Business Email Compromise: A Rising Threat
Labeled a $26 billion scam by the FBI in 2019, Business Email Compromise (BEC) is one of the most pervasive cybersecurity threats facing companies of every size and industry. Interestingly, it does not target only the naive employee; its victims include well-trained executives as well. Let's take a deeper look at what BEC encompasses and how it has managed to plague the cybersecurity landscape for the past several years.
What is BEC?
Business Email Compromise, Email Account Compromise and Man-in-the-Email scams are different names for the same fraudulent scheme, in which cybercriminals get funds wired to accounts they control. Such attacks may combine several techniques, such as computer intrusion, phishing and social engineering, to impersonate a high-level, authorized executive or another stakeholder and trick employees and departments into carrying out fraudulent business transactions.
Such attacks require intricate planning and careful monitoring of the victims and their organizations. In a number of cases, companies that work with out-of-state suppliers are the target: an attacker may pose as a representative of a foreign manufacturer or supplier and request payment to a fraudulent account. In other cases, attackers impersonate a CEO or another high-level executive and ask the finance department to transfer money to their accounts. Beyond money, attackers can also target HR to gather employee data that can be used to carry out further attacks in the future.
What makes BEC attacks so hard to contain is that traditional security measures rarely detect them: the messages carry no malicious attachments or links that would raise red flags. This is why such attacks have kept rising despite increasing security awareness. However, the increase in the rate of BEC indicated by the statistics may also partly reflect increased reporting compared with past years.
Defending Against BEC Scams
Defending against BEC scams can be tricky because they easily bypass traditional security measures. One of the most effective defenses is multi-factor authentication combined with a secondary verification channel for any change to account details. Minor differences in spelling and subtle changes in a domain name almost certainly indicate that the source cannot be trusted. CIOs and CTOs must ensure that employees never share account details or login credentials through email or in response to any email. Software updates and security patches remain critical for all organizations regardless of size.
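As an added example that is not part of the original article, here is a small Python check for the two warning signs just named: a sender domain that is a subtle misspelling or look-alike of a trusted vendor or executive domain, and a Reply-To header that quietly diverts replies elsewhere. The trusted-domain list, the homoglyph table and the sample message are constructed for the example.

```python
# Added example (not from the original post): flag sender domains that are subtle
# misspellings or look-alikes of a trusted domain, and Reply-To addresses that
# redirect replies to a different domain than the one the mail claims to come from.
import re
from email import message_from_string

TRUSTED_DOMAINS = {"acme-supplies.com", "example-corp.com"}  # constructed allow-list

# Character substitutions that are visually hard to tell apart (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Collapse common look-alike character sequences so 'acrne' compares equal to 'acme'."""
    d = domain.lower()
    for lookalike, canonical in HOMOGLYPHS.items():
        d = d.replace(lookalike, canonical)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values against a trusted domain mean a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def check_sender(raw_message: str) -> list:
    """Return a list of BEC-style warnings for one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    warnings = []
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(from_dom) == normalize(trusted) or levenshtein(from_dom, trusted) <= 2:
                warnings.append(f"look-alike of trusted domain {trusted}: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return warnings

# Constructed sample: 'rn' imitates 'm' in acme, and replies are diverted to another domain.
SAMPLE = ("From: billing@acrne-supplies.com\nReply-To: billing@mail-example.net\n"
          "Subject: Updated bank details\n\nPlease use the new account for the next invoice.\n")
```

Run `check_sender(SAMPLE)` to see both warnings; a message from an exact trusted domain with no Reply-To returns an empty list.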
What Now? Well…
The only way to ensure that employees do not fall victim to such scams is proper training and security awareness workshops. Security teams must also implement strict processes and multiple checks to establish the authenticity of foreign vendors before carrying out any transaction or changing payment information. Integrating LKMethod solutions such as machine learning and artificial intelligence that profile user behavior internally can alert IT teams to user risk profiles and track potentially malicious activity as it arises. Confirming directly through a phone call or an in-person meeting is a great way to avoid fraudulent transactions via BEC.
Finally, the FBI recommends that once a BEC scam is detected, the financial provider involved be contacted right away to block or recall the fund transfer, if possible. Additionally, filing a complaint, regardless of the amount stolen, is imperative to stop the attackers from planning and carrying out further attacks with a greater return.