Protect Your Business Against Email Compromise Attacks

Business Email Compromise (BEC) is a fast-growing cybersecurity threat faced by all businesses, especially small and medium-sized businesses (SMBs). The FBI's Internet Crime Complaint Center (IC3) said in its 2020 Internet Crime Report that it handled 19,369 business email compromise (BEC) complaints representing more than €1.8 billion in adjusted losses in the United States for that year.

About the Author: Christopher Budd is the Senior Global Director of Threat Communications at Avast.

BEC attacks primarily use email, but they can also be carried out via SMS messages, voicemail messages, and even phone calls. BEC attacks are notable because they rely heavily on so-called "social engineering" techniques, meaning they use trickery and deception against people. BEC attacks can be very effective, and anyone can fall victim to them, regardless of wealth or sophistication. In February 2020, Barbara Corcoran, the American businesswoman, investor, and judge on the business reality show "Shark Tank," nearly lost €400,000 in a BEC scam. Fortunately, quick action got her money back. But the FBI's statistics show that not everyone is so lucky. Because BEC attacks rely heavily on social engineering, traditional security software doesn't always protect against them. That is why you and your employees play an important role in protecting against them, and why it's important to understand what BEC attacks are and how they work.

How BEC Attacks Work

While there are many ways that BEC attacks can play out, they all boil down to one simple formula: an attacker tries to convince an employee to send money to the attacker by posing as someone the employee trusts. Attackers will often try to stack the odds in two ways. First, they try to make their attack believable through whoever they choose to impersonate. Second, they try to create a sense of urgency so that the intended victim is less likely to question the transaction and less likely to go through the proper payment channels that might detect the scam. Sometimes attackers cleverly combine these two tactics to improve their effectiveness. For example, one type of BEC attack we've seen involves an employee receiving an urgent message from the CEO or another senior manager telling them the employee needs to pay a past-due invoice or buy gift cards for an urgent business event. These messages can arrive over any medium. They could be emails or text messages, but attackers have even used spoofing technology to imitate voicemail messages and calls. An executive in 2019 lost €220,000 (approximately $243,000) in an attack like this when the attackers used voice-spoofing technology to impersonate their CEO. In another type of BEC attack, attackers use fake and compromised email accounts to convince an employee that they are dealing with a legitimate vendor. The attackers may exchange multiple emails with the targeted victim to convince them that they are a real vendor and then send them a fake invoice. This is how the attack on Barbara Corcoran unfolded. A third type of BEC attack targets corporate payrolls. In these cases, the attackers pose as employees and try to trick the company's payroll staff into changing the employee's direct deposit information to the attackers' own bank account. These attacks are more subtle and take longer, but they can be very effective.
In almost all cases, the goal of BEC attackers is to obtain money in one of two ways: electronic funds transfer (including cryptocurrency) or gift cards. While the use of gift cards for an attack like this may be surprising, the attackers found it an easy way to transfer and launder money.
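The formula above (a trusted name, an unusual sender or reply path, urgency, a payout request, and a demand for secrecy) can be turned into a simple mail-side heuristic that flags messages for human verification rather than blocking them. The following is an added example, not code from Avast or from the author; the company domain, the executive roster and the keyword lists are constructed assumptions, and the two sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed company context: real address on file for each executive
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases typical of the three BEC variants described above
URGENCY = ("today", "urgent", "asap", "right away", "immediately")
PAYOUT = ("gift card", "wire transfer", "direct deposit", "invoice", "bitcoin")
SECRECY = ("don't tell", "do not tell", "keep this between", "confidential")


def score_message(raw: str) -> dict:
    """Return the BEC indicators found in one plain-text RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else str(msg.get_payload()).lower()
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    on_file = EXECUTIVES.get(name.strip().lower())
    flags = {
        # Executive's display name, but not the address we have on file
        "exec_impersonation": on_file is not None and addr.lower() != on_file,
        # Claims to be internal but comes from an outside domain
        "external_domain": sender_domain != COMPANY_DOMAIN,
        # Replies silently redirected to a different mailbox
        "reply_to_mismatch": bool(reply) and reply.lower() != addr.lower(),
        "urgency": any(k in body for k in URGENCY),
        "payout_request": any(k in body for k in PAYOUT),
        "secrecy": any(k in body for k in SECRECY),
    }
    flags["score"] = sum(1 for v in flags.values() if v)
    return flags


# Constructed sample modelled on the CEO gift-card scenario in the text
SAMPLE = """From: "Jane Doe" <jane.doe@example-mail.net>
Reply-To: ceo.jane.doe@gmail.example
To: accounts@example.com
Subject: Quick favor

I need you to get 5,000 in gift cards for a birthday party today,
send me the numbers and don't tell anyone.
"""

# Constructed benign message from the real executive address
BENIGN = """From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Agenda

Please see the attached agenda for Monday's meeting.
"""
```

A score of three or more is a reasonable threshold for routing the message to the verification callback the next section describes; the heuristic is a prompt for that human check, not a replacement for it.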

How to protect yourself against BEC attacks

BEC attacks are really old-fashioned fraud attacks using today's technology; we saw this type of scam long before there were emails or voicemail messages. Since these are not technology-based attacks, technology-based solutions will not be as effective against them as they are against, for example, ransomware. A well-crafted BEC email is hard for security software to distinguish from a legitimate email, especially if it comes from the real but compromised account of someone you trust. This means that protecting against BEC attacks should focus on two things: you and your employees. First, educate yourself and your employees about BEC attacks. Learning to be suspicious when an unexpected email arrives from the CEO saying "I need you to get €5,000 in gift cards for a birthday party today, send me the numbers and don't tell anyone" goes a long way toward preventing such attacks. Second, reinforce the importance of verifying payment requests and following established rules for paying bills, changing direct deposit information, and purchasing and sending gift cards. For example, tell employees that they must call the employee or vendor requesting payment. Make sure they know to use the number you have on file, and to verify that the bill or request is legitimate before doing anything else. Emphasize that even if the requests appear to be coming from high-level people in your company, employees should always check. Attackers try to convince targeted victims to keep these attacks secret to increase their chances of success, and they take advantage of employees' reluctance to question those in charge. Make it clear that employees can and should raise concerns in situations like this. Ultimately, BEC attacks succeed because the attackers trick their victims into believing their deception. Although BEC attacks use technology, they are really just a modern variation on age-old scams and frauds.
Thwarting them therefore means adapting to the new ways these old frauds operate. The good news is that with proper training and education, and by following the proper policies and procedures, you can thwart these attacks. All you need to do is take the time to educate yourself and your employees about these scams, how they work, and the correct way to handle payment requests no matter how they are transmitted.