SEP. 09, 2021
- The FBI’s Internet Crime Complaint Center (IC3) estimates 2019 losses for business email compromise scams to be $1.7 billion
- Email is commonly cited as the No. 1 way hackers deliver malware to a user’s computer
- Business email compromise scams should be reported to the business’s local FBI field office and logged through the FBI’s IC3
Protecting your clients from BEC scams
Cybercriminals have a variety of tools and techniques at their disposal, including malware, ransomware and disruptive denial-of-service attacks. However, some of the most common and difficult-to-spot strategies hackers use are known as business email compromise, or BEC, scams.
The FBI’s Internet Crime Complaint Center (IC3) estimates 2019 losses for BEC scams to be $1.7 billion.1 In addition to tricking companies into wiring money, criminals can also use BEC scams to get employees to divulge sensitive data, financial information, proprietary information and trade secrets. As such, understanding common business email compromise scams and how to protect your business is crucial.
What is a BEC scam?
BEC is a form of fraud in which an attacker impersonates a seemingly legitimate email sender, such as a senior employee, vendor, organization or company. This is done to trick an email recipient into wiring money, providing confidential information or performing similar compromising actions, all of which can defraud a business and its employees, customers or partners.2
BEC scams are part of a larger cyberattack strategy known as social engineering. Social engineering attacks take advantage of human behavior (e.g., a trust of authority, fear of conflict or the promise of deals or rewards).
By preying on the trust of others, social engineers can gain access to computer systems and data simply by exploiting the weakest link in a security system: employees. Social engineers don’t need to have expert knowledge of a company’s computer network to break into a business. All attackers need to do is trick employees into giving out passwords, wiring money or believing that a malicious email is authentic.
When it comes to executing BEC fraud, an attacker may use social engineering techniques to3:
- Spoof a legitimate email account or website. For instance, if a CEO’s email is email@example.com, an attacker may register a look-alike domain that differs from the real one by a single character (a swapped letter, a digit in place of a letter, a different top-level domain) and send from that address, or simply set the display name to the CEO’s name on an unrelated mailbox. A recipient who reads only the name, not the full address, is unlikely to notice.
- Send BEC phishing emails. Phishing is one of many types of cyberattacks in which a hacker disguises themselves as a trusted source online in order to acquire sensitive information. However, more resourceful criminals resort to a modified and more sophisticated technique called “spear-phishing,” in which they use personal information to pose as colleagues or other sources specific to individuals or businesses. With spear-phishing, cybercriminals narrow down the scope of their attack to a smaller group — sometimes just a handful of individuals. By doing this, hackers can conduct research and make the phishing email much more convincing based on a victim’s profile or online activity. Malicious hackers can find most of the information needed to carry out a spear-phishing attack right on the internet, particularly on company websites and social networking sites. It’s not uncommon for phishers to use a target’s personal information (e.g., name or address) or the personal information of their friends, family and colleagues as leverage in an email.
- Introduce malware into a target’s system. In order to enhance the success of a BEC scam, the hacker may introduce malware, allowing them to find any information they can, then use it to successfully carry out their scam. Getting into the system is usually accomplished through email attachments or downloadable files from a website. Emails that contain malware often employ scare tactics (e.g., the threat of legal fees, termination and bankruptcy) to trick the victim into taking a specific action (e.g., clicking a link, downloading malicious software or completing a fraudulent form). In fact, email is commonly cited as the No. 1 way hackers deliver malware to a user’s computer.4
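The look-alike domain and display-name tricks described above are mechanical enough to check for automatically before a message reaches a finance mailbox. The following is an added example and is not code from the original article or from any product it mentions. The corporate domain, the executive directory and the email headers are all constructed for illustration, and the checks are deliberately simple (a few homoglyph substitutions, one-character edits, a Reply-To that differs from From), so treat it as a starting point rather than a complete mail filter.

```python
"""Flag common BEC sender-spoofing patterns in email headers.

Added example. CORPORATE_DOMAIN, EXECUTIVES and SAMPLES are assumptions
constructed for this illustration, not data from the article.
"""
from email.utils import parseaddr
from typing import NamedTuple

CORPORATE_DOMAIN = "example.com"                    # assumed legitimate domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # assumed executive directory

# Substitutions attackers use so a registered look-alike reads like the real domain.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label: str) -> str:
    """Fold look-alike character sequences so 'exarnple' and 'examp1e' compare equal to 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), standard dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> bool:
    """True if the domain imitates CORPORATE_DOMAIN: homoglyph match, one-character edit, or swapped TLD."""
    domain = domain.lower()
    if domain == CORPORATE_DOMAIN:
        return False
    corp_label = CORPORATE_DOMAIN.rpartition(".")[0]   # 'example'
    label = domain.rpartition(".")[0]
    if normalize(label) == normalize(corp_label):       # covers exarnple.com, examp1e.com, example.net
        return True
    return edit_distance(label, corp_label) <= 1        # covers exampl.com, examplee.com


class Finding(NamedTuple):
    reason: str
    detail: str


def analyze(headers: dict) -> list[Finding]:
    """Return a list of findings for one message's From/Reply-To headers (empty list = nothing suspicious)."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    internal = domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN)

    if not internal:
        findings.append(Finding("external-sender", addr))
        if lookalike_domain(domain):
            findings.append(Finding("lookalike-domain", domain))

    # Display name matches an executive but the address is not that executive's real mailbox.
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        findings.append(Finding("display-name-spoof", f"{name} <{addr}>"))

    # Replies silently redirected to a mailbox the attacker controls.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(Finding("reply-to-mismatch", reply_to))
    return findings


# Constructed sample headers (assumptions, not real messages).
SAMPLES = {
    "legitimate": {"From": "Jane Doe <jane.doe@example.com>"},
    "lookalike": {"From": "Jane Doe <jane.doe@exarnple.com>"},
    "display-name": {"From": "Jane Doe <j.doe@personalmail.invalid>"},
    "vendor-reply-to": {"From": "Accounts <billing@vendor.example.org>",
                        "Reply-To": "billing@vendor-payments.invalid"},
}


def triage(samples: dict) -> dict:
    """Map each sample name to the set of finding reasons, for a quick overview."""
    return {key: {f.reason for f in analyze(hdrs)} for key, hdrs in samples.items()}


if __name__ == "__main__":
    for key, reasons in triage(SAMPLES).items():
        print(f"{key:16} {sorted(reasons) or 'clean'}")
```

Deployed for real, the same checks belong in the mail gateway (tagging external senders, as the "Protecting against BEC scams" section recommends) rather than in a script, and a production version would also consult DMARC/DKIM results, which this example does not. Note that the detection cannot catch the "account compromise" variant, where the message really does come from the legitimate mailbox; that case is only caught by the out-of-band payment verification described later.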
Common BEC scams
While cybercriminals will employ different tactics to deploy a business email scam, these emails often follow similar scenarios. According to the FBI, the following are some of the most common types of BEC fraud5:
- False invoice scheme. Using this tactic, cybercriminals pretend to be a business’s supplier and request that payment for an invoice be sent to an account they control. The strategy relies on social engineering and is often achieved using a spoofed email.
- CEO fraud. With CEO fraud, scammers pose as a high-level executive and request wire transfers. Attackers aren’t afraid to use psychology to their advantage. These criminals know that impersonating an individual or organization and urging immediate action can be incredibly persuasive. Often, these types of attacks threaten loss, punishment or added risk.
- Account compromise. In these types of BEC scams, an executive’s or employee’s email account is hacked directly. Then, the account is used to request invoice payments to vendors listed in their email contacts.
- Attorney impersonation. Here, attackers impersonate a corporate lawyer or law firm. Via email, attackers will claim they are handling confidential, time-sensitive matters that require the immediate transfer of funds. It’s not uncommon for attackers to reference publicly available information — such as news regarding mergers and acquisitions — to make emails sound more convincing.
- Data theft. In these scams, attackers will pose as human resource professionals or other employees who work in functional areas of the company. In these attacks, criminals aren’t after money, but rather sensitive data (e.g., names, addresses or birthdays). Cybercriminals can then use this information to carry out future attacks.
Understanding the different types of BEC scams is crucial, as it can inform employee training and other preventive measures.
Protecting against BEC scams
Above all, educating employees is essential to minimizing the risk of BEC fraud. Even the best security system will fail if a company’s staff is tricked into wiring money or providing sensitive information to criminals. To help protect against business email compromise, businesses should consider employing the following strategies:
- Set clear policies. Businesses should create policies that limit or eliminate the amount of sensitive information that is made available to employees, customers and the general public. Organizations should never allow employees to give out sensitive information, such as passwords and credit card numbers, over the phone. As a rule, avoid emailing personal or financial information.
- Prohibit employees from posting work-related information on social media websites. BEC scammers may spend weeks or even months learning about an employee’s habits and tendencies before deploying their fraudulent email. A simple post about being out of the office for a short length of time could be all the information an attacker needs to pull off a scam.
- Train employees. Include business email compromise training as part of larger cybersecurity education initiatives. This training should include interactive examples of BEC scams that relate directly to your employees’ work activities. Employees should be instructed to avoid clicking on anything in an unsolicited email. Employees should also be encouraged to carefully examine email addresses and URLs in emails before taking any action, asking questions along the way if they feel they have received something that is potentially harmful. Employees should be overly suspicious of emails, particularly those that:
- Come from unrecognized senders
- Ask them to confirm personal or financial information
- Aren’t personalized
- Are vague
- Are particularly urgent
- Include threatening, frightening and persuasive language
- Verify payment and purchase requests. When possible, verify purchase requests in person. Additionally, those in charge of transferring funds or making payments should confirm any change in account numbers or payment procedures with the person making the request using contact information already on file — not the contact information found in the email requesting the change.
- Report attacks. In the event a company falls victim to a business email compromise scam, it’s important for them to act quickly. They should contact their financial institution immediately to determine whether funds were transferred from their account. Additionally, business email compromise scams should be reported to the business’s local FBI field office and logged through the FBI’s IC3.
Cyberattacks, including business email compromise scams, aren’t going away. In fact, they’re becoming more sophisticated. It’s not enough to simply install antivirus and anti-malware software to prevent BEC scams. To truly protect yourself, it’s crucial that companies and their employees stay aware and informed on the most recent types of cyberattacks and up-to-date protection strategies.
That includes researching and investing in technology solutions that can provide additional defenses against BEC scams. Software solutions, for example, can advise recipients when an email is from an external source, prevent an email from getting through if malware is detected, enforce basic password requirements, and provide even more sophisticated phishing attack detection tools. A small upfront investment may prevent a large loss down the road.