The Growing Threat of BEC Attacks

A corporate email network is an essential digital tool for any mid-sized or large business. The company name in the email address signals that your business is legitimate, and thus evokes more trust from both customers and potential partners.

While it enables quick and easy business communication, corporate mail is also a tasty morsel for scammers and hackers. Even though companies deploy high-end data protection technologies for their email networks, cybercriminals still find loopholes to break through those defenses and use your data in their fraudulent schemes. BEC attacks are one of the biggest threats businesses face.

What Is a BEC Attack and How Does It Work

BEC, or business email compromise, is a type of cybercrime targeting companies with a specific goal in mind, such as invoice fraud or the collection of private data. Typically, the attackers seek to gain access to the email accounts of high-level employees and executives responsible for financial operations. By spoofing the email address and the owner’s identity, or by simply creating an account that looks almost identical to the authentic one, scammers try to make a company employee, customer, or partner transfer funds to their account or hand over sensitive information for use in other cyberattacks. BEC attacks are often preceded by malware intrusions that install harmful software on the victim’s computer, or by social engineering, both aimed at obtaining confidential data and security information.

Here are the five most commonly used types of BEC attacks:

  • Bogus Invoicing is a tactic usually applied to companies with supplier relationships; it is intended to persuade an employee to change the payee details and transfer the money to an alternate account controlled by the criminals.
  • In CEO Fraud, the attacker sends emails on behalf of the company CEO to finance employees, requesting that funds be wired to a fraudulent account.
  • Employee Account Compromise is a scam in which invoices are sent from a hacked employee account to the company’s vendors and customers, with the payments credited to bank accounts controlled by the phishers.
  • Attorney Impersonation is a scheme in which fraudsters pretend to be lawyers or other representatives of law firms and pressure victims into making payments.
  • Data Theft emails are sent to HR and accounting departments requesting personally identifiable information, wage forms, or tax statements for later use in other frauds.

BEC attacks – no one can hide

Recent statistics on BEC attacks are distressing, and the number of attacks is growing rapidly. The Internet Crime Complaint Center reports that within a period of about five years (October 2013 – May 2018), over 78,000 BEC attacks were recorded in the US and internationally. The incidents cover 50 US states and 150 countries worldwide. Within the last three years, the estimated BEC-related global loss totals 26 billion US dollars. The fraudulent funds are predominantly transferred to banks located in Asian countries.

Notably, the BEC threat is not only growing but also evolving. While earlier BEC phishing was mostly a problem for larger companies, today businesses of all sizes are at risk, including smaller organizations.

How to Protect Your Business

You can hardly stop BEC attacks once and for all, since cyber crooks will keep inventing new bogus scenarios and more sophisticated scams to defraud your company. However, there are a number of effective strategies you can employ to protect your business:

  • No free email accounts. Free web-based email accounts are the most exposed to attacks. Acquire your own domain name, which will be authentic and specific to your company.
  • Multi-factor authentication for business email. Require not only a password but also an additional factor to log in, such as a dynamic PIN, an SMS code, or biometric data. This is especially important if you often log in to your email account from different devices. This way, you minimize the risk of a breach even if an attacker has your account name and password.
  • Use protective technologies. There are many technologies and products designed to identify and prevent email fraud. VPN services encrypt your connection so that your email traffic cannot be read by anyone watching the network you are on. Advanced filtering techniques and email gateways can detect potentially malicious emails and send them to spam, while domain protection mechanisms (SPF, DKIM and DMARC) let receiving servers verify that a message really came from your domain. Keep in mind that these checks authenticate the sending domain, not the person, and do not stop a lookalike domain the attacker registered for themselves, so they complement rather than replace the verification steps below. It’s worth taking the time to find the tools and technologies that best suit your business and provide reliable data protection.
  • Avoid opening emails from unknown senders. When you receive dozens of emails daily, chances are high that one of them carries malicious software. If you do open such an email, never click suspicious attachments or links.
  • Don’t share too much online. Sharing too much of your personal and business data on social media helps cybercriminals build credible employee profiles. Avoid posting full names and addresses, job descriptions, and similar details.
  • Verify wire transfer and data requests. To avoid financial fraud and data theft, establish a standard procedure of dual verification. Before sending any confidential data or transferring funds, your employees should double-check the request with the recipient, either in person or by phone, using contact details already on file rather than those given in the email.
  • Know your business contacts. In most cases, you have some sort of standard operating procedure for communication and transactions with your customers and vendors. If something in their habits suddenly changes, it might be fraud. For example, if they want to use a different email address or a different bank account, verify the change through another channel.
  • Train your staff. Forewarned is forearmed. Raising your employees’ awareness of BEC dangers is one of the best ways to stay safe. Run ongoing security awareness programs that teach employees how to recognize fraudulent emails and make sure they know the rules that apply to confidential information, financial data, and other security-relevant records in your company.
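As an added example (not code from the article or its author), the following Python checks a single inbound message for several of the warning signs discussed above: an executive's display name on an address that is not theirs, a lookalike sender domain, a Reply-To that steers answers to a different domain, and failed SPF/DMARC verdicts recorded by the mail gateway. The executive list, the trusted domains and the sample message are constructed for illustration, and the lookalike domain in the sample deliberately passes SPF and DMARC to show why those checks alone are not enough.

```python
import email
from email import policy
from email.utils import parseaddr
# Constructed reference data (assumed, not from the article): executives likely
# to be impersonated and the domains we actually do business with.
EXECUTIVES = {"jane doe": "jane.doe@ourcompany.example"}
TRUSTED_DOMAINS = {"ourcompany.example", "acme-supplies.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw_message):
    """Return the BEC warning signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    findings = []
    # CEO fraud: an executive's display name on an address that is not theirs
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name impersonation of " + name)
    # Lookalike domain: close to, but not equal to, a domain we trust
    for known in TRUSTED_DOMAINS:
        if from_dom != known and edit_distance(from_dom, known) <= 2:
            findings.append(f"lookalike domain {from_dom} ~ {known}")
    # Reply-To steering answers to a different domain than the visible sender
    reply_to = msg.get("Reply-To")
    if reply_to and parseaddr(str(reply_to))[1].rpartition("@")[2].lower() != from_dom:
        findings.append("reply-to domain differs from From domain")
    # SPF/DKIM/DMARC verdicts stamped by our own gateway; a lookalike domain
    # the attacker registered themselves can still pass all three.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("sender authentication failed")
    return findings

SAMPLE = """\
From: Jane Doe <jane.doe@ourcornpany.example>
Reply-To: Jane Doe <j.doe.ceo@webmail.example>
Authentication-Results: mx.ourcompany.example; spf=pass; dmarc=pass

Please pay the attached invoice to the new account today.
"""
```

Running `assess(SAMPLE)` flags the display-name impersonation, the "ourcornpany" lookalike and the foreign Reply-To even though SPF and DMARC both passed; in a real gateway these findings would feed a quarantine or a banner rather than a hard block.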

Although not as well known as other phishing schemes, BEC attacks are by far the most costly type of scam. We often pay no attention to what turns out to be a real threat. Hence, pairing effective email security measures with personnel training is the best way to cut down the risk of BEC attacks for your business.

About the Author

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
