Business email compromise (BEC) attacks have increased 1,300% since January 2015, totaling over $3 billion in losses according to the FBI’s Internet Crime Complaint Center .
A BEC attack is a type of cybercrime in which an attacker tricks an employee into transferring money by impersonating a high-level executive. Criminals deploy a range of strategies to fool their victims, most often using spear-phishing and malware.
Attackers can also gain access to an organization’s network to examine vendors, billing systems, and the CEO’s email communications and travel schedule.
Then they send a fake email to an employee in the finance office, such as a bookkeeper, accountant, or chief financial officer, requesting an immediate wire transfer to be made to a trusted vendor that appears to be from the CEO. The employee wires money using what seems like the organization’s legitimate account but the transfer ends up in the criminal’s account due to slight variations in the account numbers.
3 common characteristics of BEC attacks
BEC attacks frequently target employees who handle the financial transactions for an organization. Criminals appropriate personal information using social engineering to personalize fraudulent emails (and sometimes phone calls) by gathering birth dates, favorite foods, and places of residence from social media and other online sources. Beware of the following three common characteristics:
1. Spoofed email and websites
Attackers will add imperceptible differences to legitimate organization addresses to make fake accounts look authentic. Using a spoofing tool, the victim’s email responses are redirected to the criminal’s account while it appears that they’re communicating with the CEO.
2. Spear-phishing requests
A scam email is supposedly sent from a high-level executive within the organization claiming that a vendor requires prompt payment.
3. Malware in an organization’s network
Malware is used to get into legitimate email threads that contain information about billing and invoices to avoid raising the suspicions of an accountant or financial officer. Attackers can also obtain passwords and financial account information.
Why cybersecurity training is essential
The best way to defend your organization from BEC attacks is to implement cybersecurity training for employees so that security is their priority and they’ll report any suspicious activity without fear of punishment. Organizations can also run phishing simulations to test everyone from employees to C-suite executives. It’s also important to teach employees to verify the authenticity of any financial request by walking into the CEO’s office or speaking to them directly on the phone.
An email gateway can be set up to flag terms like “payment,” “urgent,” sensitive” and “secret” that are usually found in scam emails. Organizations should also register as many related domains as possible to lessen the risk of email spoofing, and avoid using free, web-based email services.
Attackers make funds lost to a BEC attack difficult to recover using worldwide money laundering networks and illicit money exchangers. Your organization can prevent BEC and other email threats with Paubox Email Suite Plus, which includes real-time advanced threat protection features like patent-pending ExecProtect that stops display name spoofing attacks from reaching your inbox.