Business email compromise is projected to skyrocket as attackers adopt sophisticated techniques to dupe their victims.
Business email compromise (BEC) attacks are projected to exceed $9 billion in 2018. The attacks continue to become more sophisticated and fleece more money from U.S. businesses.
How it works
There has been an increase in computer intrusions linked to BEC scams, in which fraudsters impersonate high-level executives, send phishing emails from seemingly legitimate sources, and request wire transfers to alternate, fraudulent accounts. In some cases these methods lead to a successful intrusion and unfettered access to the victims’ credentials.
The Internet Crime Complaint Center (IC3) puts BEC attacks in five categories: Bogus Invoice Schemes, CEO Fraud, Account Compromise, Attorney Impersonation, and Data Theft. More information is available from the Federal Bureau of Investigation (FBI) IC3.
The combination of simplicity and effectiveness has ensured that BEC will continue to be one of the most popular attacks, according to a January 18, 2018 Trend Micro report, “Delving into the World of Business Email Compromise (BEC).” Researchers analyzed BEC as a cybercriminal operation from January through September 2017, dissecting the tools and strategies commonly used in these attacks to predict activity for this year.
Rather than using the five IC3 categories, the Trend Micro researchers split BEC attacks in two: credential-grabbing and email-only. Attackers must be proficient in at least one of these methods for the scheme to work, the researchers report.
Defending against the scam
Businesses are advised to stay vigilant and educate employees on how to avoid being victimized by BEC scams and similar attacks. It’s important to know that cybercriminals do not care about your company’s size: the more victims, the better. Additionally, cybercriminals need not be highly technical, as the cybercriminal underground offers tools and services that cater to all levels of technical expertise. Here are some tips on how to avoid these scams:
• Employee awareness and education is the first step. Organizations should train employees how to spot phishing attacks.
• Email is often used to perform BEC attacks, relying on deception and social engineering to trick employees into downloading files, visiting websites or providing information. End users should know what to look out for when it comes to email—as even the most convincing BEC attacks typically have telltale signs that can be used to distinguish a legitimate email from a malicious one.
• Verify the legitimacy of fund transfer requests, especially those that involve large amounts. A request that appears to come from an executive is not necessarily legitimate. If anything about it is unusual or suspicious, confirm it directly with the person who supposedly sent it.
• For vendors and suppliers, verify payment requests and invoices before transferring funds. If a vendor or supplier suddenly provides different payment details, treat it as a red flag and require a secondary sign-off by company personnel before honoring the change.
• Any request should be verified and challenged. If a request arrives by email, confirm it by phone or face to face with the person who supposedly made it. Use known-good telephone numbers from your own records, never the numbers given in the email.
• Build a culture of security within the organization, from top to bottom.
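As an added example (not code from the original article or from Trend Micro), the following Python script shows how the telltale signs described above can be checked mechanically on an inbound message: an executive’s display name on an address that is not theirs, a sender domain one character away from the real one, a Reply-To that quietly redirects replies elsewhere, an SPF or DKIM failure recorded by the receiving mail server, and urgent payment language in the subject or body. The executive list, the company domain, and both sample messages are constructed for this example and are not real mail.

```python
"""Flag common BEC telltale signs in a raw RFC 5322 message (added example)."""
from email import message_from_bytes, policy
from email.utils import parseaddr

# Hypothetical organisation data: who may be impersonated and which domains are ours.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
OUR_DOMAINS = {"example.com"}
URGENCY = ("urgent", "asap", "immediately", "right away", "confidential")
PAYMENT = ("wire", "transfer", "invoice", "payment", "bank details")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one edit from ours (examp1e.com) is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: bytes) -> list[str]:
    """Return the telltale signs found in one message; an empty list means none."""
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []

    # 1. A known executive's display name on an address that is not theirs.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        findings.append(f"display-name impersonation: '{name}' <{addr}>")

    # 2. Sender domain within one edit of a legitimate company domain.
    if from_dom not in OUR_DOMAINS and any(_edit_distance(from_dom, d) <= 1 for d in OUR_DOMAINS):
        findings.append(f"lookalike domain: {from_dom}")

    # 3. Reply-To sends replies to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"reply-to mismatch: {addr} -> {reply}")

    # 4. The receiving mail server recorded an SPF or DKIM failure.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("SPF/DKIM failure in Authentication-Results")

    # 5. Urgent payment language, the social-engineering lure itself.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        findings.append("urgent payment request in subject/body")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@freemail.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

I need a wire transfer processed immediately for a confidential deal.
Reply to this address only and do not call me, I am in a meeting.
"""

LEGIT = b"""From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Subject: Q3 planning
Content-Type: text/plain; charset=utf-8

Let's meet Tuesday to review the plan.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

None of these checks is proof of fraud on its own, and a compromised real mailbox (the account-compromise category above) will pass the first four cleanly. That is why the script only reports indicators for a human to act on, and why the out-of-band verification in the tips above remains the control that actually stops the transfer.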
What to do
If you suspect that you have been the victim of a BEC email, report the incident to your company and your financial institution immediately. Also consider filing a complaint with the IC3, regardless of the amount involved.