What is a Business Email Compromise (BEC)?

Business Email Compromise (BEC) is a form of targeted phishing (spear phishing) aimed at companies of every size and sector. Attackers spoof, or take over through phishing or keyloggers, the publicly documented email accounts of executives, senior finance staff, or employees who handle wire transfer payments, and then use those identities to request fraudulent transfers. Individual incidents have cost companies hundreds of thousands of dollars; for 2016, the reported average loss per BEC attack was US $140,000 for companies globally.


Lure emails typically carry subject lines built from words such as request, payment, transfer, and urgent. Five variants of the scam are commonly distinguished:

  • Account Compromise - An executive's or employee's email account is hacked and used to request invoice payments from the vendors in its contact list. The payments are routed to bank accounts the fraudsters control.

  • Attorney Impersonation - Attackers pose as a lawyer or a member of a law firm supposedly handling a crucial, confidential matter. The bogus requests usually arrive by email or phone and are often timed for the end of the business day, when there is little time to verify them.

  • Bogus Invoice - Companies with foreign suppliers are the usual targets. Attackers pose as a supplier and ask that payment be sent to an account the fraudsters own.

  • CEO Fraud - Attackers pose as the CEO or another executive and email finance staff, instructing them to transfer money to an account the fraudster controls.

  • Data Theft - HR and bookkeeping staff are targeted for the personally identifiable information (PII) or tax statements of employees and executives. The stolen data is then used in later attacks.

Because these messages carry no malicious links or attachments, they slip past controls that key on malware and known-bad URLs. Email authentication (SPF, DKIM, DMARC) blocks outright spoofing of your own domain, but it does nothing against a genuinely compromised account or a message whose display name merely matches an executive's, so employee training and awareness, backed by a fixed out-of-band verification step for any new or changed payment instruction, remain the main defenses.
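As an added example (not code from the original page or from Castle Technology Partners), the following Python script triages raw email messages for the signals described above: an executive's display name on a sender address that is not that executive's mailbox, a Reply-To that diverts replies elsewhere, lure words in the subject, and payment language in the body. The executive roster, the keyword lists, the two-signal threshold and both sample messages are constructed assumptions for the demonstration.

```python
"""Heuristic BEC triage for raw RFC 5322 messages.

Added example for this page; not code from Castle Technology Partners.
The executive roster, keyword lists and sample messages are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed roster: executives whose names a fraudster would most likely
# borrow, mapped to their genuine corporate mailboxes.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Subject words the page lists as typical of BEC lures.
LURE_WORDS = ("request", "payment", "transfer", "urgent")
# Body phrases that usually accompany a funds movement or a bank-detail change.
PAYMENT_PHRASES = ("wire", "bank account", "routing number", "invoice", "transfer")


def _plain_text(msg: Message) -> str:
    """Return the text/plain content of a message, walking multipart bodies."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str) -> dict:
    """Score one raw message on the BEC signals the page describes."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reasons = []

    # 1. Executive display name, but the sending address is not that
    #    executive's corporate mailbox: display-name spoofing (CEO fraud).
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name '{display}' but sender is {addr}")

    # 2. Reply-To differs from From, so the victim's replies reach the
    #    fraudster even when the From address itself looks legitimate.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Lure words in the subject line.
    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        reasons.append("subject lure words: " + ", ".join(hits))

    # 4. Payment language in the body.
    body = _plain_text(msg).lower()
    hits = [p for p in PAYMENT_PHRASES if p in body]
    if hits:
        reasons.append("payment language: " + ", ".join(hits))

    # Threshold chosen for this example: two independent signals. Tune it
    # against your own mail flow before acting on the verdict.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample: a CEO-fraud lure sent from a free-mail account.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe.ceo@freemail.example>
To: payables@example.com
Subject: Urgent wire transfer request
Content-Type: text/plain

I'm in a meeting and can't talk. Please process a wire transfer to the
new vendor bank account below today and confirm once done.
"""

# Constructed sample: an ordinary internal message from the real executive.
BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Board meeting agenda
Content-Type: text/plain

Agenda for Thursday is attached to the calendar invite. See you there.
"""

if __name__ == "__main__":
    for name, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample))
```

The script is a triage aid, not a blocking control: a message that trips the display-name check alone is worth a human look, and a genuinely compromised account trips none of the header checks, which is exactly why the out-of-band verification step for payment changes has to stay in the process regardless of what the filter says.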


BEC was formerly known as the Man-in-the-Email scam. Its operators rely heavily on social engineering to trick unsuspecting employees and executives, impersonating the CEO or any executive authorized to approve wire transfers, and they carefully research and monitor their intended victims and organizations before making the request.


At Castle Technology Partners, we believe in technology that works for you, not against you. We offer BEC training and cybersecurity training. Reach out to us today at www.castletechnologypartners.com/ or call (251) 313-0411 to get started.

