Business Email Compromise

What are BEC (Business Email Compromise) Scams?

In a BEC scam, an attacker will send a fraudulent email to an employee of an organization, impersonating someone that they should generally trust. For instance, the criminal can pretend to be a boss, colleague, or vendor and ask the recipient to make some changes to banking details, make a wire transfer, or do something else that would ultimately cause harm to the business.

BEC attacks rely on social engineering techniques to trick people. For this reason, they are not as easy to detect as other online crimes that rely on malicious software and URLs. Additionally, since BEC attacks are highly targeted, investigating and remediating the attacks is difficult and time-consuming.

Learn more in our blog: What are BEC (Business Email Compromise) Scams?

How Do BEC Scams Work?

BEC scams can be broken down into 4 key stages. Below, we have mapped out the stages by which an attacker would execute their scam:

1. Picking the right target

Attackers can spend days or weeks canvassing potential targets to identify the right one. They must pick the right person to impersonate to obtain the best results. The reconnaissance covers the entire internet footprint of the target, including social media, messaging platforms, and their geolocation.

2. Setting up the attack

Unlike a mass phishing email, BEC attacks are painstakingly crafted to appear as real as possible. Attackers either use a compromised email account of a trusted third party or try to impersonate a trusted sender with spoofed emails and lookalike domains.

3. Executing the attack

The execution differs from attack to attack. While some attacks use a single email to defraud, many others set up a long chain of correspondence to gain trust. Sometimes, an attacker can even use a Remote Access Trojan (RAT) to download files or malware to infect systems or applications.

4. Covering their tracks

Once the final goal of tricking the intended target is achieved, the attacker will usually receive the fraudulent payment and quickly disperse the money into other accounts to try to cover their tracks and avoid account freezes.

Types of Business Email Compromise Scams

  • CEO fraud: Attacker impersonates a CEO and makes requests for personal data or payments to a specific account
  • Bogus invoice: Attacker sends a fake invoice from a lookalike domain of a partner company or contractor. It requires the attacker to do research on the products and services of a company before sending such emails.
  • Account compromise: Attacker compromises internal email accounts of the company employee and makes requests using the internal email address.
  • Attorney impersonation: The attacker claims to be the lawyer in charge of confidential issues and claims to be from a law firm.
  • Data theft: Human Resources & Accounts department employees are targeted to obtain other employees’ personal information for target enrichment. This can be used in upcoming & more targeted campaigns.

How Can Businesses Protect Themselves from BEC Attacks?

Organizations should leverage multiple forms of defense against BEC attacks to keep up with the growing and evolving landscape. The top five most effective strategies for combating BEC scams include:

  1. Tracking spoofed domains with MX records
  2. Leveraging URL sandboxing
  3. Using SPF, DKIM signatures, and a DMARC policy
  4. Automating detection and takedown of phishing sites
  5. Training your team on spotting BEC scams

Learn more about each strategy in our blog: Best Strategies For Stopping Business Email Compromise (BEC) Scams
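As an added illustration (not code from the original page or from Bolster), the sketch below shows how a mail filter could combine two of the strategies above: checking the SPF, DKIM and DMARC verdicts, and flagging sender domains that are near-misses of a trusted one. The `TRUSTED_DOMAINS` allow-list, the function names and the sample messages are assumptions made for the example, and it assumes the `Authentication-Results` header was stamped by your own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "partner-example.com"}  # assumed allow-list

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_indicators(raw):
    # Returns a list of findings for one raw RFC 5322 message.
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(from_dom, trusted) <= 2:
                findings.append(f"lookalike-domain:{from_dom}~{trusted}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    # Verdicts stamped by the receiving MTA (assumed to be our own, so trusted).
    header = " ".join(msg.get_all("Authentication-Results") or [])
    verdicts = {k.lower(): v.lower() for k, v in
                re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}-not-pass:{verdicts.get(mech, 'missing')}")
    return findings

# Constructed sample messages (not real traffic).
LOOKALIKE = ('From: "CEO" <ceo@examp1e.com>\n'
             'Reply-To: ceo.office@mailbox.example.net\n'
             'Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n'
             '\nPlease use the new account for the transfer today.\n')
SPOOFED = ('From: "CEO" <ceo@example.com>\n'
           'Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\n'
           '\nSend the payment before noon.\n')

if __name__ == "__main__":
    print(bec_indicators(LOOKALIKE), bec_indicators(SPOOFED), sep="\n")
```

The first sample passes SPF, DKIM and DMARC because the sender controls the lookalike domain, so only the domain-similarity and Reply-To checks catch it; the second is caught by the authentication verdicts alone.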

How Can Individuals Prevent Themselves from Falling for a Business Email Compromise (BEC) Scam?

BEC attacks take advantage of human error as opposed to technological vulnerabilities. For this reason, individuals should take measures to prevent being tricked into falling for one of these scams.

1. Double check URLs

Whenever you receive a questionable email, double-check the URL to ensure it’s genuine. If you suspect a URL, try to go directly to the site instead of clicking on the link. If you are unsure, consult your IT department or your managed service provider before acting on the content of the email. You should also refrain from opening attachments forwarded to you over email if you suspect the email is not authentic.

2. Don’t share private information through email

Most emails that request log-in information are fraudulent. Scammers try to appear like someone you know from work or your line of business, to try to convince you to share sensitive information they can use to their advantage.

If you receive an email asking you to share login details or transfer funds, call the person that is supposedly sending the email, or have a face-to-face meeting with them to confirm their request before acting on the information.

3. Use two-factor authentication

Multi-factor authentication adds a layer of protection for your accounts and devices, making it more difficult for a fraudster to gain access. For instance, using biometric authentication in addition to passwords makes it difficult for a criminal to gain access to your devices or accounts even if they manage to get the passwords through social engineering.

4. Review your financial accounts regularly

Although reviewing your financial accounts will not necessarily help you prevent fraud, it might help you catch fraud early on. If you see anything odd, make sure to follow up immediately and report to the relevant authorities as soon as possible.

5. Be aware

One of the simple ways organizations can prevent BEC scams is by educating employees/individuals on the steps above.

However, while it is important to educate and implement good email security practices, organizations should also be proactive about taking down potential threats outside their perimeter that might lead to a BEC attack.

See how Bolster can help proactively defend against phishing and BEC attacks on your employees, customers, and partners. Request a demo today.