BEC scams prey on employees' best intentions.
Since 2013, a new type of cybersecurity scam has been targeting businesses that perform money transfers. BEC, also known as Business Email Compromise, uses phishing and social engineering techniques to strategically steal money from a company. The theft usually occurs through manipulation of an employee via email. BEC has cost over 14,000 U.S. businesses almost a billion dollars in losses, and the FBI has reported that BEC fraudsters have tricked victims in all 50 U.S. states and in 100 countries1. Fortunately, there are ways for a company to defend against BEC, and it starts with education and awareness.
What is a BEC Attack
In a BEC attack, a thief poses as a high-level executive or employee to instruct others to transfer money to a controlled account. The thief then withdraws the funds. When a high-level executive’s email is compromised, it is frequently referred to as CEO compromise. In that scenario, the fraudster poses as the CEO and emails an employee that typically handles transfers. The email includes urgent instructions for wiring an amount of money to a specified account. If an employee’s email is compromised, the fraudster will often use their contact list to instruct customers to send payments to an account. In the majority of BEC scams, once the fraud is discovered it is too late for the funds to be recovered.
How It Works
BEC fraudsters impersonate CEOs and employees in a few different ways. In one form, they use phishing techniques to gain access to the target’s email account. The employee might receive an email that contains a malicious link or attachment, which infects their computer with malware when clicked. The fraudster can then take control of the target’s computer or gain additional proprietary information. They can also use the target’s email account to send emails directly from their address.
Sometimes, instead of breaking into an email account, a fraudster will mimic the target’s email address. They may set up a domain that is similar to the company’s web address: for instance, .co instead of .com. This allows them to create an email address that is nearly identical to that of the target. The fraudster can then pose as the CEO or employee in order to send fraudulent instructions.
To ensure their emails are convincing and effective, fraudsters often study their targets and the company. They analyze email history, corporate website data, contact lists and social media accounts to understand company processes, roles and the characteristics of their target. In CEO compromise, this can also give them a sense of the CEO’s travel schedule, and BEC attacks are often timed for when they will be out of the office. In that case, the employee is unable to verify the request with the actual CEO. Through their reconnaissance, fraudsters are also able to prey upon new employees who are not trained or experienced with transfer requests for the organization; lack of controls around money transfer requests received via email or phone, and insufficient authentication processes for initial requests.
How to Spot It
Understanding and anticipating this growing threat can help prevent significant losses. As the threat tactics continue to evolve, common BEC characteristics to be aware of may include:
- Use of similar domain names
- Grammatical errors
- Vague details around what the funds will be used for
- A sense of urgency around a request
- References to a tragic outcome if funds are not received within a certain timeframe
- A direct request for confirmation when the transfer is complete
- Appeals for secrecy or confidentiality
If you suspect you have received a BEC email follow your defined response process. If your organization does not have one you should alert your manager.
Ways to Mitigate BEC Attacks
A combination of process improvement, employee training and security mitigations can help decrease the risk of becoming a target. The following controls should be considered for protecting your organization from a BEC attack:
- Train your employees on authentication processes for approving transfer requests.
- Never authorize or initiate wire transfers based on an email request.
- Call the person directly to confirm a request. Do not call any contact information in the email.
- Educate employees and train them to identify scams.
- Verify changes to vendors’ payment location with two-factor authentication.
- Avoid posting financial and personnel information to social media and corporate websites.
- Register all internet domains that are nearly identical to your company’s domain.
- Create spam detection rules that flag close variations on the corporate domain.
- Conduct social engineering testing, including by phone and email, to test employees’ awareness of security threats.
BEC attacks are targeted, strategic and convincing, but they are not foolproof. A discerning eye and quick phone call can be all it takes to stop a BEC scam. Incorporating this emerging threat to your organization’s training on security threats can help spread awareness, advocate best practices and improve precautions against cyber theft.
Source: Federal Bureau of Investigation, Public Service Announcement I-061416-PSA, June 14, 2016, https://www.ic3.gov/media/2016/160614.aspx