What Is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a targeted email scam that typically goes after employees who regularly send wire transfers to company partners and suppliers.
Often referred to as man-in-the-email, BEC uses spoofed or compromised email accounts to trick recipients into handing over company information, sending money, or sharing proprietary innovations and technology.
BEC is a social engineering technique that relies on winning the recipient's trust. The criminals behind it know that most people do not scrutinize sender addresses closely or notice slight discrepancies in domains and URLs.
Combined with familiar, urgent and carefully worded messages, this makes BEC very difficult for employees to recognize quickly.
BEC criminals use phishing, spear phishing and social engineering to impersonate company executives, the accounting departments of partners, and other senior members of the organization.
How Common Is BEC?
According to the FBI's Internet Crime Complaint Center (IC3), BEC has grown into a scam responsible for more than $12 billion in exposed losses. "Exposed dollar loss" is IC3's term for attempted and actual losses combined, reported over the whole period below, not per year.
Figures collected by IC3 between October 2013 and May 2018 underscore the scale of BEC:
- Domestic and international incidents: 78,617
- Domestic and international exposed dollar loss: about $12.5 billion
- Total U.S. victims: 41,058
- Total U.S. exposed dollar loss: about $3 billion
- Total non-U.S. victims: 2,565
- Total non-U.S. exposed dollar loss: about $672 million
BEC is a cybercrime that knows no boundaries. It has been reported in all 50 U.S. states and in 150 countries, with fraudulent wire transfers sent to banks in 115 countries. It is a global crime that affects businesses of every type and size.
These statistics reinforce how prevalent and damaging BEC attacks are, both to companies and to the individuals who are tricked into giving up money, company information and technology.
IC3 recommends that employees remain suspicious of any email that asks for secrecy or pressures them to act quickly.
Ongoing security awareness training is key to keeping employees alert to what arrives in their inbox.
What Are The 5 Types Of BEC Scams?
Bogus Invoice Scheme
Using malware or a phishing lure, the criminal gets into the company's email system and takes over an account that is normally used to request invoice payments and fund transfers.
From the compromised account, the criminal emails another employee asking for a fund transfer or invoice payment to a specific account, usually in an urgent tone. Because the request comes from a trusted colleague's real mailbox, the targeted employee sends the money to an account controlled by the criminal.
CEO Fraud
The criminal spoofs an executive's email address and uses that identity to steal from the company. Typically the spoofed address differs from the real one by only a character or two, for example [email protected] instead of [email protected]
Using this address and identity, the criminal sends an email whose subject line and body request an urgent money transfer. The recipient trusts the apparent sender, does not feel compelled to double-check the address, and sends the funds without verifying the beneficiary bank or company name through any channel other than the email itself.
Account Compromise
Through a well-crafted phishing attack, an employee's account is taken over. The criminal mines the mailbox and contact list for vendors, partners and suppliers, then emails those contacts from the genuine account asking that payments be sent to a new bank account, which the criminal controls.
Attorney Impersonation
Employees or the CEO are contacted by a criminal posing as a lawyer acting on a client's behalf. The criminal stresses that the matter is time-sensitive and must be kept confidential. Under pressure and believing they are doing the right thing, the victim sends the requested funds.
Criminals often time this scheme for a Friday afternoon or the eve of a holiday, when the recipient is rushing to finish work and less likely to verify.
Data Theft
The criminal takes over the mailbox of one or more human resources staff and uses it to request confidential information about employees, the company, partners and investors. That data is then used in a later, larger BEC attack or a more advanced attack against the company.
These five schemes underscore the importance of security awareness education that teaches employees to look closely at email addresses, company names and any request that carries even a hint of suspicion.
How Does BEC Happen?
A BEC attack is not opportunistic; it follows a deliberate sequence.
- The criminal researches the target company, using publicly available sources such as press releases, LinkedIn profiles, website content and social media posts to collect the names and titles of key personnel. Some go further and look for travel plans, conference attendance, partners and investors, upcoming products and other basic facts about the company.
- Using this information, the criminal either breaks into the company email system through phishing or spoofs the address of a key employee.
- With that access and background knowledge, the criminal sends targeted, familiar-sounding and urgent emails to the employees judged most likely to comply.
- Those employees receive mail from the criminal masquerading as a colleague, lawyer or partner, requesting a payment, fund transfer or confidential information.
- Because the address looks familiar and the request is not out of the ordinary, the employee does exactly as asked, typically believing they are serving the company by paying an overdue invoice or funding a new partner.
BEC schemes depend on skilled social engineering and on the human element of trust; no malware is needed once the victim believes the sender.
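The signals described in the sections above (an address that differs by a character or two, an executive's name on an outside address, a reply that goes somewhere other than the apparent sender, and the urgency and secrecy wording IC3 warns about) can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example and not code from the original article; the company domain, the executive roster, the keyword list and the three sample messages are all constructed for illustration.

```python
"""Screen inbound mail for BEC signals: look-alike sender domains, an executive's
display name on an outside address, Reply-To redirection, a failed DMARC check,
and urgency/secrecy wording. Added example; all names and samples are constructed."""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> real address (constructed)

# Pressure to act quickly and requests for secrecy: the wording IC3 flags.
URGENCY_TERMS = ("urgent", "immediately", "asap", "confidential",
                 "keep this between us", "wire", "transfer", "before end of day")

# Character sequences that read like another letter in many fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalise(domain: str) -> str:
    """Fold confusables so 'exarnple-corp.com' compares equal to 'example-corp.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values catch dropped, added or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates the company domain without being it or a subdomain of it."""
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return False
    return normalise(domain) == COMPANY_DOMAIN or edit_distance(domain, COMPANY_DOMAIN) <= 2

def screen(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:           # executive's name, someone else's mailbox
        findings.append(f"executive display name on foreign address {addr}")
    if is_lookalike(from_domain):
        findings.append(f"look-alike sender domain {from_domain}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To redirects replies to {reply}")

    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("DMARC failed for the claimed From domain")

    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:                          # one word alone is too noisy
        findings.append("urgency/secrecy wording: " + ", ".join(hits))
    return findings

# Constructed sample messages with minimal headers.
EXACT_SPOOF = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; dmarc=fail header.from=example-corp.com

Please wire 48,000 to the attached account immediately. Keep this between us.
"""
LOOKALIKE = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jane.doe@webmail.example
Subject: Confidential request
Authentication-Results: mx.example-corp.com; dmarc=pass header.from=exarnple-corp.com

Need this handled before end of day, I am in meetings all afternoon.
"""
BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Q3 offsite agenda
Authentication-Results: mx.example-corp.com; dmarc=pass header.from=example-corp.com

Draft agenda attached for review, comments welcome by Friday.
"""

if __name__ == "__main__":
    for label, sample in (("exact_spoof", EXACT_SPOOF), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(label, "->", screen(sample) or "clean")
```

Two points worth noting. The look-alike sample passes DMARC, because the attacker owns the look-alike domain and can publish valid records for it; DMARC only protects the exact domain, which is why the display-name and look-alike checks are needed alongside it. And none of these findings should block mail on their own; they are triage signals that route a message to review, and the decisive control remains verifying any payment or data request through a channel other than the email.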
Phishing simulations let you identify which employees are prone to BEC and phishing lures, while showing them first-hand how easily an attack like BEC succeeds.
How To Prevent BEC Attacks
- Educate employees about the five types of BEC attacks. Free phishing simulation tools can both teach and measure BEC and phishing risk.
- Require out-of-band verification before acting on any payment request, change of bank details or request for confidential data, regardless of who appears to have sent it: a phone call to a number already on file, never one taken from the email.
- Use proven security awareness training and phishing simulation platforms to keep BEC and social engineering risks top of mind. Build a group of internal cyber security champions who are committed to keeping the organization secure.
- Have security leaders and those champions monitor BEC and phishing awareness regularly with simulation tools, and use BEC-specific modules to educate, train and change behaviour.
- Communicate continually about cyber security, BEC and social engineering. This includes strong password policies and regular reminders about the risks carried by emails, URLs and attachments.
- Establish network access rules that limit the use of personal devices and the sharing of company information outside the corporate network.
- Keep applications, operating systems, network tools and internal software patched and securely configured. Deploy malware protection and anti-spam filtering.
- Make security awareness campaigns, training, support and education part of the corporate culture rather than a one-off exercise.
What Is Phishing Simulation?
Phishing simulation is a practical way to raise awareness of BEC risk and to identify which employees are most likely to fall for BEC scams and phishing.
BEC relies on phishing to gain access to the company email system and on social engineering to convince employees to act as requested, so a simulation exercises exactly the behaviour an attacker depends on.
Phishing simulation lets you incorporate security awareness training into the organization in an interactive, hands-on format.
People see first-hand how personalized, trustworthy-looking emails are used to steal personal and corporate information. Regular BEC and phishing simulations are an accessible way for any organization to educate people and raise alertness to BEC schemes and techniques.
How Can Phishing Simulations Help Prevent BEC?
Phishing simulations show employees how easy it is to become a victim of a BEC attack.
Through realistic scenarios, employees learn why it matters to verify email addresses and to confirm any request for funds or confidential information before acting on it.
Phishing simulations give your organization these ten benefits in the defence against BEC scams and other threats:
- Measure the degree of corporate and employee vulnerability
- Reduce the organization's exposure to BEC and phishing
- Increase user alertness to BEC and phishing risk
- Instill a security culture and create internal security champions
- Change behaviour so that automatic trust is replaced by verification
- Deploy anti-phishing controls where the simulations show they are needed
- Protect valuable corporate and personal data
- Meet industry compliance obligations
- Assess the impact of security awareness training over time
- Segment BEC and phishing simulations by department or role
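Several of the benefits listed above (measuring vulnerability, segmenting by department, and assessing the impact of training) come down to arithmetic over the simulation's event log. The following is an added example, not code from the original article or any particular simulation product; the event records, department names and campaign labels are constructed for illustration, and the "replied" outcome models an employee answering a simulated wire request rather than clicking a link.

```python
"""Score a phishing-simulation programme from its event log: per-department
failure and report rates, the department to target next, and the change in
failure rate between a baseline campaign and a follow-up after training.
Added example; the log below is constructed."""
from collections import defaultdict

# Constructed simulation log: (campaign, department, user, outcome).
# Outcomes: "ignored", "clicked" (opened the lure link), "replied" (answered the
# fake wire request), "reported" (forwarded it to security, the desired response).
EVENTS = [
    ("baseline", "finance", "u01", "clicked"),
    ("baseline", "finance", "u02", "replied"),
    ("baseline", "finance", "u03", "clicked"),
    ("baseline", "finance", "u04", "ignored"),
    ("baseline", "hr", "u05", "clicked"),
    ("baseline", "hr", "u06", "reported"),
    ("baseline", "hr", "u07", "ignored"),
    ("followup", "finance", "u01", "ignored"),
    ("followup", "finance", "u02", "reported"),
    ("followup", "finance", "u03", "clicked"),
    ("followup", "finance", "u04", "reported"),
    ("followup", "hr", "u05", "reported"),
    ("followup", "hr", "u06", "reported"),
    ("followup", "hr", "u07", "ignored"),
]

FAIL_OUTCOMES = {"clicked", "replied"}   # either one would have paid the attacker


def _tally(events, campaign):
    """Raw counts per department for one campaign."""
    counts = defaultdict(lambda: {"users": 0, "failed": 0, "reported": 0})
    for camp, dept, _user, outcome in events:
        if camp != campaign:
            continue
        row = counts[dept]
        row["users"] += 1
        row["failed"] += outcome in FAIL_OUTCOMES
        row["reported"] += outcome == "reported"
    return counts


def campaign_stats(events, campaign):
    """Failure and report rates per department, rounded to two decimals."""
    return {
        dept: {
            "users": row["users"],
            "fail_rate": round(row["failed"] / row["users"], 2),
            "report_rate": round(row["reported"] / row["users"], 2),
        }
        for dept, row in _tally(events, campaign).items()
    }


def highest_risk(events, campaign):
    """Department with the highest failure rate: where the next BEC module should go."""
    stats = campaign_stats(events, campaign)
    return max(stats, key=lambda d: stats[d]["fail_rate"])


def training_delta(events, before, after):
    """Change in failure rate, in percentage points, between two campaigns."""
    b, a = _tally(events, before), _tally(events, after)
    return {
        dept: round((a[dept]["failed"] / a[dept]["users"]
                     - b[dept]["failed"] / b[dept]["users"]) * 100)
        for dept in b if dept in a
    }


if __name__ == "__main__":
    print("baseline:", campaign_stats(EVENTS, "baseline"))
    print("highest risk:", highest_risk(EVENTS, "baseline"))
    print("change after training (pp):", training_delta(EVENTS, "baseline", "followup"))
```

Track the report rate alongside the failure rate: a department that reports simulated BEC mail to security is the one that will catch a real attack early, so a rising report rate is as meaningful as a falling failure rate.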
Learn More About BEC
To learn more about BEC and how you can keep your organization cyber secure, simply contact the principal, David McHale at [email protected]