... Of course not, right? Well, I’m sure the majority – if not all of you – said no. While this may be true, would it surprise you to discover that BEC attacks account for losses that are a massive 64 times worse than ransomware?
Although ransomware tends to dominate the cybercrime headlines, losses attributed to such extortion attempts are dwarfed by business email compromise (BEC) and email account compromise (EAC).
The FBI 2020 cybercrime report shows BEC attacks grew by 37% in 2019, accounting for 40% of all cybercrime losses over the course of the year. This indicates that BEC scams have evolved into a predominant cyber threat that all businesses face today.
None of the victims in these incidents intentionally handed over their business's money to criminals; instead, they were tricked by this rapidly expanding scam.
In their most rudimentary form, BEC scams rely on executives – usually chief executive officers or chief financial officers – being tricked via social engineering or phishing into carrying out fake wire transfers. Attackers usually impersonate other high-level executives and business contacts to deceive victims.
According to an International Business Times report, Southern Oregon University lost $1.9 million in a BEC scheme. The money was intended to pay a contractor for his work on the university’s McNeal Pavilion and Student Recreation Centre. Fraudsters posing as the contractor used a fraudulent email account to trick an employee into wiring the funds to their account.
Here are two of the online tools BEC attackers use to target their victims:
Spoofing email accounts and websites: Slight variations on legitimate addresses (email@example.com vs. firstname.lastname@example.org) fool victims into thinking fake accounts are authentic. The criminals then use a spoofing tool to direct email responses to a different account that they control. The victim thinks he is corresponding with his CEO, but that is not the case.
Spear-phishing: Bogus emails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC perpetrators.
1. Poorly crafted emails with spelling and grammar mistakes, including a note indicating the email was sent from a mobile device (e.g. iPhone, iPad, Android, etc.) to convince the recipient the mistakes can be ignored.
2. The wrong or an abbreviated signature line for the supposed sender.
3. The use of full names instead of nicknames, and a language structure that may not match how the supposed sender normally communicates.
4. The only way to contact the sender is through email. In some cases, the emails appear to be timed to correspond with times the senior official is out of the office.
5. The transactions are for a new vendor or new contract.
6. Internal warning banners that indicate the email is spam, spoofed, or from an external source.
Craft a policy for identifying and reporting BEC and similar phishing email scams. Make sure to include the following:
1. When receiving unusual financial or sensitive data requests, users should verify the identity and authority of the email sender via standard (non-email) channels.
2. Users should “hover to discover” to ensure that the email is going to the correct person. The true recipient of an email can often be verified by hovering the mouse over the address in the email header.
3. Users should reply by forwarding rather than by hitting the “reply” button; this helps to prevent successful spoofing attacks.
4. Users should report suspicious emails to security staff.
5. Train all executive staff as well as employees in the finance and human resource departments to identify potential BEC scam emails and follow the suspicious email policy.
6. Implement filters at your email gateway to filter out emails with known phishing attempt indicators and block suspicious IPs at your firewall.
7. Flag emails from external sources with a warning banner.
8. Report BEC scams. Tax-related suspicious emails should be reported to the relevant tax authority.
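
The following Python is an added example, not part of the original article. It checks one message for three of the indicators described above: an external sender (the warning-banner case), a sender domain that is a slight variation on the legitimate one, and a Reply-To header that directs responses to a different domain. The domains `corp.example`, `c0rp.example` and `freemail.example`, the function names and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: CEO <ceo@c0rp.example>\n"
    "Reply-To: ceo.office@freemail.example\n"
    "Subject: Urgent wire transfer\n\nSent from my iPhone\n"
)
INTERNAL = "From: CFO <cfo@corp.example>\nSubject: Q3 numbers\n\nSee attached.\n"

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw_message, org_domain=ORG_DOMAIN):
    """Return the indicators found in one RFC 5322 message, in check order."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    found = []
    if from_dom != org_domain:  # exact match only: subdomains count as external
        found.append("external-sender")  # candidate for a warning banner
        if 0 < edit_distance(from_dom, org_domain) <= 2:
            found.append("lookalike-domain")  # slight variation on the real domain
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-redirect")  # replies would go to another domain
    return found

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(name, bec_indicators(raw))
```

These checks only look at headers; they complement, and do not replace, verifying unusual payment requests through a non-email channel.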