Business Email Compromise (BEC) scams are a growing problem, costing U.S. companies over $1.5 billion in business losses, according to the FBI’s statistics. As one of the most dangerous cyber threats targeting businesses of all sizes, it’s important to understand what it is, how it works and how to detect one.
What is a Business Email Compromise (BEC) Scam?
It’s a cyberattack in which the attacker gains access to a business email account and then spoofs the owner’s identity, most often for the purpose of defrauding the target (or its employees, customers or partners) of money. An alternative to a spoofed email is to create one that is very, very similar to one that is on the corporate network – perhaps just off by one or two characters. (EX: CompanyABDC.com instead of CompanyABCD.com.)
Under both scenarios, the attacker can use the identity of someone on an established corporate network to then trick one or more of that person’s contacts into sending them money (or information).
BEC scams are also referred to as man-in-the-middle attacks, as well as spear phishing. They are generally associated with social engineering tactics as well, since they will often create an extreme sense of urgency around the request.
What makes this type of scam so dangerous is how targeted and well-crafted the emails often are. They usually appear to be coming from high-ranking individuals – business leaders that lower level employees aren’t necessarily going to question or challenge, even if the request seems unusual.
The most sophisticated criminals will even monitor corporate communications for an extended period of time, gathering information about standard operating procedures, communication styles and the best timing for a financial request.
As a result, a thoroughly researched and smartly crafted BEC email can be virtually impossible to detect until it’s too late.
How Does a BEC Scam Work?
As noted above, the intent of this scam is often to steal money. But increasingly, the goal is personal information - such as an employee's W-2 -- that can then be used for identity theft or other malicious purposes.
In its most traditional form, a BEC includes a spoofed email from an authority figure within a company, sent to the person who is authorized to transfer funds. A good one will look just like a legitimate email, and will also mimic the normal tone and communication style of the supposed sender.
Because they mirror an authentic request so closely and because they tend to be from authority figures, they very rarely rouse any suspicion. As a result, the request is approved and the transfer or change request is carried out, or the personal information is sent. And once the money or information (or both) are in the attacker’s hands, there is no way for a business to get it back.
Some specific examples of how BEC can be used to defraud a business include:
- The criminal spoofs an executive’s email such as the CEO, and then sends a request to the finance team or HR to make an emergency payment via wire transfer
- The attacker might use an employee’s email to send a change in payee information, redirecting legitimate payments to the business into the attacker’s own account instead
- An email from an attorney’s network can be used to pressure a business to make a payment immediately…these are often sent at the end of the business day, leaving the recipient with little time to decide
- A BEC scam may be used to gather additional personal and confidential information and build up a target’s profile for later use
- Businesses may be targeted using customer accounts…for example, a financial services firm may be targeted with an email that appears to be from a client, requesting a wire transfer
How to Detect – and Avoid – a BEC Scam
Because these scams are much more sophisticated, they are by nature difficult to detect. Looking for grammatical errors, misleading URL’s, or even differences in the tone of voice (all the typical red flags of a phishing attack) might turn up no obvious red flags, even when it is a BEC scam.
But that doesn’t mean you can’t protect yourself. With BEC scams, self-protection policies are your best line of defense.
- Protect your email – the better security you have around your email, the less likely it is that it can be spoofed to begin with. Your business should establish a secure company domain instead of relying on free web-based email accounts.
- Be careful about how much information gets shared via your website, social media sites, and even out-of-office messages
- Register all company domains that are slightly different than your actual company domain; this can protect you from missing an email from a domain that is just one character different from yours (i.e. jsmith@your_company.com vs. firstname.lastname@example.org)
- Train your entire team about the red flags of a phishing attack, social engineering tactics, and BEC scams so that everyone is aware and knows to be alert and even suspicious
- Immediately flag any emails that contain the words “urgent”, “sensitive” or “secret” and require further verification before proceeding
- Require two-step verification for ANY financial transaction that is requested via email…either call the person directly, or create a new email and enter the person’s known email address – don’t use "reply", as that will just get routed to the attacker who will happily verify it.
- Verify directly with the supposed sender any request – for information or money – that seems out of character or odd in any way
- Have standard procedures in place with your HR and/or Finance Team so that they know they have leeway to verify anything that seems questionable or at all suspicious. These scams work in part because they rely on the established hierarchy, so as a business leader it’s important that you break down those barriers so team members feel comfortable expressing concern, even if they are unfounded.
- Make sure you have anti-virus and anti-malware software installed and that it’s kept up to date – this is often how an attacker gains access to your network initially
- Enabling Multi-Factor Authentication (MFA) can also help protect email accounts from being compromised to begin with
Want more great technology updates, news and other industry information delivered directly to your inbox? Subscribe to the blog and each week you'll get new useful tech news you can use!