Business Email Compromise (BEC), also known as Email Account Compromise (EAC), has caused financial losses in the billions of dollars. It is a type of fraud in which an organization is tricked into wiring funds or sending sensitive information to a third party posing as a legitimate external supplier, often one based overseas. Southern Oregon University lost $1.9 million in a business email compromise scheme. The money was meant to pay a contractor working on the university’s McNeal Pavilion and Student Recreation Center. Scammers impersonated the contractor by email and tricked an employee into wiring the funds to their account.
The FBI suggests that losses due to ransomware averaged around $4,400 per incident and totaled just shy of $9 million in the U.S. across 2019. In contrast, losses due to BEC were around 17 times higher per incident, at $75,000, and amounted to a total financial loss north of $1.7 billion for the same period.
Cyber criminals carry out Business Email Compromise (BEC) in three ways: by spoofing an email account, by sending spear phishing email, and by using malware.
- Spoof an email account: The contractor case is an example of spoofing an email account. Scammers use a spoofing tool to send mail from legitimate-looking addresses in order to fool victims, either for financial gain or to access sensitive data.
- Spear phishing email: This type of email is hard to detect because the message appears to come from a trusted sender; its goal is to get the recipient to reveal sensitive company information.
- Using malware: Cyber criminals use malware to gain access to legitimate email threads about billing and invoices. Malware also gives criminals access to a victim’s data, including passwords and financial account information.
The Business Email Compromise timeline has four steps that show how cyber criminals plan and carry out an attack. First, they build a profile of the company and its executives from information available online and identify a target. Second, they attack the victim company using spear phishing or spoofed email accounts, which may take days or weeks. Third, the victim is convinced and tricked into wiring funds to the criminals’ accounts or sharing sensitive information with them by email. Fourth, the criminals’ plan succeeds and the wire transfer is received from the victim.
The three vectors that cyber criminals rely on are email, people and wire transfers. You can defend against BEC in many ways:
- Before approving a wire transfer, confirm the request by phoning the manager or a senior contact at the vendor, using the legitimate company phone number, and only then release the payment.
- Enable multi-factor authentication (2FA/MFA); it prevents the majority of account takeover attempts.
- Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate (fbi.gov).
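A defender-side triage check for the spoofing vector described above and for the verification advice in this list, added here as an example and not part of the original post: it parses a raw message with Python's standard `email` module and flags a look-alike vendor domain, a mismatched Reply-To, and payment-change wording. The trusted vendor domain, the keyword list and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains of vendors the organisation actually pays.
TRUSTED_VENDOR_DOMAINS = {"acme-construction.com"}
# Constructed: phrases typical of a fraudulent payment-change request.
WIRE_KEYWORDS = ("wire", "bank account", "routing number", "updated account", "invoice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike vendor domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []
    # Look-alike domain: within two edits of a trusted vendor but not identical.
    for trusted in TRUSTED_VENDOR_DOMAINS:
        if from_domain != trusted and 0 < edit_distance(from_domain, trusted) <= 2:
            findings.append(f"look-alike sender domain {from_domain} (~{trusted})")
    # Replies redirected to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Payment-change language in subject or body.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    hits = [k for k in WIRE_KEYWORDS if k in text]
    if hits:
        findings.append("payment-change language: " + ", ".join(hits))
    return findings


# Constructed sample: a vendor-impersonation message like the contractor case above.
SAMPLE = """From: "ACME Construction Billing" <billing@acme-constructi0n.com>
Reply-To: ap-desk@mail-acme-billing.net
Subject: Updated account for invoice #4471
Content-Type: text/plain

Please wire the outstanding balance to our new bank account; routing number attached.
"""
```

Any non-empty result from `bec_indicators` is a cue to apply the phone-verification step above before the payment is released, not a verdict on its own.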