Business Email Compromise (BEC), also known as whaling or CEO fraud, is an elaborate email scam in which fraudsters use social engineering tactics to prey on businesses and senior company executives to carry out fraud. Each BEC attack focuses on either getting access to a business email account or faking a legitimate one. The motive is usually to send fraudulent emails to employees, executives, or important business partners in order to take advantage of the victim, hijack company information, and steal large sums of money.
According to the Federal Bureau of Investigation, BEC scams are continuing to grow and evolve. Between December 2016 and May 2018, there was a 136% increase in identified successful attacks. The attacks were recorded in all states of the US and in 150 countries in total.
The FBI’s annual Internet Crime Report shows that Internet-enabled theft, fraud, and exploitation were responsible for $2.7 billion in financial losses in 2018, and the most financially costly complaints involved business email compromise. Email fraud was the leader in terms of cost, with phishing, spear phishing, and gift card scams being the most common forms of email attack. Additionally, the total number of complaints rose to 1.5 million, 351 thousand of which were filed in 2018 alone.
Looking at these numbers, it becomes evident that BEC is still on the rise, has a serious impact on business, and remains a very successful form of email fraud, making it one of the most dangerous threats to email security.
Why is Business Email Compromise (BEC) so Dangerous and Successful?
BEC attacks are social engineering attacks, and as such they rely on the human factor to succeed. That human factor is the same at every level of the company, but the damage is far more significant at the top: BEC attacks often target senior executives, preferably CEOs and CFOs, or personnel directly involved with finances and expenditure. Usually, a BEC scam targets businesses that work with foreign suppliers and/or businesses that frequently use wire transfer payments. The most common type of attack comes in the form of a fake invoice scam, impersonation of a lawyer or an accountant, or impersonation of a higher-ranking employee, namely a CEO or CFO.
For that very reason, the hackers behind BEC attacks work patiently and carefully to develop a highly detailed attack that cannot easily be detected, even by the most vigilant executives.
In essence, people have an innate desire to trust the sender, which is why they will often click or perform the requested action without checking the validity of the request or the legitimacy of the sender’s email address.
When truly examining the nature of BEC attacks, it becomes evident that the main reasons why they are still thriving are a combination of two things:
- The increasing sophistication of the attacks themselves and the victims that are targeted - the attackers will investigate which individuals have authority in financial transactions involving large sums of money.
- The tendency of human beings to rely on the “normal” behavior of people and corporations, that is, assuming the legitimacy of what they receive and not being careful enough in validating the source of the information (namely, the email header).
How to Protect Against Business Email Compromise BEC Attacks?
- Train your employees about the risks of BEC attacks and, most importantly, teach them how to recognize suspicious and malicious emails: check sender email addresses and cross-reference them against the company’s directory, and verify the personal information, signatures, and communication style of executive officers.
- Never reply to suspicious emails; immediately contact your IT department to report the situation.
- Develop contingency plans as response methods to BEC attacks.
- Develop security controls and processes within the company that require several people to authorize important operations such as wire transfers and sensitive data handling.
- Conduct assessments of each executive’s digital footprint to make sure no account has been taken over.
- Your company should set up an email gateway to screen incoming emails for keywords traditionally used in fraudulent communications, such as payment, immediate, urgent, sensitive, and secret.
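The last three controls above (cross-referencing sender addresses against the company directory, validating the email header, and screening for urgency keywords at the gateway) can be combined into a single inbound screening rule. The following is an added example written for this article; it is not code from AnubisNetworks or its products. The executive directory, the company domain, the scoring weights, the quarantine threshold, and both sample messages are constructed for the example, and a real deployment would pull the directory from the corporate identity store instead of a hard-coded dictionary.

```python
"""Toy BEC screening filter for inbound mail (added example, not AnubisNetworks code).

Everything below that looks like company data (directory, domains, weights,
sample messages) is constructed for the example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed stand-in for the company directory the article says to cross-reference.
EXECUTIVE_DIRECTORY = {
    "jane doe": "jane.doe@example.com",   # CEO
    "john roe": "john.roe@example.com",   # CFO
}
COMPANY_DOMAINS = {"example.com"}

# Keywords the article names as typical of fraudulent requests.
URGENCY_KEYWORDS = ("payment", "immediate", "urgent", "sensitive", "secret")

# Scoring weights and threshold are assumptions of this example, not an industry standard.
WEIGHTS = {"display_name": 3, "lookalike_domain": 3, "reply_to_mismatch": 2, "keyword": 1}
QUARANTINE_THRESHOLD = 5


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (a '1' standing in for an 'l')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw: str) -> dict:
    """Score one raw RFC 5322 message and return the findings plus a deliver/quarantine verdict."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings, score = [], 0

    # 1. Display-name impersonation: the name is an executive's, the address is not theirs.
    expected = EXECUTIVE_DIRECTORY.get(display_name.strip().lower())
    if expected and expected != address:
        findings.append(f"display name '{display_name}' belongs to {expected}, sender is {address}")
        score += WEIGHTS["display_name"]

    # 2. Lookalike domain: an external domain within two edits of a company domain.
    if domain and domain not in COMPANY_DOMAINS:
        for legit in COMPANY_DOMAINS:
            if edit_distance(domain, legit) <= 2:
                findings.append(f"sender domain {domain} resembles company domain {legit}")
                score += WEIGHTS["lookalike_domain"]

    # 3. Reply-To pointing somewhere other than the visible sender (header validation).
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != address:
        findings.append(f"Reply-To {reply_to} differs from From {address}")
        score += WEIGHTS["reply_to_mismatch"]

    # 4. Keyword screen over subject and plain-text body, the gateway rule the article describes.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}".lower()
    hits = [k for k in URGENCY_KEYWORDS if re.search(rf"\b{k}\b", text)]
    score += WEIGHTS["keyword"] * len(hits)

    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": score, "findings": findings, "keyword_hits": hits, "verdict": verdict}


# Constructed sample: CEO display name, lookalike domain, external Reply-To, urgent wire request.
SUSPICIOUS_MESSAGE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: jd.ceo@mail-example.net\n"
    "To: accounts@example.com\n"
    "Subject: Urgent wire payment\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "I need an immediate wire transfer processed today. Keep this confidential.\n"
)

# Constructed sample: a routine internal message from the real CFO address.
LEGITIMATE_MESSAGE = (
    "From: John Roe <john.roe@example.com>\n"
    "To: accounts@example.com\n"
    "Subject: Q3 budget review notes\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Attached are the notes from yesterday's meeting.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, screen_message(raw))
```

The keyword screen alone is the weakest of the four signals, since legitimate finance mail also says "payment" and "urgent"; in this example it only adds one point per hit, while the header checks that the article asks employees to perform by hand carry most of the weight. Running the block prints a score of 11 and a quarantine verdict for the constructed suspicious message and a score of 0 for the legitimate one.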
Business email compromise is an email attack that is here to stay and, although BEC scams seem difficult to detect, several steps can be taken in the right direction, namely by using specialized security technology such as advanced email security software.
Author: Carla Barata
Marketing Manager at AnubisNetworks. Carla has extensive experience in marketing, public relations, social media, and events in the IT sector. Most importantly, she is an evangelist of Email Security solutions at AnubisNetworks. She likes "bringing the good news" and helping companies stay safe against the most recent and advanced cyber threats.