Business Email Compromise (BEC) is a scam in which criminals take over, or convincingly spoof, a business email account and impersonate its owner. The aim is to deceive the company, its customers, employees or partners into sending money or sensitive data to an account the attacker controls. Attackers usually target companies that deal with international suppliers and pay them by wire transfer. Corporate email accounts of executives or senior staff involved in finance are spoofed, or compromised through phishing and other social engineering, and then used to authorise fraudulent transfers. Losses from a single incident commonly run from thousands to millions of dollars.
BEC attacks are also known as "Man-in-the-Email" scams, a name borrowed from man-in-the-middle attacks, in which an attacker sits between two communicating parties, reading and altering the messages passing in both directions.
How Business Email Compromise Works
BEC scams start with reconnaissance. The attacker researches publicly available information to identify suitable targets, working through the company website, social media and press releases. From these they piece together the organisation's hierarchy, the names and job titles of senior executives, and sometimes travel plans, which out-of-office auto-replies conveniently reveal. They then try to gain access to the target mailbox using malware, phishing or other social engineering. To stay undetected once the scam is under way, they may set a "Reply-To" address on the fraudulent messages so that replies go to the attacker rather than to the account's real owner, or create mailbox rules that hide or forward those replies, so the owner never sees the exchange.
Another approach is a spoofed, look-alike email address that differs from the genuine one by only a character or two. For instance, instead of jane.doe@example.com the attacker may register jane.doe@exampleinc.com; a recipient who does not look closely may assume the extra "inc" in the domain is simply the company's official address. A real-world example is the domain "Paypa1.com", with the digit 1 in place of the letter l, which hosted a scam site imitating the payment service paypal.com.
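To make the two warning signs above concrete, here is an added example (not code from the original article, and not Kaine Mathrick Tech's own tooling) that inspects the headers of a raw message for a diverted Reply-To, a look-alike sender domain and an executive's display name on an outside address. The organisation's domain (example.com), the protected vendor domain (paypal.com), the executive name and the four sample messages are all assumptions constructed for illustration.

```python
"""Added example: flag common BEC indicators in a raw email's headers.
Checks: (1) Reply-To domain differs from the From domain; (2) From or
Reply-To domain is a look-alike of a protected domain (extra tokens such
as "inc", a swapped TLD, a one-character edit, or a digit-for-letter
homoglyph such as paypa1.com); (3) a known executive's display name on
an external address. All domains, names and messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                      # assumed: the organisation's own domain
PROTECTED_DOMAINS = {OUR_DOMAIN, "paypal.com"}  # assumed: own domain plus key vendors
EXECUTIVES = {"Jane Doe"}                       # assumed: names attackers would impersonate

# Character swaps that look alike at a glance; undone before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s", "7": "t"}


def normalise(domain):
    """Lower-case a domain and reverse common homoglyph substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, protected=PROTECTED_DOMAINS):
    """Return the protected domain that `domain` imitates, or None when it
    is that domain itself (or a subdomain of it) or simply unrelated."""
    d = domain.lower()
    if any(d == real or d.endswith("." + real) for real in protected):
        return None                                   # genuine, not a look-alike
    label = normalise(d).split(".")[0]                # registrable label, e.g. "exampleinc"
    for real in protected:
        real_label = real.split(".")[0]
        if normalise(d) == real:                      # paypa1.com -> paypal.com
            return real
        if label != real_label and real_label in label:   # exampleinc.com, example-inc.com
            return real
        if edit_distance(label, real_label) <= 1:     # exmaple.com, or example.org (TLD swap)
            return real
    return None


def analyse(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []
    # 1. Replies silently routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    # 2. Look-alike domains in either header.
    for header, domain in (("From", from_domain), ("Reply-To", reply_domain)):
        target = lookalike_of(domain) if domain else None
        if target:
            findings.append(f"{header} domain '{domain}' imitates protected domain '{target}'")
    # 3. An executive's display name on an address outside the organisation.
    external = from_domain != OUR_DOMAIN and not from_domain.endswith("." + OUR_DOMAIN)
    if from_name in EXECUTIVES and external:
        findings.append(f"Display name '{from_name}' matches an executive but '{from_addr}' is external")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "diverted_reply": (   # spoofed From on the real domain, replies go to a look-alike
        "From: Jane Doe <jane.doe@example.com>\n"
        "Reply-To: Jane Doe <jane.doe@exampleinc.com>\n"
        "To: accounts@example.com\nSubject: Urgent wire transfer\n\n"
        "Please process the attached invoice today.\n"),
    "homoglyph_brand": (  # digit 1 in place of the letter l
        "From: PayPal Billing <billing@paypa1.com>\n"
        "To: accounts@example.com\nSubject: Payment failed\n\n"
        "Update your payment details.\n"),
    "exec_webmail": (     # executive's name on an outside mailbox
        "From: Jane Doe <jane.doe.ceo@freemail.example>\n"
        "To: accounts@example.com\nSubject: Are you at your desk?\n\n"
        "I need a favour, reply ASAP.\n"),
    "legitimate": (       # genuine internal message from a subdomain
        "From: Jane Doe <jane.doe@mail.example.com>\n"
        "To: accounts@example.com\nSubject: Q3 budget\n\n"
        "See attached.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", analyse(raw) or ["no findings"])
```

Run it directly to see the findings for each sample. The look-alike test is deliberately heuristic: the homoglyph table and a Levenshtein distance of one will also match some innocent domains, so in production treat a hit as a reason to quarantine or warn rather than to block outright, and seed PROTECTED_DOMAINS from your own domain and your real supplier list.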
After monitoring official communications for some time, the attackers decide which scam strategy is most likely to succeed. They know who is responsible for wire transfers, and they manufacture a scenario convincing enough to prompt a quick transfer of funds.
Types of Business Email Compromise
Five common forms of BEC scam are described below.
Fake Invoice Schemes
In this type of scam, the targeted companies are usually those with foreign suppliers. The attacker poses as the supplier and asks for payment of a genuine-looking invoice to be sent to a bank account the attacker controls.
CEO Fraud
In CEO fraud, the attackers impersonate the CEO or another senior executive and email staff in the finance department, asking them to transfer money to an account the attacker controls, usually with a plausible reason for urgency and secrecy.
Account Compromise
In an Account Compromise, the attacker takes over an employee's real mailbox and uses it to send invoice payment requests to vendors and customers listed in that employee's contacts. Because the requests come from a genuine address they pass most checks, and the payments go to the attacker's bank account.
Attorney Impersonation
In this type of scam, the attacker pretends to be a lawyer supposedly handling confidential matters for the company and demands immediate payment to keep everything confidential. These requests usually arrive by phone or email, and often at the end of the business day when there is least time for scrutiny.
Data Theft
Business email compromise attacks do not always have an immediate monetary motive. Attackers also seek trade secrets or the Personally Identifiable Information (PII) of executives and staff, usually by targeting accounts and HR employees. Cyber criminals may keep this data to support further attacks in future.
How to Protect Against BEC Attacks
Before looking at how to protect a business against BEC attacks, it is important to understand why they succeed. There are three main reasons: effective social engineering, insufficient security controls and a lack of employee awareness. If a cyber security policy targets all three areas, a business can substantially reduce its exposure to these attacks.
Firstly, make multi-factor authentication a mandatory part of your IT security policy. MFA helps prevent unauthorised mailbox access even when a password has been phished, particularly when the attacker logs in from a new device or location. Enforce email authentication (SPF, DKIM and DMARC) on your own domain so that messages forging your address are rejected, and have your mail system clearly tag messages that arrive from outside the organisation. It is also vital to train employees regularly in cyber security best practice; the evolving threat landscape requires proactive, up-to-date training. Employees need to know how to spot these scams and avoid falling for them: how to recognise fake or look-alike sender addresses, and to be sceptical of urgent money transfer requests, especially those that appear to come from executives. Never act on a payment request or a change of bank details until it has been verified by phone on a number already on file, or in person, and never use contact details supplied in the email itself.
Current State of BEC Attacks
According to a recent Targeting Scams report by the Australian Competition and Consumer Commission (ACCC), Australian businesses lost around $132 million to BEC attacks in 2019, the highest financial loss of any scam type that year. In the same year, a man in Lithuania was convicted of single-handedly stealing $123 million through BEC scams targeting Facebook and Google. He registered a fake business impersonating a legitimate supplier of the two tech giants and forged invoices, letters and contracts to make his payment requests look legitimate to the recipients.
Two global tech giants fell victim to a BEC attack. This is a practical example of why cyber security matters for every business. These companies invest heavily in training and employ security professionals tasked with protecting against every kind of cyber attack. If it can still happen to them, it can happen to any other business. Business Email Compromise scams are a serious threat, and cyber security measures need to improve proactively to keep pace.
Kaine Mathrick Tech’s Cyber Security Solution
Discover your business's cyber strengths and shortcomings when faced with Business Email Compromise with our FREE Cyber Security Risk Assessment. We offer a complete Cyber Security solution, tailored specifically to your business, to help minimise downtime and financial risk if you are confronted by a cyber attack. To find out more about how best to protect your business, book a FREE Cyber Security Assessment with us here.