Business Email Compromise (BEC) attacks — sophisticated email scams designed to con companies out of money and sensitive data — are on the rise. Researchers at both Agari and IBM have seen notable increases in the number of BEC attacks. This is not too surprising given that cybercriminals like to use this type of attack because it is very effective and requires minimal technical knowledge. They have used BEC scams to steal more than $5 billion (USD) from businesses worldwide, according to the US Federal Bureau of Investigation (FBI).
Although carrying out a BEC attack does not require much technical know-how, it does require a lot of time and research. Digital con artists use phishing emails, social engineering techniques (e.g., scouring social media websites), and other tools to get the detailed information they need to scam a targeted business. Once they have it, they create the BEC email. The cybercriminals strive to get both the wording and graphical elements to look like a legitimate email from that business (or from an organization it does business with, such as a supplier). They spend a good deal of time creating the BEC email in the hope that its legitimacy will not be questioned.
Each BEC scam is specific to the business being attacked. However, when the FBI analyzed complaints from companies that reported falling victim to BEC attacks, it found several common variations of the scam. The digital con artists often:
- Masquerade as business executives, requesting wire transfers or employees’ personal information
- Pose as suppliers, requesting invoice payments
- Pretend to be accounting staff, requesting invoice payments from vendors
- Impersonate lawyers or law firm staff, requesting a fund transfer
Similarly, when the IBM researchers analyzed real-life BEC scams, they found several common tactics being used. They discovered that cybercriminals often:
- Hack or spoof email accounts so that the phishing and BEC emails appear to be from known contacts
- Monitor the inboxes of compromised email accounts
- Mimic previous email conversations or insert themselves into current email conversations between employees
- Masquerade as known business contacts, requesting that wire payments be sent to a supposedly updated bank account number
- Create email filters so that communications occur only between themselves and the victims
- Fill out the appropriate forms and spoof supervisor emails to complete the necessary paperwork and get any required approvals
How to Avoid Becoming the Next Victim
Law enforcement has been cracking down on BEC scams. For example, two cybercriminals involved in more than 20 cases of BEC fraud were arrested in February 2018. However, many more digital con artists are out there. Thus, you should be proactive and take steps to avoid becoming a BEC victim:
- Let your employees know about the common BEC scam variations. Being aware of BEC attacks is one of the best ways to avoid falling victim to them. Also teach employees how to spot phishing emails since cybercriminals use them to gather information prior to creating the BEC emails.
- Do not use free web-based email accounts (e.g., Gmail) for business email accounts. Digital con artists often target businesses that use these accounts.
- Block the ability to automatically forward emails to external email addresses. This will prevent cybercriminals from forwarding company emails to their own accounts.
- Set up two-step verification for business email accounts. That way, these accounts will be more difficult to hack.
- Be careful about what you post on your business’s website. For example, do not post hierarchical information (who reports to whom), as this information might help attackers determine the best person to target in a BEC scam.
- Consider implementing a social media policy that offers guidance on what employees should and should not post on social media sites. Digital con artists like to gather company-related information from these sites.
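Two of the tactics IBM observed, mail forwarded out of compromised accounts and filters that keep the conversation away from the real mailbox owner, can be checked for in a periodic review of mailbox rules, which also backs up the advice above to block external auto-forwarding. The following is an added example, not code from the original article: the rule-export format is hypothetical (not any mail platform's API), and the domain example.com, the addresses and the sample rules are constructed.

```python
# Added example: review a constructed inbox-rule export for BEC-style rules,
# i.e. forwarding to addresses outside the organisation and filters that hide
# or delete payment-related threads from the mailbox owner.
INTERNAL_DOMAINS = {"example.com"}  # domains the organisation owns (assumed)
PAYMENT_WORDS = ("invoice", "wire", "payment", "bank", "transfer")
HIDING_FOLDERS = {"rss feeds", "junk", "deleted items", "archive"}

def is_external(address: str) -> bool:
    """True when the address domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def review_rule(rule: dict) -> list:
    """Return the reasons a rule looks like a BEC-style filter (empty = clean)."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    if external:
        reasons.append("forwards to external: " + ", ".join(external))
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    if rule.get("move_to", "").lower() in HIDING_FOLDERS:
        reasons.append("hides mail in '%s'" % rule["move_to"])
    subject = rule.get("subject_contains", "")
    # Hiding mail is far more suspicious when the rule targets payment threads.
    if reasons and any(w in subject.lower() for w in PAYMENT_WORDS):
        reasons.append("targets payment-related subject '%s'" % subject)
    return reasons

def suspicious_rules(rules: list) -> dict:
    """Map 'mailbox/rule name' to findings for every rule that has any."""
    out = {}
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            out["%s/%s" % (rule["mailbox"], rule["name"])] = reasons
    return out

# Constructed sample export: one benign rule and two BEC-style rules.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "subject_contains": "newsletter", "move_to": "Reading"},
    {"mailbox": "alice@example.com", "name": ".",  # near-invisible rule name
     "forward_to": ["accounts.payable@gmail.example"]},
    {"mailbox": "bob@example.com", "name": "Cleanup",
     "subject_contains": "Invoice", "move_to": "RSS Feeds"},
]

if __name__ == "__main__":
    for key, reasons in suspicious_rules(SAMPLE_RULES).items():
        print(key, "->", "; ".join(reasons))
```

Exporting the real rules from the mail platform and feeding them into `suspicious_rules` on a schedule turns the "block external forwarding" advice into something that is verified rather than assumed.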