Business email compromise (BEC) has grown to be one of the most financially damaging cybercrimes. In 2020, the Internet Crime Complaint Center received 19,369 BEC complaints, which accounted for $1.8 billion in losses to businesses.
This crime exploits people’s reliance on email to conduct business, targeting both organizations and individuals. In a BEC scam, a cybercriminal compromises legitimate business email accounts then targets a business or individual to make some kind of request, usually involving a transfer of funds. These funds are then unwittingly transferred by the target into a fraudulent account controlled by the cybercriminal.
Business email compromise exploits people’s reliance on email to conduct business, targeting both organizations and individuals.
What makes BEC attacks so threatening is the difficulty to identify them. The attacker will often pose as someone the recipient would trust, like your supervisor the company’s CEO. These attacks typically don’t use malware or malicious URLs, instead they rely on impersonation and social engineering tactics to trick unsuspecting targets, making the attacks difficult to detect.
Although ransomware dominates cybercrime headlines, the $29 million in losses attributed to ransomware last year are minuscule compared to the $1.8 billion in losses associated with business email compromise. In 2020, BEC comprised 37% of all cybercrime losses. Due to the difficulty to identify BEC, it’s likely that a significant number of losses go unreported.
Types of BEC Scams
The FBI defines 5 major types of BEC scams:
False Invoice Scheme: Attackers commonly target companies with foreign suppliers in this tactic. The scammer pretends to be the supplier and requests fund transfers to fraudulent accounts
CEO Fraud: Attackers pose as a CEO or company executive and send an email to an employee in finance, requesting them to transfer money to an account controlled by the attacker.
Account Compromise: An employee’s email account is hacked and used to request payments to vendors listed in their email contacts. Payments are then sent to bank accounts controlled by the attacker.
Attorney Impersonation: Attackers will impersonate a lawyer and request private information from lower-level employees, who would not have the context or knowledge to know that the request is false. These requests typically happen at the end of the day, utilizing time-sensitive delivery as a method to manipulate the employees.
Data Theft: This attack typically targets HR employees to obtain personal identifiable information about individuals like employee tax statements. This data can then be leveraged for future attacks like CEO fraud.
How to Prevent BEC Attacks
Since BEC scams rely on human error for success, a strong defense requires educating employees on potential attack warning signs. Here are some tips recommended by the FBI to help protect your business from a BEC threat.
- Be wary of the information you share online. By openly sharing things like pet names, schools you attended, family members, and your birthday, you can give a scammer hints to guess your password or answer your security questions to gain access to your personal accounts.
- Don’t click on any attachments or links in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number (don’t use the contact information in the suspicious email or text) and call the company to ask if the request is legitimate.
- Carefully examine the message’s email address, URL, and spelling. BEC emails may use spoofed email addresses that are easy to miss if you aren’t paying attention.
- Never open an email attachment from someone you don’t know.
- Set up two-factor authentication on any account that allows it as an extra security measure.
- Verify payment and purchase requests by calling the requestor to make sure it is legitimate.
- If the requestor is pressuring you to act quickly it may be an indication of a scam.
Trust your instincts. If an email or an attachment seems suspicious, do not click on it and seek verification from a second source.
For additional cybersecurity tips and resources check out our Cyber Security Resources page.