Phishing attacks against businesses are becoming more sophisticated and widespread by the day. One of the most damaging is Business Email Compromise (BEC), which targets senior business leaders and the staff who act on their instructions with the aim of stealing sensitive data or inducing fraudulent payments.
Business Email Compromise attacks cost companies approximately $1.7 billion in a single year, according to the FBI's Internet Crime Complaint Center (IC3) annual cybercrime report. As such, it is vital for business owners and executives to establish safeguards against this pervasive threat. This article explains how to identify and prevent BEC.
What is Business Email Compromise?
Business Email Compromise is a type of phishing attack designed to gain access to sensitive business information and/or extract money through impersonation. Often, the targets of BEC attacks are senior business executives or members of your finance department who are accustomed to receiving payment requests by email. The FBI reports it together with the closely related Email Account Compromise (EAC), in which the attacker takes over a genuine email account rather than merely imitating one.
It’s not hard to see why Business Email Compromise has become such a widespread form of fraud. After all, many of us rely on email to discuss business transactions every day. BEC scammers take advantage of this fact by sending email messages that seem to come from a known source making a legitimate request.
Business Email Compromise Examples
As just a few examples of how a common BEC scam may work, consider the following scenarios:
- An email that appears to come from an established vendor of your company, containing an invoice with a new remittance address or bank account to which payment should be sent.
- A message that seems to come from the CEO requesting the purchase of dozens of gift cards for employee rewards, which also asks for each card’s number and PIN (the details needed to spend the card) so that the CEO can send them out immediately.
- An email that looks like it’s from a trusted business associate containing new wire instructions for a payment that is about to go out.
While at first glance it may seem like very few professionals would fall for schemes like these, the reality is that versions of Business Email Compromise scams occur every day, and a single successful one can cost a business hundreds of thousands of dollars.
5 Types of Business Email Compromise Scams
Perpetrators of Business Email Compromise fraud may approach their target from one of several angles. The FBI’s Internet Crime Complaint Center describes at least five categories of BEC scams.
1. Fake Invoice
Scammers often target companies with foreign suppliers when implementing this form of Business Email Compromise, because long-distance invoicing is routinely handled by email and wire transfer. The attacker pretends to be one of the business’ suppliers and requests that payment for an invoice (real or fabricated) be sent to an account the attacker controls.
2. CEO fraud
Many Business Email Compromise scammers pose as a member of an organization’s C-suite (e.g., CEO, CFO, CIO, etc.). They may send an email to an employee in the company’s finance department, instructing them to transfer money to an account the attacker controls, usually with a reason why it must happen immediately and quietly.
3. Account Compromise
If an executive’s or employee’s email account gets hacked, the attacker can write to the vendors and customers in the account’s contacts from the genuine mailbox and request that invoice payments be sent to bank accounts under the attacker’s control. Because these messages really do come from the compromised account, they pass every sender authentication check.
4. Attorney Impersonation
In some Business Email Compromise scenarios, scammers pose as an attorney from the law firm representing the company, claiming to handle a time-sensitive and confidential matter, and pressing the employee to release funds or critical business information without consulting anyone else.
5. Data Breach
This tactic is often used against employees in the HR and accounting departments. A scammer may try to extract personally identifiable information (PII) from someone in HR, or obtain employees’ tax forms (such as W-2s) from someone in accounting. Whatever data is obtained can then be used for tax fraud, identity theft or more convincing follow-up scams.
How to Prevent Business Email Compromise Attacks
Even though BEC attacks are commonplace in today’s business world, there are several steps you can take to reduce the risk of falling victim to such schemes.
1. Generate Awareness of Business Email Compromise
One of the most important measures to implement is simply generating awareness around common BEC attack scenarios. Be sure to educate your employees on the telltale signs of a BEC scam, such as an email creating a false sense of urgency or secrecy. It’s also important to remind your employees that attention to detail is crucial in fraud prevention. For instance, a sender domain that differs from the real one by a single character (a missing letter, a digit 1 in place of a lowercase l, “rn” in place of “m”) looks legitimate without closer scrutiny, as does a familiar executive’s name on a message sent from a free webmail address.
Since BEC emails typically don’t contain any malicious links or attachments, they can slip through traditional filtering that looks for those payloads. This makes employee training even more critical in preventing Business Email Compromise fraud. Make sure employees understand that scammers will often “groom” their targets over several messages before making the request, and that they deliberately exploit deference to authority. It’s also vital to have a well-defined chain of command through which employees can escalate any concerns they have about unusual requests received via email, without fear of being seen as obstructive.
2. Establish a Culture of Compliance
Because Business Email Compromise scams are constantly evolving, it’s imperative to create and maintain a strong culture of compliance and collaboration. Many BEC scams succeed because they target mid-level personnel who seldom communicate directly with the executives or other stakeholders supposedly behind a transaction request. A culture of compliance helps such employees understand exactly which verification steps they must take before acting on a request, such as confirming any new bank details with the vendor by phone. A culture of collaboration encourages them to approach the person who purportedly sent the message and ask for confirmation. That confirmation must go through a channel already on file (a known phone number, an in-person conversation, the internal chat system), never through a number or reply address supplied in the suspicious email, since the scammer will happily “confirm” their own request. When employees are not isolated from the people they supposedly take instructions from, a BEC attack is significantly more likely to fail.
3. Set Up Technical Controls
In addition, there are technical controls that will stop or flag a sizable percentage of Business Email Compromise attempts before an employee has to judge them. Publish SPF, DKIM and DMARC records for your own domain, with DMARC set to a reject policy, so that mail forging your exact domain is refused by receivers that check it, and have your email gateway enforce the same checks on inbound mail. Require multi-factor authentication on every mailbox, which defeats most of the password theft behind the Account Compromise variant. Configure the gateway to tag messages from outside the organization, to flag messages whose display name matches an executive but whose address is external, and to flag sender domains that closely resemble your own or your vendors’ domains. Be clear about the limits: authentication checks do nothing against a look-alike domain the attacker registered and legitimately controls, nor against a genuine account that has been taken over. Spam filters, VPNs and data encryption are sometimes suggested here, but they are not an answer to BEC: the message carries no malicious payload for a spam filter to catch, and it is delivered and read over an encrypted connection exactly as a genuine message would be. The control that ultimately stops a payment-diversion scam is procedural: any change to a vendor’s bank details, and any unusual payment request, must be verified out of band before money moves.
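The following is an added Python example, written for this article rather than taken from the page or any product, that turns the awareness points above (look-alike domains, executive names on outside mailboxes, urgency language) and the gateway rules just described into a small triage script over raw email messages. The trusted-domain list, executive names, keyword lists, score weights and the escalation threshold are illustrative assumptions, and the three sample messages are constructed for the example, not real mail.

```python
"""Heuristic BEC triage of raw email messages (added example; not product code).
Domain and name lists, keyword lists, weights and the threshold are assumptions."""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}  # assumed: own domain + known vendors
EXECUTIVE_NAMES = {"jane doe", "sam lee"}                    # assumed: names scammers would borrow
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away|confidential|discreet)\b", re.I)
PAYMENT = re.compile(r"\b(gift cards?|wire|new account|updated bank|remittance|bank details|account number)\b", re.I)
AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=fail\b", re.I)
ESCALATE_AT = 3  # assumed threshold: this score or higher goes to a human reviewer


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short domain names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold the swaps that make a domain 'one letter off' to the eye (rn->m, 1->l, 0->o ...)."""
    d = unicodedata.normalize("NFKC", domain).lower().strip().rstrip(".")
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    nd = normalize_domain(domain)
    for t in trusted:
        nt = normalize_domain(t)
        if nd == nt or levenshtein(nd, nt) <= 2:
            return t
    return None


def triage(raw_message: str) -> dict:
    """Parse one RFC 5322 message; return findings, a score and an escalate flag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    findings = []  # (weight, reason)
    target = lookalike_of(from_domain)
    if target:
        findings.append((3, f"sender domain {from_domain} imitates trusted domain {target}"))
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append((3, f"executive name '{from_name}' used from outside domain {from_domain}"))
    if reply_domain and reply_domain != from_domain:
        findings.append((2, f"Reply-To redirects replies to {reply_domain}, not {from_domain}"))
    # An attacker-registered look-alike domain usually PASSES SPF/DKIM/DMARC, so a
    # failure is a strong signal but a pass proves nothing by itself.
    if AUTH_FAIL.search(msg.get("Authentication-Results", "")):
        findings.append((3, "SPF, DKIM or DMARC failed"))
    if PAYMENT.search(text):
        findings.append((2, "asks to pay, wire, buy gift cards or change bank details"))
    if URGENCY.search(text):
        findings.append((1, "urgency or secrecy language"))
    score = sum(weight for weight, _ in findings)
    return {"findings": [reason for _, reason in findings], "score": score,
            "escalate": score >= ESCALATE_AT}


# Constructed sample messages (not real mail), one per scenario from the article.
FAKE_INVOICE = """\
From: Acme Supplies Billing <billing@acme-supp1ies.com>
Subject: Updated remittance details for invoice 4471
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=acme-supp1ies.com; dmarc=none

Please note our new bank account for all future payments and settle
invoice 4471 immediately to avoid a late fee.
"""
GIFT_CARDS = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: <jd.exec.office@outlook.com>
Subject: Quick task

I need 20 gift cards for staff rewards today. Send me the card numbers
and PINs as soon as you have them and keep this confidential.
"""
LEGIT_INVOICE = """\
From: Acme Supplies Billing <billing@acme-supplies.com>
Subject: Invoice 4470

Invoice 4470 for the March order is due in 30 days under our usual terms.
"""

if __name__ == "__main__":
    for label, raw in (("fake invoice", FAKE_INVOICE), ("CEO gift cards", GIFT_CARDS), ("genuine", LEGIT_INVOICE)):
        r = triage(raw)
        print(f"{label}: score={r['score']} escalate={r['escalate']} {r['findings']}")
```

The fake invoice scores high even though its SPF check passes, which is the point of the comment in `triage`: the scammer owns acme-supp1ies.com, so authentication is clean and only the look-alike comparison and the content catch it. The genuine invoice from the real vendor scores zero. A score like this is a prompt for a human to pick up the phone, not a substitute for the out-of-band verification described above.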
Protect Your Business From Business Email Compromise
Business Email Compromise attacks are likely to continue to pose a threat to organizations of all sizes. However, you can greatly reduce your company’s risk of falling prey to fraudsters by educating your employees on the common methods and tactics of BEC scammers, training them to respond appropriately, enforcing out-of-band verification of payment changes, and giving them the technical tools needed to maintain a high level of security. Want to learn more about improving your business’s cybersecurity? Get in touch with Electric today.