Business Email Compromise is a form of cybercrime in which an attacker gains control of a victim's business email account and impersonates its owner to defraud the company and its employees. It is usually a spear phishing attempt in which a top executive of an organization is targeted and the organization's data is exploited. It is also described as the "man in the email" attack. Over the past three years, BEC schemes have caused at least $5.3 billion in total losses to approximately 24,000 enterprises around the world.
According to the 2020 Verizon Data Breach Investigations Report, phishing attacks are considered the top threat action. Credential theft and social attacks such as phishing and Business Email Compromise (BEC) are at the heart of most breaches. Victims of BEC scams reported $1.78 billion in losses to the FBI's Internet Crime Complaint Center in 2019. Examples include invoice scams and spear phishing spoof attacks designed to gather information for other criminal activities. According to the FBI, there are five types of Business Email Compromise (BEC) scams:
- The Bogus Invoice Scheme
Companies with foreign suppliers are targeted with this trick: attackers pose as a supplier and request that payment be transferred to an account managed by the fraudsters.
- CEO Fraud
Attackers pose as the CEO and send an email to the Finance team of the company and ask them to transfer money to an account that the attackers control.
- Account Compromise
An executive's or employee's email account is hacked, and an email is sent to a vendor in the victim's contact list requesting a fund transfer to an account controlled by the attacker.
- Attorney Impersonation
Attackers pose as an attorney or someone from the law firm and pretend to be taking care of confidential and immediate matters. Such emails are usually sent at the end of the day.
- Data Theft
Employees in HR and bookkeeping roles are targeted to obtain Personally Identifiable Information (PII) and/or tax statements of employees and executives. This information is recorded and used for future attacks.
In general, Business Email Compromise (BEC) scams are carried out in four steps:
Step 1: Identify a target
Organized crime groups gather publicly available information about a business online and develop a profile of the company and its executives.
Step 2: Grooming
Spear phishing emails and telephone calls are targeted at the company’s executives. The victim is usually a top executive of a company who has easy access to the company’s confidential information.
Step 3: Exchange of Information
The attacker's spear phishing email looks as if it was sent from a trusted sender asking for confidential information. The victim is convinced that the source of the email is genuine and conducts what appears to be a legitimate business transaction. In most cases, the victim is then provided with wiring details to transfer the requested amount.
Step 4: Wire Transfer
Upon transfer, the funds are steered to a bank account controlled by the organized crime group. It does not stop there: the perpetrators may continue to lure the victim into transferring more funds.
According to the annual report released by the Internet Crime Complaint Center (IC3), the following table illustrates the financial magnitude of the risk.
| Year | Total Financial Losses | Loss from BEC | % of Total Financial Losses from BEC |
| --- | --- | --- | --- |
Overall, Business Email Compromise (BEC) attacks have resulted in losses of over $3 billion, and this number is expected to rise to $20 billion this year due to the increased usage of IoT devices, which are easier targets for ransomware attacks. These scams tend to evade traditional IPS/IDS solutions since they do not contain any malicious links or attachments. When a person discovers that they are the victim of such an incident, they should immediately contact their financial institution to recall the funds. Then, they should file a complaint with www.ic3.gov or, for BEC/EAC victims, BEC.IC3.gov.
The best way to avoid exploitation is to verify the authenticity of the emails by checking with the executive by phone or in person. Additional defenses against Business Email Compromise (BEC) attacks recommended by the FBI are:
- Intrusion Detection System Rules – Set up rules to detect and flag spoofed email accounts. For example, if the legitimate domain is xyz_business.com, a rule would flag an email from xyz-business.com as fraudulent.
- Email Rules – These flag email communications where the Reply-To address differs from the From address.
- Color Coding – Categorize emails so that messages from internal employee accounts are shown in one color and messages from external accounts in another.
- Payment Verification – Verify changes in vendor payment details with a second factor, such as a secondary sign-off by company personnel.
- Confirmation Requests – Develop a policy that requires phone verification as a second factor, using previously known phone numbers rather than numbers supplied in the suspicious email.
- Careful Scrutiny – Examine each email request for transfer of funds to determine if the requests are out of the ordinary.
- Employee Security Awareness Campaign – Implementing effective security awareness training for your employees is the best defense against a BEC attack. It empowers them to distinguish fraudulent emails from genuine ones.
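The first two FBI recommendations above (flag look-alike sender domains, flag a Reply-To that differs from the From address) can be expressed as simple mail-filter rules. The following is an added example written for this article, not code from the FBI or Idenhaus; the trusted domain xyz_business.com is taken from the text, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the organization legitimately sends from (the xyz_business.com
# example used in the FBI recommendations above).
TRUSTED_DOMAINS = {"xyz_business.com"}

# Characters that read alike in a mail client, folded to one canonical form.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s"})

def normalize_domain(domain: str) -> str:
    """Fold separators and look-alike characters so that xyz-business.com
    and xyz.bus1ness.com compare equal to xyz_business.com."""
    return re.sub(r"[-_.]", "", domain.lower()).translate(_HOMOGLYPHS)

def header_domain(value: str) -> str:
    """Domain part of an address header such as 'CEO <ceo@example.com>'."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()

def inspect(raw_message: str) -> list:
    """Return the names of the rules that fire for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg.get("From"))
    reply_domain = header_domain(msg.get("Reply-To"))
    findings = []
    # Rule 1: sender domain is not ours but collapses to one of ours.
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        if any(normalize_domain(from_domain) == normalize_domain(t) for t in TRUSTED_DOMAINS):
            findings.append("LOOKALIKE_DOMAIN")
    # Rule 2: replies would be diverted to a different domain than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append("REPLY_TO_MISMATCH")
    return findings

# Constructed sample messages, not real traffic.
SAMPLES = {
    "hyphen_lookalike": "From: CEO <ceo@xyz-business.com>\nTo: ap@xyz_business.com\n"
                        "Subject: Urgent wire\n\nPlease process today.\n",
    "reply_to_diverted": "From: CFO <cfo@xyz_business.com>\nReply-To: cfo@example.net\n"
                         "Subject: Vendor bank change\n\nNew account attached.\n",
    "legitimate": "From: CFO <cfo@xyz_business.com>\nTo: ap@xyz_business.com\n"
                  "Subject: Q3 close\n\nReminder for Friday.\n",
}

def triage(samples: dict) -> dict:
    """Run both rules over every sample and return {name: findings}."""
    return {name: inspect(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name:20s} {findings or ['clean']}")
```

A look-alike hit or a Reply-To mismatch on a payment request is a signal to route the message for the phone verification described below, not proof of fraud by itself.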
Enterprise security is essential, and a compromised email system can seriously damage the company’s reputation, bottom line, and legitimate business interests. Safeguarding a company’s finances and privacy will ensure business longevity.
This article was written by Prajna Priyadarshini, Cybersecurity Analyst at Idenhaus Consulting.