What is Business Email Compromise (BEC)?
Email fraud involving companies is a rampant and global problem. According to the Federal Bureau of Investigation (FBI), cybercriminals stole $12.5 billion worldwide from businesses between October 2013 and May 2018 by compromising their official email accounts and using them to initiate fraudulent wire transfers.[1] The Internet Crime Complaint Center (IC3) and the FBI are asking individuals to be aware of a cunning scam targeting businesses that work with foreign suppliers. Essentially, your company needs to be on high alert and protected from these online cons. MxToolbox is here to help.
What Is Business Email Compromise?
The FBI officially defines business email compromise (BEC) as “a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments.” Formerly known as man-in-the-email scams, these schemes compromise official business email accounts to conduct unauthorized fund transfers.
Undeniably, there has been a significant increase in computer intrusions linked to BEC scams in recent years, specifically cons in which fraudsters impersonate high-level executives, send phishing emails from seemingly legitimate sources, and request wire transfers to alternate, fraudulent accounts. These methods ultimately give the fraudster unrestricted access to the victim’s credentials and mailbox. A scary thought for your company, no doubt.
How Do BEC Attacks Work?
BEC scams often begin with an online fraudster compromising a business executive’s email account or any publicly listed email address they can get their hands on. This is usually done using keylogger malware or phishing methods—where attackers register a domain that looks similar to the target company’s—or spoofed email that tricks the target victim into providing account details. While monitoring the compromised email account, the cybercriminal will try to determine who initiates wires and who requests them. The scammers often perform a fair amount of research, looking for a company that has had a change in leadership in the C-suite or the finance function, companies whose executives are traveling, or executives who are busy leading an investor conference call. The perpetrators recognize and use these as opportunities to execute the scheme.
BEC scams have five versions:
- Bogus Invoice Scheme/Supplier Swindle: Cybercriminal compromises employee email ► Compromised account used to send notifications to customers ► Payments transferred to cybercriminal’s account ► Cybercriminal receives money
- CEO Fraud: Cybercriminal poses as company executive and emails finance employee ► Finance sends funds to cybercriminal’s account ► Cybercriminal receives money
- Account Compromise: Compromised employee account used to request money ► Recipients transfer payments to cybercriminal’s account ► Cybercriminal receives money
- Attorney Impersonation: Cybercriminal poses as lawyer and emails finance employee ► Finance sends funds to cybercriminal’s account ► Cybercriminal receives money
- Data Theft: Cybercriminal compromises employee email ► Compromised account used to request PII of other employees/executives ► PII sent to cybercriminal’s account ► Cybercriminal receives PII, uses it for further compromise attacks
DMARC – Defending Against BEC Scams
To keep BEC scams from infiltrating your business, DMARC is your friend. The DMARC protocol essentially answers the question: What should happen to messages that fail authentication tests (SPF and DKIM)? Quarantine them, reject them, or deliver them anyway and only report (p=none)? With this helpful tool implemented and correctly configured with an enforcing policy, your company will have an advantage over BEC attacks. Moreover, your colleagues, employees, and customers will be safeguarded against fraudulent messages that spoof your own domain. Note that DMARC is a defense against exact-domain spoofing; it does not stop mail sent from a look-alike domain or from a genuinely compromised account, which is why the staff training below still matters.
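To make the policy question concrete, here is an added example (not code from the MxToolbox article or its products) that parses a published DMARC TXT record, reports the disposition a receiving server applies to a message failing both SPF and DKIM alignment, and lists settings that still leave spoofed mail deliverable. The record strings and the example.com address are constructed for illustration.

```python
# Added example: parse a DMARC record, apply it to an authentication result,
# and flag weak settings. Record strings below are constructed, not real DNS.

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("pct", "100")      # share of failing mail the policy covers
    tags.setdefault("adkim", "r")      # relaxed alignment unless set to 's'
    tags.setdefault("aspf", "r")
    return tags

def disposition(tags, spf_aligned_pass, dkim_aligned_pass, subdomain=False):
    """Return 'deliver', 'none' (deliver, report only), 'quarantine' or 'reject'."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"               # DMARC passes if either aligned check passes
    return tags["sp"] if subdomain else tags["p"]

def findings(tags):
    """Defender's checklist: settings that leave spoofed mail deliverable."""
    out = []
    if tags["p"] == "none":
        out.append("p=none: failures are only reported, never blocked")
    if tags["sp"] == "none":
        out.append("sp=none: subdomains can still be spoofed")
    if int(tags["pct"]) < 100:
        out.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        out.append("no rua=: aggregate reports will never arrive")
    return out

# Constructed records: a monitor-only deployment and a hardened one.
WEAK = "v=DMARC1; p=none; pct=50"
HARDENED = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
```

Running `disposition(parse_dmarc(WEAK), False, False)` returns `none`, meaning a spoofed message is still delivered, while the hardened record returns `reject`.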
Aside from achieving DMARC compliance, businesses are advised to stay vigilant and educate staff on how to prevent being victimized by BEC scams and other similar attacks. Cybercriminals don’t discriminate; therefore, they don’t care about your company’s size—the more businesses they scam, the better. Additionally, online fraudsters don’t need to be highly technical as they have access to tools and services that cater to all levels of technical expertise in the cybercriminal underground. Because email is such a vital aspect of business communications, a single compromised account is all it takes to financially damage your company. Here are some tips on how to stay protected and secure:
- Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
- Educate and train staff. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training them according to the company’s best practices. Remind all that adhering to company policies is one thing, but developing good security habits is another.
- Confirm any changes in vendor payment location by using a secondary sign-off by company personnel.
- Stay updated on your customers’ habits, including the details and reasons behind payments.
- Verify requests for transfer of funds by phone as a second factor, calling a known number for the requester rather than any number supplied in the email.
- If you suspect that you have been targeted by a BEC email, immediately report the incident to law enforcement or file a complaint with the IC3.
Conclusion
Unfortunately, cybercriminals are a major threat to your business email. Because they devise malicious social engineering and computer intrusion schemes to fool employees into wiring money, enterprises run a very serious risk of getting scammed via email messages. This emerging global risk is known as business email compromise (BEC), and it has victimized thousands of companies around the world. Thankfully, the DMARC protocol helps secure your company’s email domain and protects against BEC scams that spoof it. By implementing DMARC and educating employees, the impact of online fraudsters and their BEC cons will be reduced. At MxToolbox, our knowledgeable team offers several advantageous tools and services to safeguard your business and increase email deliverability. For the sake of your company, check out our various products.
[1] Information Security Media Group, Corp. https://www.bankinfosecurity.com/fbi-alert-reported-ceo-fraud-losses-hit-125-billion-a-11206