Updated: Aug 17, 2021
Business Email Compromise (BEC) is a type of cyber attack that uses an impersonated email address - usually a business email address - to trick users into falling victim to a scam. BEC scams do not rely on malicious attachments or links; instead they rely entirely on social engineering to achieve their aim. Social engineering attacks involve pretending to be a trusted person so that victims trust the attacker and do as they are told.
Perpetrators of this scam target people of influence within an organization in order to get their hands on sensitive information such as employee databases and payroll information. Targets for the impersonation are therefore mostly CEOs/CTOs/CFOs and HR Managers.
HOW IT WORKS
BEC is commonly used for such social engineering attacks as:
a. Whaling - Whaling is a highly targeted phishing attack aimed at senior executives of an organization. The attackers send communications that masquerade as legitimate email, designed to encourage victims to perform an action such as initiating a wire transfer of funds.
b. Wire Transfer Fraud - Signs of a wire transfer fraud include being unexpectedly asked to wire some money for payment, being sent a check in return for an exchange payment, or being asked to wire money to a recipient in another country.
c. CEO Fraud - This is when cyber criminals send convincing emails impersonating an organization's CEO that ask employees - typically in HR or accounting - to help them out by sending a wire transfer or some sensitive employee details.
The scam is made easier using:
a. Email Spoofing - An attacker forges the email's envelope and header fields. The receiving mail server believes the email came from a corporate domain, but the recipient's email client displays sender information that does not match, so the displayed sender name and email address are at odds. See the example in the image below:
b. Email Impersonation - Happens when an attacker sets up an email account that closely resembles a legitimate business email account. See the image below:
c. Email Account Takeover - Here, the attacker gains access to a corporate email account either by hacking or via stolen account credentials. Using this access, they gather information about the user's contacts, email writing style, and other personal data, then use the hijacked account to send out phishing emails.
RECOGNIZING AND PREVENTING BEC SCAMS
1. Be wary when high-level executives start requesting unusual information. Think about whether it is usual for your CEO to want to review tax information for individual employees. Does the CEO regularly get locked out of their account and require access or a new password?
2. Don't just trust the header information in an email. Cyber criminals tend to spoof both the sender name and address, so always verify that everything is as it should be. If you have any suspicions, contact the supposed sender via an alternative channel.
3. Always check for spelling mistakes. Grammatical and punctuation errors as well as unusual use of language and date/time formats are tell-tale signs of phishing emails.
4. Urgent requests should give you pause. Take your time and verify the legitimacy of each request from higher-ups.
5. All requests that bypass normal communication channels should be treated with suspicion. Most organizations have channels through which payments must be processed, no matter how urgent they are. When these channels are bypassed and an email comes in seemingly from an executive requesting, for example, that an urgent wire transfer be made ASAP, the recipient should be immediately suspicious.
6. It is always a red flag when the email domain and the "Reply-To" address do not match the sender's address.
7. Ensure staff are equipped to spot and respond appropriately to cyber attacks through regular phishing and social engineering training.
8. Use an email filtering service to block unwanted or potentially malicious emails. Email filtering should cover both inbound and outbound mail traffic.
Combating BEC scams takes more than adhering to one or a few of the measures listed above; it requires combining all of the necessary measures to ensure successful implementation. CYCO has partnered with KnowBe4 to carry out top-notch security training for businesses of all sizes; contact us today for a quote!
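The header checks behind points 2 and 6 above, and the spoofing and impersonation patterns described earlier, can be automated. The following is an added illustration written for this page (not code from the original article or from CYCO/KnowBe4); the sample message, the domain names and the `check_sender_headers` function are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): lookalike executive domain, a
# display name embedding the real CEO address, unrelated Reply-To/Return-Path.
SAMPLE_BEC_MESSAGE = """\
Return-Path: <bounce-1234@relay.example.net>
From: "Jane Doe CEO <jane.doe@acme.example>" <jane.doe@acme-example.com>
Reply-To: jane.doe.ceo@freemail.example.org
To: payroll@acme.example
Subject: URGENT wire transfer - please action ASAP

Process the transfer today and confirm by return email.
"""

EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_sender_headers(raw: str, trusted_domain: str) -> list[str]:
    """Return the red flags found in one message's sender headers;
    trusted_domain is the organisation's own mail domain."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = _domain(msg.get("Reply-To", ""))
    return_dom = _domain(msg.get("Return-Path", ""))
    flags = []
    # Item 6 above: Reply-To on a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from {from_dom}")
    # Spoofing: envelope sender (Return-Path) does not match the From domain.
    if return_dom and return_dom != from_dom:
        flags.append(f"return-path domain {return_dom} differs from {from_dom}")
    # Impersonation: the display name carries an address other than the real one.
    claimed = EMBEDDED_ADDR.search(display_name)
    if claimed and claimed.group(0).lower() != from_addr.lower():
        flags.append(f"display name claims {claimed.group(0)}, actual {from_addr}")
    # Lookalike: domain contains the trusted brand label but is not that domain.
    label = trusted_domain.split(".")[0].lower()
    if from_dom != trusted_domain.lower() and label in from_dom:
        flags.append(f"lookalike sender domain {from_dom}")
    return flags
```

Running `check_sender_headers(SAMPLE_BEC_MESSAGE, "acme.example")` on the constructed message raises all four flags; a message whose From, Reply-To and Return-Path all sit on the trusted domain raises none.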