A single instance of a successful cyberattack can significantly affect a company. Especially for fledgling start-ups, lapses in cybersecurity can mean the demise of the entire operation. In 2019, the cost of cybercrime amounted to a whopping $3.5 billion. This figure rose substantially as COVID-19 ravaged the whole globe in 2020.
Over the last few years, Business Email Compromise (BEC) attacks have become a major concern for corporations around the globe. Since 2015, instances of BEC schemes have been rising at a rate of 2370% every year. The first step in protecting your digital assets from malicious actors is learning the types of cyberattacks and corporate cybersecurity risks you should be prepared for. This article explores Business Email Compromise attacks, including the different types, examples of successful BEC incidents, and the best practices to safeguard your operation.
What is a BEC or Business Email Compromise Attack?
Business Email Compromise attacks, or BEC attacks, primarily use social engineering and manipulation tactics to trick business owners and employees into surrendering sensitive information or transferring funds into a malicious actor’s personal bank account.
This type of attack unfolds in three stages. At the onset, hackers initiate an email conversation with a key person inside the corporation. Usually, the exchange has something to do with an urgent financial concern involving a third-party contractor. Once they establish trust, the hackers push the targeted employee into actions that compromise the operation.
Business Email Compromise attacks are similar to phishing emails in that they rely primarily on manipulation. Nevertheless, BEC incidents are often one of a kind. This cybercrime requires a level of research and expertise. Often, the email doesn’t contain any malicious links or attachments. The primary goal is to trick the receiver into thinking that the message is legitimate. Moreover, hackers are willing to play the long game, with correspondence sometimes spanning several months.
What are the Different Types of Business Email Compromise Attacks?
The FBI has identified five common types of BEC attacks companies should be wary of. Amongst the most widespread threats are:
- Bogus Invoicing
This form of BEC threat often targets companies that correspond with foreign suppliers. In this ruse, hackers pretend to be third-party suppliers from overseas. They send invoicing requests which, once fulfilled, send the funds directly to the fraudster’s bank accounts.
- C-Level Fraud
Similar to bogus invoicing scams, CEO fraud involves hackers pretending to be high-level executives from a partner company. The email is intended to extort funds from the target operation. Often, the finance department is the target of these fraudsters. They use terms such as “request” and “urgent” in order to hasten the process and to fly under the radar.
- Compromised Accounts
This type of BEC incident uses some level of tech know-how to gain access to an executive’s legitimate email account. Once they have control of the email account, the hackers send invoice payment requests to the third-party contractors listed in the account’s contact list.
- Legal Fraud
In this case, attackers pretend to be legal representatives in charge of the company’s internal legal proceedings. The goal of this scam is to retrieve information that threat actors can use against the business at a later date. Usually, these fake requests come in towards the end of the day, so employees do not question their decision to send sensitive information.
- Data Theft
Similar to legal fraud scams, data theft schemes are long games. They target employees in the HR department to obtain sensitive information like tax statements. The data they procure is then used for future attacks.
Examples of BEC Attacks
Over the last few years, high-profile BEC attacks have made the front pages of several news publications. In 2020, instances of Business Email Compromise threats centered on the COVID-19 pandemic reached an all-time high. At the onset of the spread of the virus, plenty of malicious actors took advantage of the uncertainty and misinformation about the pandemic. One unnamed company fell victim to hackers who pretended to be a supplier requesting payments to a new account created due to the Coronavirus outbreak.
It seems like no company is safe from BEC attacks, even those in the non-profit sector. In the middle of 2021, Treasure Island, a San Francisco-based charity focusing on homelessness, struggled after falling for a BEC scam. The non-profit lost a whopping $625,000 after hackers gained access and manipulated a legitimate invoice used by Treasure Island. Unfortunately, the non-profit didn’t have cybercrime insurance to cover their losses.
Preventing BEC Attacks
Again, BEC attacks can be difficult to detect because they often do not contain code that might alert antivirus software. When it comes to BEC threats, prevention is better than cure. Below are three simple ways to safeguard your operation from this type of attack:
- Be Aware of Common BEC Incidents
Knowing the most common ways hackers employ the BEC scam is your best bet in preventing and mitigating the damage. It can be difficult to pinpoint these attacks since they are one of a kind. However, they share similar attributes, including a false sense of urgency and an unprofessional email and domain.
- Train your Staff
As with most cybersecurity risks, your staff can be your biggest ally or your most significant threat. Providing them with enough information to spot BEC scams can help prevent your company from succumbing to them.
- Employ the Use of VPNs and Multi-factor Authentication
At their core, BEC threats aren’t the most technically sophisticated. Often, multi-factor authentication and VPNs are enough to prevent hackers from gaining access to legitimate accounts.
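The shared attributes named under "Be Aware of Common BEC Incidents" (urgency wording, an off-looking sender domain) and the "new account" pretext from the examples above can be checked mechanically when triaging mail. The following Python is an added example, not code from the original article or from SecureBrain; the trusted-domain list, keyword patterns, 0.85 similarity threshold, the Reply-To comparison and the sample message are assumptions made for illustration, and it assumes plain-text, single-part messages.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of suppliers the finance team already pays.
TRUSTED_DOMAINS = {"northwind-supply.example"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(new (bank )?account|updated bank details|wire transfer)\b", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_lookalike(domain):
    """True when domain is close to, but not equal to, a trusted domain."""
    return any(domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.85
               for t in TRUSTED_DOMAINS)

def bec_flags(raw_message):
    """Return the list of BEC warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    sender, reply_to = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = []
    if URGENCY.search(text):
        flags.append("urgency")
    if PAYMENT_CHANGE.search(text):
        flags.append("payment-change")
    if is_lookalike(sender):
        flags.append("lookalike-domain")
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample message (not a real email): note "suppiy" vs "supply".
SUSPICIOUS = """\
From: Accounts <billing@northwind-suppiy.example>
Reply-To: billing@freemail.example
To: finance@yourcompany.example
Subject: URGENT: invoice 4471

Due to the outbreak we have opened a new account. Please pay today.
"""

if __name__ == "__main__":
    print(bec_flags(SUSPICIOUS))
```

A message that raises any of these flags is a candidate for out-of-band verification with the supplier before payment, not proof of fraud on its own.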
Business Email Compromise attacks are generally unknown to individuals outside of the cybersecurity industry. However, they are as much a threat as well-known forms of cybercrime. An added layer of protection is crucial to protecting your digital assets from this specific form of attack.
We at SecureBrain specialize in providing supplementary cybersecurity measures for businesses of all scales. Through our tried-and-tested products, you can ensure that BEC attacks don’t fly under the radar. Learn more about what we have to offer, and contact us today.