October 20, 2023
Business email compromise (BEC) is a method cybercriminals use to make money. It is a social engineering attack that relies on psychological manipulation and deceptive tactics to defraud victims. However, with awareness, training, and the right preventative measures in place, organizations can significantly reduce their risk of falling victim to these costly swindles. Maintaining a skeptical mindset, verifying requests, and prioritizing cybersecurity in business operations are crucial.
BEC works because messages sent from a genuine, compromised email account are trusted. Once cybercriminals gain access to an account, they study the owner’s behavior and imitate their communications. The end goal is typically unauthorized access to another business email account or defrauding the company, its employees, clients, or partners for monetary gain.
BEC usually begins with cybercriminals compromising legitimate email accounts. Because the messages then come from a trusted address, the cybercriminals need no technical tricks such as spoofing or look-alike addresses, and the messages pass automated security controls. These emails often lack the familiar signs of fraud, making them appear legitimate to employees.
The cybercriminals closely analyze the account owner’s communication patterns and mimic their legitimate style to exploit the trusted relationships between service providers, customers, and other business associates.
Types of BEC Attacks
- Credential theft: Employees are tricked into entering their credentials on a fake website. Phishing sites usually resemble tools used at work, such as DocuSign, Microsoft, or Adobe login prompts, and may also imitate multifactor authentication prompts.
- CEO fraud: Cybercriminals impersonate senior executives, often the CEO, to request financial transfers.
- Fake invoice scheme: Suppliers’ emails are compromised and used to send fake invoices.
- Attorney impersonation: Cybercriminals pretend to be lawyers or legal firms to obtain confidential data.
- Data theft: HR personnel are targeted to extract employees’ personal data.
Factors Contributing to the Success of BEC Attacks
- Social engineering: Cybercriminals use skillful manipulation of human behavior to appear genuine.
- Trust relationships and processes: Unlike other phishing attacks, BEC scams are tailored, using specific knowledge about individuals, businesses, and their processes.
- Sense of urgency and duty: The trust employees place in colleagues, and their wish to provide good service promptly, is manipulated.
- Lack of training: Employees may not be aware of the threat and fail to recognize the signs, especially when the email seems to be from a “real colleague.”
Protecting Your Business from BEC
- Be skeptical and confirm communication requests on all platforms! Verify the legitimacy of suspicious emails or other communications by contacting the sender directly using a phone number you already know, not one supplied in the message.
- Multi-factor authentication (MFA): Implement multiple verification methods before granting access to accounts.
- Advanced email security: Employ email filtering solutions that detect abnormal behavior and quarantine phishing and spoofing emails.
- Regularly monitor accounts: Monitor business email accounts for any irregular or suspicious activity using behavioral email monitoring tools.
- Verification procedures: Establish a multi-person approval process for financial transactions or changes to HR information above a certain dollar threshold.
- Employee training: Regularly educate employees about the dangers of BEC attacks, phishing, and psychological manipulation through social engineering.
- Be cautious with public and personal information: Minimize the availability of your company’s hierarchy and roles online to make it harder for hackers to craft believable scams. Avoid posting email addresses, phone numbers, and personal details publicly on social media.
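As an added illustration of the verification-procedure and callback controls above (example code written for this page, not from the original post): a small policy check that refuses a payment above the threshold or a bank-detail change unless two distinct approvers other than the requester signed off and the callback went to the number on file, never to a number supplied in the email. The threshold, the vendor record, and all field names are assumptions.

```python
"""Approval-policy check for BEC-sensitive requests (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

APPROVAL_THRESHOLD_USD = 10_000  # assumed policy threshold for payments

# Constructed vendor master record. The callback number is taken from here,
# never from the email that made the request, so a compromised supplier
# mailbox cannot redirect the verification call to the attacker.
VENDOR_DIRECTORY = {
    "acme-supplies": {"phone": "+1-555-0100", "iban": "GB00ACME0000000001"},
}


@dataclass
class Request:
    kind: str                      # "payment" or "bank_detail_change"
    vendor: str                    # key into VENDOR_DIRECTORY
    amount_usd: float
    requester: str                 # employee who raised the request
    approvers: List[str] = field(default_factory=list)
    callback_number_used: Optional[str] = None  # number actually dialled


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Reasons is empty when approved."""
    reasons: List[str] = []
    sensitive = (req.kind == "bank_detail_change"
                 or req.amount_usd >= APPROVAL_THRESHOLD_USD)
    if not sensitive:
        return True, []  # routine request: normal single-person handling

    # Multi-person approval: the requester may not approve their own request.
    distinct = {a for a in req.approvers if a != req.requester}
    if len(distinct) < 2:
        reasons.append("needs two distinct approvers other than the requester")

    # Out-of-band verification against the number on file.
    record = VENDOR_DIRECTORY.get(req.vendor)
    if record is None:
        reasons.append("vendor not in master record")
    elif req.callback_number_used != record["phone"]:
        reasons.append("callback not made to the number on file")

    return (not reasons), reasons
```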