Business Email Compromise: Recognize It If You Can

BEC (Business Email Compromise) is an advanced email cyber-crime scam, when an attacker poses as someone the recipient should trust. He can pretend a colleague, boss, or supplier to make the victim transfer the funds to a wrong bank account, or urgently pay a fraudulent invoice.

According to the FBI report, in 2020 BEC scams resulted in $1.8 billion loss for companies – far more than via any other type of cybercrime, including ransomware. Here is a few tips you need to know about BEC to be able to withstand it.

It happens even to giants

When going on stage, attackers may adopt different strategies, including targeting long-standing wire-transfer relationships with a supplier. Alternatively, he can also pretend to be a new partner, that makes it more difficult to recognize fraud.

This is what happened to Google and Facebook in 2013-2015, when they became victims of the biggest BEC with the collective loss amount of almost $121 million.  A fake company “Quanta Computer” impersonating their real hardware supplier provided the technological giants with invoices, that were properly paid.

My team can recognize the manipulation, can’t it?

BEC scam is also known as CEO Fraud, as  hackers often impersonate senior company executives or CEOs, aiming to trick you into transferring money to a fraudulent account owned by themselves or revealing sensitive information. It is all about authority as well as sense of urgency that are catalysts for 432 combinations of phishing attack vectors, aiming to leverage from human emotion manipulation. The attacks often bet, that the presence of a C-suite executive as the sender would guarantee  the malicious email to get the employee’s attention and make him easily fall into the trap.

“We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly.” – this is a part of an accurately crafted fraudulent email to an employee at Scouler Co. The criminals successfully impersonated his boss, that resulted in $17.2 million acquisition scam incident.

Higher BEC probability follows other security incidents

Once cybercriminals have identified the target company, a true analysis starts. Trying to get as much information as possible, they look for the corporate organization structure, including the names of executives and associated employees, study the communication habits of key individuals, or intentionally send spam emails to see if the executive is out of the office. This reconnaissance phase can last from a few days to a few months, and it’s aimed at gaining maximum credibility, when springing into action. Any successful security breaches in the past can also prepare the ground for a successful scam realization.

In 2019 after experiencing a few cyber-attacks, Toyota ended up in a BEC incident. Knowing enough internal details, the attackers managed to convince the company’s employee to transfer $37 million dollars to a foreign account, presumably belonging to the company’s European subsidiary. In other real life cases fraudulent emails are often followed up by phone calls from a person who may sound very reliable to clarify any concerns about the payment.

How to protect your company

Business Email Compromise scam exposes companies of all sizes to severe financial risks and losses. However, there are actions you can take to help better prepare your employees, monitor your systems, and safeguard large financial transactions:

• Use multi-factor authentication for all key applications, in order to minimize the risks associated with credential theft and compromise
• Implement a solution, which is able to detect incoming fraudulent emails
• Establish policies for authorizing large wire transfers and unexpected payments
• Train your employees to keep them alert to the most recent methods of attack and how to detect them, making them understand how to spot suspicious emails and handle them

Image by CC Express