What Is A Business Email Compromise?
Business Email Compromise (BEC) is a type of scam targeting all types of companies via email and is considered a form of targeted phishing or spear phishing attacks. Publicly documented email accounts of executives, high-level employees related to finance, or employees involved with wire transfer payments are often spoofed or compromised with keyloggers or phishing attacks to perform fraudulent transfers. These have resulted in hundreds of thousands of dollars in losses.
In 2016 alone, BEC attacks totaled an average of US $140,000 in losses for companies globally.
This type of scam has become increasingly common in recent years, as hackers have become more adept at spoofing email addresses and crafting convincing messages. Business compromise email scams often target financial institutions or businesses that regularly send large sums of money via wire transfer.
However, any organization can be targeted, and the damages caused by these scams can be significant. In order to protect your business, its important to educate your employees about the dangers of Business Email Compromise scams and implement strict security measures to prevent external emails from being spoofed.
Types of Business Compromise Email Scams
Some of the sample email messages have subjects containing words such as: request, payment, transfer, and urgent. There are five types of BEC scams:
ACCOUNT COMPROMISE
An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
ATTORNEY IMPERSONATION
Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Often these bogus requests are done by email or phone and at the end of the business day.
BOGUS INVOICE
Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments that actually go to an account owned by fraudsters.
CEO FRAUD
Attackers pose as the company CEO or another executive and send an email to employees in finance requesting them to transfer money to the account the fraudster controls.
DATA THEFT
Employees under HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.
Because these scams do not have any malicious links or attachments, they can evade traditional protections. Employee training and awareness can help enterprises spot this type of scam.
Formerly known as Man-in-the-Email scams, Business Email Compromise (BEC) attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. They impersonate the CEO or any executive authorized to do wire transfers. In addition, fraudsters also carefully research and closely monitor their potential target victims and their organizations.
At Castle Technology Partners, we believe in technology that works for you, not against you. We offer Business Email Compromise (BEC) training and cybersecurity training. Reach out to us on our website to request a consultation or call (251) 313-0411 to get started.
