Business Email Compromise (BEC) Scams
A Business Email Compromise, or (BEC) for short, is a type of attack that targets company email. A hacker gains control of a business email and uses that access to request money or data.
The most recent data we have available from April to May shows a 200% rise in BEC scams, and the trend continues to go up. These types of hacking events are on the rise because they result in much higher amounts of money than a normal phishing attack. On average a BEC attack results in 100x greater profit to the criminal than a normal malware attack.
The FBI outlines five types of BEC attacks.
Invoice Scams: An invoice scam could originate with your company, or a vendor you work with. The criminal gains access to a professional email account and uses that access to send an invoice. Sometimes the invoice looks different than usual, but not always. Jack talks about an invoice scam we saw in the Miami Valley where the criminal simply changed the routing number, and let the business send the wire transfer as usual. Watch Jack’s video here.
Account Compromise: Criminals gain access to an executive’s email account and use the address book to request money from business contacts. Once criminals have access to executive email, they will watch traffic as well as read email history. Criminals can hang around in a compromised email for weeks looking for the best way to steal money.
CEO Fraud: Attackers pose as company CEO or other upper level executive, and email employees in the finance department instructing them to transfer funds to an outside account. This can be done by actually gaining access to a CEO’s email, or by using a spoofed email account. Many employees would be hesitant to question a request from the CEO.
Legal Impersonation: Criminals pose as a law firm representing the company with confidential information. This scam is done over the phone, or email, and will typically fall at the end of the workday or week. The criminals in this scam rely on urgency, and confidentiality.
Data Theft: This tactic normally targets Human Resources departments for confidential data instead of money. Criminals will pose as other members of the company and ask for employee information or database access.
All of these methods rely heavily on quality research, and targeted social engineering. These are not blanket phishing emails sent to thousands of email addresses. The criminals know exactly who they are impersonating. They gain access to a business email account through any number of tactics like password reuse, a separate phishing attack, malware, or missing security patches. Once they gain access, they read emails and form a plan for exploitation. Criminals can spend weeks inside the compromised email developing a method of best attack. This is a long, well researched process.
Employee education is the key to prevention, especially in Finance and HR departments. Open communication as well as quality IT Security is the best way to prevent these kinds of attacks. Employees should be encouraged to confirm requests for money, especially if they are out of the ordinary. The criminals first have to gain access to the business email in order to develop this kind of attack. A high quality layered security approach is the best defense against a criminal gaining access to a business email in the first place.
Quanexus IT Support Services for Dayton and Cincinnati
Request your free network assessment today. There is no hassle, or obligation.
If you would like more information, contact us here or call 937.885.7272.
Follow us on Facebook, Twitter and LinkedIn and stay up to date on by subscribing to our email list.
