What is a Business E-mail Compromise (BEC)?
Pretending to be the CEO:
Aside from mass-distributed general phishing campaigns, criminals target key individuals in finance and accounting departments via business-email compromise (BEC) scams and CEO email fraud. By impersonating financial officers and CEOs, these criminals attempt to trick victims into initiating money transfers into unauthorized accounts.
Typically, attackers compromise the email account of a senior executive or financial officer by exploiting an existing infection or via a spear phishing attack. The attacker then lurks and monitors the executive’s email activity for a period of time to learn the company’s processes and procedures. The actual attack is a forged email that appears to come from the compromised executive’s account and is sent to someone who regularly corresponds with it. The email looks important and urgent, and it requests that the recipient send a wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker’s bank account.
According to the FBI’s Internet Crime Complaint Center, BEC scams have generated more than $4.5 billion in actual and attempted losses, and they are a massive global problem.
How can you defend your company from BEC?
Businesses are advised to educate employees on how BEC scams and other similar attacks work. These schemes do not require advanced technical skills, rely on tools and services widely available in the cybercriminal underground, and need only a single compromised account to steal from a business.
As such, here are some tips on how to stay safe from these online schemes:
- Carefully scrutinize all emails. Be wary of irregular emails sent by high-level executives, as they can be used to trick employees into acting with urgency. Review and verify emails requesting funds to determine if the requests are out of the ordinary.
- Raise employee awareness. While employees are a company’s biggest asset, they can also be its weakest link when it comes to security. Commit to training employees, review company policies, and develop good security habits.
  - For example, make use of the Security Awareness App to improve the security awareness level of your staff.
- Verify any change in a vendor’s payment location with a secondary sign-off by company personnel.
- Stay up to date on customers’ habits, including the details of and the reasons behind their payments.
- Verify requests. Confirm fund-transfer requests by phone as a second factor, and use known, familiar numbers rather than the contact details provided in the email request.
- Report any incident immediately to law enforcement or file a complaint with the Autoriteit Persoonsgegevens.
How can employees defend themselves against BEC?
In order to avoid becoming a victim of a BEC scam, employees should take the following precautions when acting on emails:
- Independently verify – Contact the person making the request via phone or in person to confirm the request.
- Content – Does it ask you to click on an unfamiliar link or download an attachment? Does the email contain errors, or is it illogical or unusual in its language or request?
- Hyperlinks – If you hover the mouse over a hyperlink, does the content match the actual link?
- Attachments – Is the title or format unfamiliar, or different from what the request describes? The only file types that are always safe are .txt files.
- Address – Does the sender address match the business name? If it claims to be internal, are there discrepancies in the spelling or order of the name? Is it from a suspicious outside source?
- Subject – Is the subject irrelevant or different from the content of the message? It may claim to be a reply to an email you never sent.
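Several of the checks in this list can be automated as a first-pass triage before a human looks at the message. The following Python script is an added example, not part of the original article: it applies the address (lookalike or outside domain), subject (a "Re:" with no reply headers), content (urgency plus payment wording) and hyperlink (visible text versus real target) checks to one raw email. `INTERNAL_DOMAIN` and the sample message are assumptions; every name and host in the sample is constructed.

```python
# Added example: first-pass automated triage for the checklist above.
# Assumptions: INTERNAL_DOMAIN is the company's own mail domain; SAMPLE is a
# constructed message and every name and host in it is fictitious.
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"
PRESSURE_WORDS = ("urgent", "immediately", "wire", "transfer", "confidential")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(s):
    """Host part of a URL, or of bare 'host/path' text, lower-cased."""
    return (urlparse(s if "://" in s else "//" + s).hostname or "").lower()

def triage(raw):
    """Run the address, subject, content and hyperlink checks on one raw message."""
    msg = message_from_string(raw)
    found = []
    addr = parseaddr(msg.get("From", ""))[1]
    dom = addr.rpartition("@")[2].lower()
    if dom != INTERNAL_DOMAIN:  # Address: outside source, or a lookalike of our domain?
        close = difflib.SequenceMatcher(None, dom, INTERNAL_DOMAIN).ratio() >= 0.8
        found.append(f"address: {addr} is {'a lookalike of' if close else 'outside'} {INTERNAL_DOMAIN}")
    subj = msg.get("Subject", "")
    if subj.lower().startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        found.append("subject: claims to be a reply but carries no In-Reply-To/References")
    part = next(p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain"))
    body = (part.get_payload(decode=True) or b"").decode(errors="replace")
    text = (subj + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:  # Content: urgency combined with payment language
        found.append("content: pressure/payment wording: " + ", ".join(hits))
    for href, shown in ANCHOR.findall(body):  # Hyperlinks: visible text vs. real target
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if "." in shown and _host(href) != _host(shown):
            found.append(f"hyperlink: shows {_host(shown)} but points to {_host(href)}")
    return found

SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Subject: Re: urgent wire transfer
Content-Type: text/html

<p>Handle this immediately and keep it confidential.</p>
<p>Details: <a href="https://pay.attacker-test.invalid/x">https://vendor.example.com/invoice</a></p>
"""
```

Calling `triage(SAMPLE)` returns four findings, one per check; a plain internal message with no urgency wording returns none.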