Business Email Compromise (BEC)

One of the most sneaky and costly cyberattacks is CEO Fraud, also known as Business Email Compromise (BEC). Either through Spearphishing Attacks, malware, or by gaining access to your cloud-based business email accounts, scammers collect data to obtain essential information such as who you pay and how.

With this information in hand, they attempt to trick your company into wiring money to an account they set up, which cannot be traced. Exploitations like these have been around for more than five years, but BEC activity has doubled in the past year. 

This is how they do it:

  1. Scammers pick a target. They search through the directories of social media websites such as LinkedIn or they go to the company’s website and look for the names of people who work there. They are especially looking for executives who have authorization to transfer money. It is not hard for them to find most of the company’s corporate officers and personnel through these channels.
    1. Scammers groom the target(s) they pick. They send emails to the target or call them on the phone to invite him/her to begin a correspondence with them. This is called spoofing. If the target responds, the scammers can view his/her email address and signature.
    2. The scammers then may set up fake email addresses and URLs by adding an extra character to make them look similar to the target’s at a glance.
    3. Other times they may just copy the name and attach another email address to it. Since some email applications only show the name, the false address behind it can be hidden.
    4. Sometimes scammers create a full email server that looks like the target’s server with a change of one character. E.g., mary.smith@companyllc.com vs. mary.smith@companylllc.com. If the coworkers at the target company just glance at this email address (as we all usually do), they most likely will miss the extra l.
  2. Once the scammers engage the target in a fictitious company project or transaction, they give instructions to wire the money to their account. Other times they act as a vendor giving new wiring instructions with the scammers account information. They might also impersonate the CEO and give instruction to the CFO to wire money to an account. The target believes they are working with a partner company or a supervisor who is giving them these instructions.
  3. The target wires the money to the untraceable account and the company never sees it again.

BEC scams may seem unlikely, but it actually happened to the Puerto Rican government which lost $2.6M and to a Tech Manufacturing company which lost $47M.

Puerto Rico government loses $2.6M in phishing scam

Ubiquiti Networks Says It Was Victim of $47 Million Cyber Scam

Between January 2014 and October 2019, the Internet Crime Complaint Center received complaints totaling more than $2.1 Billion in actual losses from BEC Scams.

FBI Public Service Announcement on April 6, 2020

Every one of your employees should be on the alert for spoofed emails. One of the most effective practices to avoid BEC scams is to train your workforce to voice-verify before transferring funds. If there are any account changes, especially new place-to-route payments, they should be approved verbally by one or two people up the corporate chain and by one or two people at the receiving company.

Another way to fight BEC is to use Multifactor Authentication (MFA) to protect your email accounts. Weak passwords are chinks in your company’s cyber armor.

Learn how MFA works.

Read the full article on email scams on the FBI’s webpage: Business Email Compromise on the Rise