Business Email Compromise (BEC) is a type of scam that targets companies which conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives or high-level employees involved in finance or wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks, and are then used to request fraudulent transfers, resulting in hundreds of thousands of dollars in losses. In 2016, BEC attacks led to an average of US$140,000 in losses for companies globally.
Formerly dubbed Man-in-the-Email scams, BEC attacks rely heavily on social engineering to trick unsuspecting employees and executives. Often, the attackers impersonate the CEO or another executive authorized to approve wire transfers. Fraudsters also carefully research and closely monitor their potential victims and the victims' organizations.
A BEC attack is a sophisticated scam that targets businesses and individuals who perform wire transfer payments. Unlike regular email scams that are distributed to thousands or millions of users, BEC attacks are carefully planned and highly targeted.
Types of BEC Attack:
The Bogus Invoice Scheme
Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
CEO Fraud
Attackers pose as the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control.
Account Compromise
An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
Attorney Impersonation
Attackers pretend to be a lawyer or someone from a law firm supposedly in charge of crucial and confidential matters. Such bogus requests are normally made by email or phone, and typically at the end of the business day, when the target is under time pressure and has fewer colleagues to consult.
Data Theft
Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used in future attacks.
How to prevent business email compromise attacks:
Training
A company’s employees are the first and most important line of defense against BEC attacks. Training staff to recognize the signs of a scam can go a long way toward reducing the risk of compromise and preventing fraud.
While BEC attacks tend to focus on the C-suite and other higher-ups with financial authority, the initial point of entry can happen at any level of a company. As such, it’s important that staff receive regular training on how to identify and respond to BEC attacks.
Prevent attackers from gaining initial access to a corporate email account
To carry out a BEC scam, attackers first need to gain access to a company email account. Preventing this initial point of compromise is critical for stopping BEC attacks.
Here are some common ways attackers use emails to gain access to corporate email accounts:
Domain name spoofing
Commonly used in BEC attacks and other phishing scams, domain name spoofing involves forging the sender's address so that an email appears to have been sent by someone else. This is surprisingly easy to do: SMTP itself does not verify the From header, so all the attacker needs is a mail server or script that lets them set an arbitrary sender address, and the forgery will be accepted unless the receiving domain checks SPF, DKIM and DMARC. The attacker may use domain name spoofing to convince an employee to divulge their email login credentials in order to gain access to their email account.
To check for domain name spoofing, view the message headers (the "source" of the email). A Reply-To address whose domain differs from the From address is a common sign, since replies to the spoofed message then go to the attacker rather than to the person being impersonated. Also compare the Return-Path (the envelope sender recorded by the receiving mail server) with the From address, and look at the Authentication-Results header your mail server adds: a message whose From address claims your own domain but fails SPF, DKIM or DMARC should be treated as spoofed. A mismatch in any of these fields does not prove fraud on its own (mailing lists and marketing platforms legitimately set a different Reply-To), but any payment request showing one should be verified through a channel other than email before it is acted on.
Display name spoofing
Attackers commonly use display name spoofing to impersonate someone within the target company. This can be accomplished by simply registering a free email account and changing the display name to the same name as a trusted business contact, such as a high ranking executive. The attacker hopes that the recipient will look at the display name without checking the email address, and will consequently perform the request, engage in dialogue or open a malicious attachment.
Display name spoofing is not caught by verification technologies such as DMARC, DKIM, and SPF (more on those later), because the message genuinely comes from the account it claims to come from: the free mail provider's domain passes all three checks. The simple solution here is to encourage staff to check the sender's email address and not rely solely on the display name.
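The header checks described for domain name spoofing and display name spoofing above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article: it parses a raw message with Python's standard library, flags a Reply-To or Return-Path whose domain differs from the From domain, flags mail that claims the corporate domain without a DMARC pass, and flags a From display name that matches a known executive but is attached to a different address. The corporate domain (`example.com`), the executive directory, and the three sample messages are all constructed for the example; `example.net` stands in for a free webmail provider and `example.org` for the attacker's own server.

```python
"""Header checks for BEC triage: Reply-To / envelope mismatch, failed
authentication on the corporate domain, and display-name spoofing."""
import email
import re
from email.utils import getaddresses, parseaddr

# Assumptions for this example: the organisation's own domain and a small
# directory mapping executives' display names to their real addresses.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", hdr, re.I):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def check_message(raw):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Reply-To points outside the From domain: replies go to the attacker.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if reply and _domain(reply) != from_dom:
            findings.append(("reply_to_mismatch", f"{reply} != {from_addr}"))

    # 2. Envelope sender (Return-Path, set by the receiving MTA) differs from From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_dom:
        findings.append(("envelope_mismatch", f"{return_path} != {from_addr}"))

    # 3. Mail claims our own domain but did not pass DMARC: domain spoofing.
    verdicts = _auth_results(msg)
    if from_dom == CORP_DOMAIN and verdicts.get("dmarc") != "pass":
        findings.append(("dmarc_not_pass", f"dmarc={verdicts.get('dmarc', 'none')}"))

    # 4. Display name matches an executive but the address is not theirs.
    #    SPF/DKIM/DMARC all pass in this case, so only this check catches it.
    key = " ".join(from_name.split()).lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append(("display_name_spoof", f"'{from_name}' from {from_addr}"))

    return findings


# Constructed sample messages (not real traffic).
SPOOFED_DOMAIN = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@example.org>
Return-Path: <bounce@example.org>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.org;
 dkim=none; dmarc=fail header.from=example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

SPOOFED_DISPLAY_NAME = """\
From: Jane Doe <janedoe.ceo@example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net;
 dkim=pass header.d=example.net; dmarc=pass header.from=example.net
Subject: Are you at your desk?

Need a quick favour, are you available?
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Board deck

Draft attached for review.
"""

if __name__ == "__main__":
    for label, sample in [("spoofed domain", SPOOFED_DOMAIN),
                          ("spoofed display name", SPOOFED_DISPLAY_NAME),
                          ("legitimate", LEGITIMATE)]:
        print(label, check_message(sample) or "no findings")
```

The second sample is the display-name case: every authentication verdict is `pass`, because the free-mail provider really did send it, and only the directory lookup on the display name raises a finding. Treat the output as a reason to verify out of band, not as proof of fraud on its own.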
Phishing attacks
Attackers will often use traditional phishing techniques to gain initial access to an email account. As such, staff should be wary of emails that create a sense of urgency. Phishing emails are usually worded to hit certain psychological triggers and compel the recipient to take immediate action. According to the security awareness training company KnowBe4, the most-clicked general phishing email subject lines in Q2 2019 were:
Password Check Required Immediately
De-activation of [[email]] in Process
Urgent press release to all employees
You Have A New Voicemail
Back Up Your Emails