
Don’t Let Your Business Get Hooked: Understanding and Preventing Business Email Compromise (BEC)

Published on August 22, 2024

Don't let your business fall victim to Business Email Compromise! Learn how to safeguard your company from costly email scams with essential cybersecurity measures you can implement right away!

Imagine this scenario: you receive an email from your CEO instructing you to wire a sum of money to a new vendor. The email looks legitimate, with the CEO's signature and the company's logo. But there's one problem—it's not really from your CEO. You've just been targeted by a BEC scam, and your company's finances could be in jeopardy.


BEC attacks are on the rise, posing a severe threat to businesses of all sizes. These scams are focused, sophisticated, well-planned and effective. They lead to substantial financial losses and reputational damage. In this blog post, we’ll break down what BEC is, how cybercriminals execute these scams, the potential impact on your business, and essential cybersecurity measures you can implement to protect your organization.

What is Business Email Compromise (BEC)?

Business Email Compromise (BEC) is a type of cyberattack in which criminals use email fraud to deceive an organization into making a financial transaction or sharing confidential information. Unlike traditional phishing attacks that cast a wide net, BEC attacks are more targeted and often involve detailed research on the victim organization.

Even big players have become victims of this type of attack. For example, in the early days of BEC attacks, between 2013 and 2015, both Google and Facebook were successfully targeted by a fraudster, resulting in around $121 million in losses. The attack involved submitting convincing invoices that led to bank transfers to accounts controlled by the scammer.

No one is off-limits from the attacker’s point of view, as evidenced by the 2018 BEC of Save the Children Federation. The charity was conned into transferring $1 million into a criminal’s bank account. It was a well-researched attack: the hacker had convincing information about the charity’s operations in Pakistan, which was used to legitimize the money transfer.

Examples of BEC Scams:

  • CEO Fraud: A scammer impersonates a company executive and sends an email to an employee requesting an urgent wire transfer, or asking that sensitive information be sent to a “vendor” or “partner.”
  • Invoice Scams: Fraudsters impersonate a known vendor requesting payment for services using a realistic invoice with different banking information.
  • Account Takeover: Cybercriminals gain access to an employee’s email account and use it to send fraudulent emails to contacts, such as vendors or clients, requesting payment or sensitive information.
  • Data Theft: Some attacks go after sensitive information instead of money. They may target finance and HR staff to access data about company employees. Such information can be sold on the dark web or used to plan convincing future attacks.
  • Attorney Impersonation: This attack starts with attackers gaining access to an email account at a law firm. An employee of one of the firm’s clients is targeted by an email which involves a confidential, time-sensitive transaction.

How Do Cybercriminals Carry Out BEC Scams?

BEC scams are meticulously planned and often involve several steps to maximize their chances of success. Here’s a simplified breakdown of how these attacks typically unfold:

1. Reconnaissance: Cybercriminals start by gathering information about the target company. They may research the company’s executives, financial personnel, and even the business’s payment processes through social media, company websites, or other online resources.

2. Email Spoofing or Hacking: The attackers may impersonate an email address using a lookalike domain or exploit security holes in email protocols to spoof a legitimate domain. They may also hack into a real email account within the company.


3. Social Engineering: The criminals craft a convincing, urgent message, even copying the style of the person they’re impersonating. They create a sense of pressure that leads the recipient to act quickly without verifying the request.

4. Execution: The unsuspecting employee follows the fraudulent instructions—be it transferring funds, providing sensitive information, or even changing payroll details.
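As an added example (not code from the original post or from allCare IT), the Python below shows the defender's side of step 2: it holds an inbound message for verification when the sender domain is a lookalike of a trusted domain, or when the Authentication-Results header written by the receiving mail server shows the sender domain did not pass DMARC, which is how a spoofed legitimate domain is caught. The trusted domains, the homoglyph table and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the organization's legitimate sender domains, and a
# small table of character swaps commonly used to build lookalike domains.
TRUSTED_DOMAINS = {"example.com", "example-vendor.com"}
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    # Fold lookalike substitutions so 'examp1e.com' compares equal to 'example.com'.
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a trusted domain signals typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when the domain is not trusted but sits within two edits of a trusted one."""
    if domain.lower() in trusted:
        return False
    return any(edit_distance(normalize(domain), normalize(t)) <= 2 for t in trusted)

def auth_results(raw: str) -> dict:
    """Read the spf/dkim/dmarc verdicts the receiving mail server recorded."""
    header = message_from_string(raw).get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def classify(raw: str) -> list:
    """Reasons to hold the message for out-of-band verification; [] means clean."""
    _, address = parseaddr(message_from_string(raw).get("From", ""))
    domain = address.rsplit("@", 1)[-1]
    reasons = []
    if is_lookalike(domain):
        reasons.append(f"lookalike sender domain: {domain}")
    if auth_results(raw).get("dmarc") != "pass":  # a spoofed real domain fails here
        reasons.append("sender domain not authenticated (dmarc != pass)")
    return reasons

# Constructed sample message, not real mail: a "CEO" writing from a lookalike domain.
LOOKALIKE_MAIL = ("From: CEO <ceo@examp1e.com>\n"
                  "Authentication-Results: mx; spf=pass; dkim=none; dmarc=none\n"
                  "Subject: Urgent wire transfer\n\nPlease wire the new vendor today.\n")
```

In practice this logic runs at the mail gateway or in a mailbox rule, and a non-empty result should route the message to a person who verifies the request by phone or another channel the email did not supply.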

The Impact of BEC on a Business

The consequences of a BEC attack can be devastating. Here are some of the potential impacts:

Financial Loss: BEC scams have cost businesses billions of dollars worldwide. A recent report for the United States alone indicates that annual losses due to BEC have risen from $1.87 billion in 2020 to $2.94 billion in 2023. The financial impact on small businesses can be especially severe, as they may lack the resources to recover from such a loss.


Reputational Damage: Falling victim to a BEC attack can damage your business's reputation. Clients and partners may lose trust in your ability to protect their sensitive information, leading to a potential loss of business.


Operational Disruption: The aftermath of a BEC attack can disrupt business operations as the company investigates the breach, communicates with affected parties, and implements remedial measures.


Cybersecurity Measures to Minimize the Threat of BEC

While BEC attacks are sophisticated, they can be prevented with the right cybersecurity measures in place. Here are some of the best ways you can protect your business:

1. Implement Multi-Factor Authentication (MFA): Strengthen your security by requiring users to verify their identity through a second method, such as a mobile app or fingerprint. This reduces the risk of unauthorized access to email accounts.

2. Train Employees on Cybersecurity Awareness: Regular training sessions can help employees recognize the signs of BEC scams, such as unusual email addresses, unexpected requests, or a sense of urgency. Encourage them to verify any suspicious emails directly with the sender before acting.

3. Keep Your Systems and Software Patched: Cybercriminals exploit known software vulnerabilities to gain access to systems. Keeping software patched with the latest security updates greatly reduces your exposure.

4. Regularly Update Email Security Policies: Ensure that your company has up-to-date email security policies that include procedures for verifying financial transactions and handling suspicious emails.

5. Conduct Penetration Tests: Proactively identify vulnerabilities in your email systems and security protocols. Regularly scheduled testing can help you address weaknesses before they can be exploited.

The Big Takeaway

You may remember the adage "an ounce of prevention is worth a pound of cure." This is certainly true when it comes to the threat of BEC. The danger is real and serious, but it’s one that can be mitigated with proactive cybersecurity measures. By understanding how BEC attacks work and implementing strategies like MFA, cybersecurity training, and penetration testing, your business can significantly reduce its risk of falling victim to these costly scams.

Don’t wait for a BEC attack to hit your organization—take action now. Contact allCare IT to discuss how we can help you implement robust cybersecurity measures, conduct thorough penetration tests, and protect your business from being compromised.