As businesses in this modern age of information, you are likely on high alert for many of the cybersecurity threats that businesses can face on a daily basis. One of the most common, fastest growing and potentially damaging is Business Email Compromise.
Business Email Compromise, also known as BEC for short, is a type of cybersecurity threat that involves cyber attackers impersonating company owners or executives to trick employees into transferring large sums of money or revealing confidential data. Attackers accomplish this by using a variety of techniques that manipulate users into sending money or data.
The FBI Identifies 5 types of Business Email Compromise Scams:
- CEO Fraud: Here the attackers position themselves as the CEO or executive of a company and typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker.
- Account Compromise: An employee’s email account is hacked and is used to request payments to vendors. Payments are then sent to fraudulent bank accounts owned by the attacker.
- False Invoice Scheme: Attackers commonly target foreign suppliers through this tactic. The scammer acts as if they are the supplier and request fund transfers to fraudulent accounts.
- Attorney Impersonation: This is when an attacker impersonates a lawyer or legal representative. Lower level employees are commonly targeted through these types of attacks where one wouldn’t have the knowledge to question the validity of the request.
- Data Theft: These types of attacks typically target HR employees in an attempt to obtain personal or sensitive information about individuals within the company such as CEOs and executives. This data can then be leveraged for future attacks such as CEO Fraud.
These hackers exploit the fact that many businesses rely on email for day-to-day business communication, especially with the onset of the COVID-19 pandemic.
The annual cybercrime report from the FBI’s Internet Crime Complaint Center (IC3) reveals that in 2023 BEC caused over $2.9 billion worth of losses to businesses. BEC encompassed nearly 38% of all victim losses, compared to the infamous ransomware attacks, which only made up 1%.
These numbers are no small feat and every business, no matter the size, is at risk. Small businesses are even more at risk because they are easier to infiltrate and act as a gateway to breach larger organizations. For these reasons it is more important than ever to ensure you are protecting your business from Business Email Compromise.
Luckily, there are several steps you can take to better equip your organization against Business Email Compromise. These include:
- Don’t open emails from unknown parties: If you do, do not click on any links or attachments in the email content.
- Double-check the sender’s email: A spoofed email often uses email addresses that at first glance appear to be the legitimate source. For example, you may see a fraudulent email “johnsmith@perception_point.io” mimicking the legitimate source “[email protected]”.
- Analyze the links: Hover over the hyperlinks in the email to view a preview before clicking on them to ensure they are coming from a legitimate and safe source.
- Spell-check the content: Be on the lookout for slight spelling errors or an aggressive tone asking the user to send money immediately: these are surefire giveaways of a BEC scam.
- Verify the content: Any suspicious requests made over email should be verified in-person with the real sender. For example, if the “CEO” asks to send you money, directly contact your CEO and ask if they sent the email.
- Educate your team on Cybersecurity and Business Email Compromise: Teach your team how to better detect these emails.
- Invest in a quality email security service: This is the best way to prevent your organization from future BEC scams.
- Set up two-factor or multi-factor authentication: Setting this up on all of your organization’s business email accounts will provide more email security against BEC scams.
Perception Point’s advanced email security service employs next-generation detection capabilities to ensure that these malicious BEC emails never breach your company’s inboxes. For example, Perception Point’s advanced email security service was able to intercept a wide-scale BEC Microsoft Spoofing attack.
Here’s some related content you may enjoy:
BEC, Spear Phishing & Collaboration Examples in a single attack
