In a nutshell, if you haven't been pacing the office floor, stressing out about BEC attacks, you are either a very smart cookie or simply a little out of touch. With the FBI naming BEC (Business Email Compromise) attacks as one of its Hot Topics, it's high time that everyone got on top of their game.
A BEC, or man-in-the-email attack, is a type of phishing heist where a hacker pretends to be an executive and tries to get vendors, partners, employees or clients to hand over cash or private data.
The target of these attacks is usually the CFO or CEO of a company, and in comparison to traditional phishing break-ins, these attacks are highly specific. Research published by Trend Micro claims that CFOs are targeted more than any other finance professional, with almost 20% of all BEC scams aimed directly at them, followed by Finance Directors, Finance Managers, Controllers and Accountants.
The FBI estimates that between 2013 and 2015, BEC-related losses were well over $3,000,000,000. That's an awful lot of zeros.
Cyber criminals are working hard at researching company details, news and social media to convince their victims of their authenticity, with frightening success.
Not only that, but we know that this problem is truly international. Whilst 31% of BEC attacks are directed against US corporations, Australia closely follows with 27% and the UK stands at 22%. The British Met have stated that BEC cyber-crime is the third most common type of business scam currently affecting companies.
So, with the threat of these attacks being so great, one would assume that the headlines would be soaked with examples of BEC attacks. Not the case, and we believe that the level of company shame around BEC victimhood is keeping a lot of these stories hidden away in the corporate closet.
The secrecy around how and when these cyber heists are happening is preventing effective movement on countering the next incident. Allowing ourselves to talk about and break down how BEC scams happen will hopefully avoid multiple future incidents.
With that in mind, we have put together a checklist of the different forms of BEC scams.
How to recognize a BEC Attack?
How it all starts: The BEC scam officially kicks off when a cyber-criminal manages to spoof emails. This means the hacker finds a way into the inbox of the executive or emails the executive's contacts from a genuine-looking domain.
From there it breaks down into four different types of fraud scheme.
1. Pretending to be the CEO or CFO
This applies to both CEO and CFO scams and indicates that these decision makers' email addresses have been spoofed. Usually an email is then sent to an employee asking them to forward funds to the cyber criminal's account.
2. Pretending to be an Attorney
Like we said, these guys are doing their homework. They will find out who your law firm is, who works there and request funds to pay legal bills or settle other legal matters.
3. Employee compromise and bogus invoices
Employee compromise involves the hacker gaining access to an employee's email account and sending mail shots to customers with a fictional payment issue that can be resolved by sending the payment to a different account: their own.
A variation on this is the bogus invoice, where the hacker targets a company executive further up the food chain and identifies upcoming invoices or payments. The hacker would then typically email the Finance department to have the payment redirected.
4. Data theft
This type of attack happens when a hacker asks for private or sensitive details but doesn't directly ask for a fund transfer. The end goal here may simply be gathering more data for an eventual cyber robbery, but of course there are many other ways to use sensitive details.
Preventing BEC attacks through identification
Apart from a general feeling that the email you have been sent is a little 'off', there are several indicators that a BEC attack is in play.
- Early-stage BEC emails normally contain malware, so make sure to upgrade your malware detection programs to stop these phishing scams before they even begin.
- The emails themselves may come from suspicious-looking domains, or simply from domains that the person being impersonated has never used before. Any time you receive an email from an unknown account, contact the sender, preferably through their previously used email address, Skype or by phone.
- Cautiously examine any request for fund transfers to decide whether it is characteristic of your clients, lawyers or whoever else is requesting payment. It's worth being aware that the majority of spoof emails stress both the urgency of the money transfer and the high level of confidentiality needed. This is to stop the victim trying to confirm with third parties whether the request is real.
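As an added illustration (not code from the original post), the following Python triage script turns the indicators above into checks over a raw message: a known display name arriving from a domain that person has never used, a Reply-To pointing at a different domain, payment wording, and urgency paired with secrecy. The known-sender directory, the phrase lists and the two sample messages are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed directory of people finance deals with and the domains they have
# actually mailed from before; in practice this is built from the mail archive.
KNOWN_SENDERS = {"jane doe": {"example.com"}}  # the CEO in this example

# Phrases mapping to the indicators above; tune these to your own traffic.
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)
SECRECY = re.compile(r"\b(confidential|discreet|keep this between us)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|new (bank )?account|updated (bank|payment) details|invoice)\b", re.I)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def score_message(raw: str) -> dict:
    """Check one RFC 5322 message against the BEC indicators; score is 0-4."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", addr))[1])
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    known_domains = KNOWN_SENDERS.get(name.strip().lower())
    flags = {
        # a name we know, arriving from a domain that person has never used
        "new_domain_for_known_name": known_domains is not None and from_domain not in known_domains,
        # replies quietly diverted to a domain other than the From address
        "reply_to_mismatch": reply_domain != from_domain,
        "payment_request": bool(PAYMENT.search(text)),
        # urgency plus secrecy: the victim is being steered away from verifying
        "urgent_and_confidential": bool(URGENCY.search(text) and SECRECY.search(text)),
    }
    return {"from": addr, "flags": flags, "score": sum(flags.values())}


def needs_callback(raw: str, threshold: int = 2) -> bool:
    """True when the request must be confirmed by phone before any payment moves."""
    return score_message(raw)["score"] >= threshold


# Constructed sample messages, not real traffic.
SPOOFED_CEO = ("From: Jane Doe <jane.doe@examp1e.com>\nReply-To: Jane Doe <jane.doe@mail.example>\n"
               "Subject: Urgent wire transfer\n\nPlease wire $48,000 to a new account today for an "
               "acquisition. Keep this confidential until the deal is announced.\n")
GENUINE_CEO = ("From: Jane Doe <jane.doe@example.com>\nSubject: Q3 board pack\n\n"
               "Slides attached; comments welcome by Friday.\n")
```

A score of 2 or more is a prompt to pick up the phone, not a verdict; the point is to force the out-of-band check the scam is designed to prevent.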
To prevent these attacks, use advanced malware detection, multi-factor authentication, and phone verification for any payment changes or any other changes in email communication. Most importantly, educate your staff to spot spoofs; it could save you a fortune.