that Business Email Compromise scams are projected to earn over $9 billion globally in 2018 is a good indicator that this type of attack is pretty damn frightening. Even so, let’s dig into the figures and facts a little deeper:
As a result of BEC, identified exposed losses have increased by 2,370% since January 2015
BEC scams have been reported in over 130 countries
$5.3B recorded global losses in 2016 - set to increase to $9B in 2018
Attackers are now using cheaper alternatives to keyloggers, turning instead to phishing PDFs and fake sites.
What can your business do about BEC?
BEC can be deflected if employee security awareness training is in place, as it is reliant on social engineering. Here are a few simple ways you can get that started:
#1 Enable 2FA for your employees
Yes, it requires an extra step, but convenience should never be prioritised over security, even if it means the wrath of employees now and then. Implementing 2FA as a security policy in your business will make it much harder for a criminal to gain access to employees' email accounts, and therefore much harder to launch a BEC attack. Surely it's a no-brainer?
#2 Teach employees how to spot phishing
Employees are the ultimate target in BEC attacks, so educating them on how to spot the warning signs is incredibly important if you’re to avoid contributing to the $9B chest. Feel free to try out our security awareness training platform that raises employee knowledge on attacks such as BEC. We’re not gonna sit here and say it’s the best, but it definitely is...
#3 Rethink how your employees send money and share data
With GDPR now in full swing, you’re no doubt sick to death of drawing up new data handling plans for your organisation. But just in case you’ve not quite been pushed over the edge yet, let us reinforce it -- your users need to be educated on how to handle and share money and data. BEC scams rely heavily on employee urgency and poor awareness, so make this another key factor of your awareness programme. We can also help out with that -- visit our GDPR employee awareness training page to find out more.