CYBERSECURITY 101: Protection against Business Email Compromise (BEC) Scams

Nov 5, 2024

Scams involving business email compromise were the most expensive cybercrimes in 2021.

Cybercriminals continue to successfully steal and spoof emails to assume the identities of managers, CEOs, and suppliers before requesting what appear to be proper business payments.

While some forms of online crime have decreased recently, business email compromise (BEC) scams have grown both in the number of victims they affect and in the overall losses they cause. The 2021 Internet Crime Report, published in March 2022 by the FBI’s Internet Crime Complaint Center (IC3), showed a 7% increase in internet crime from 2020. The FBI found that potential losses grew by 64% to $6.9 billion during the same period.

No business, no matter how big or tech-savvy, is immune.

BEC schemes target organizations that engage with international suppliers or conduct wire transfers regularly, whereas email account compromise (EAC) threats target individuals who make wire transfer payments. Because the two have grown increasingly similar, the IC3 now tracks them as a single category.

No corporation is safe from scams that target businesses, including internet titans Google and Facebook, which were duped into sending $100 million to a thief posing as a reliable computer hardware supplier in 2013.

Fortunately, companies can take action to prevent BEC fraud. This primer on BEC attacks, how to avoid them, and what to do if your firm has been successfully targeted is intended to help you avoid becoming a victim.

What is BEC?

Business email compromise (BEC) is a type of email cybercrime scam in which an attacker targets a corporation in order to defraud it. BEC scams fall under social engineering, which consists of deceiving a target into thinking and acting in a certain way. BEC schemes involve a fraudster pretending to be someone the target trusts, such as the company CEO, in order to defraud the corporation.

For instance, a hacker engaged in a BEC scam might gain access to the email account of a company official and then send a critical email to the accounting department late on a Friday afternoon. The email can demand that the company’s accountant move money to a different business partner immediately to finish a project on schedule. Although the fraudsters control the provided account, an unwary employee may transfer the funds under the impression that this is a legitimate request.

In an unexpected turn of events, the IC3 reported that it has seen fraudsters exploit potentially weak remote-work security measures to conduct BEC scams through online meeting platforms. In one variant of the attack, a scammer steals a company executive’s login credentials for the meeting platform and then invites a specific employee to a video conference. During the meeting, the con artist claims that there are problems with the audio and video connection, and then gives instructions for a wire transfer. Business scams did increase when more people began working from home due to the COVID-19 pandemic.

The FBI Identifies 5 Main Categories of BEC Fraud:

  • CEO Fraud: This happens when an attacker poses as the CEO or another executive of a firm and emails someone in the finance department asking for money to be transferred to an account they control.
  • Account Compromise: A vendor’s payment requests are sent from a hacked employee’s email account. The attacker’s fake bank accounts are then used to receive payments.
  • False Invoice Scheme: Attackers frequently use this strategy against overseas providers. The con artist poses as the provider and asks for money transfers to phony accounts.
  • Attorney Impersonation: This occurs when an attacker poses as a lawyer or other legal professional. These attacks frequently target lower-level employees, who are less able to question the legitimacy of the request.
  • Data Theft: These offenses frequently target HR staff to steal private or sensitive information on firm employees, such as CEOs and executives. Future assaults like CEO Fraud can subsequently make use of this data.

How do BEC attacks operate?

Phase 1: Targeting Email Lists

  • The attackers start by compiling a list of emails they want to target. Common strategies include searching through databases of corporate emails, mining LinkedIn profiles, or even browsing different websites in search of contact details.

Phase 2: Starting the Attack

  • Attackers start sending out bulk emails to launch their BEC attacks. Since attackers will use strategies like spoofing, lookalike websites, and fictitious email addresses, it is challenging to pinpoint malicious intent at this point.

Phase 3: Social Engineering

  • At this point, attackers will pose as corporation employees, such as CEOs or members of the financial departments. Emails requesting immediate responses are prevalent.

Phase 4: Monetary Gain

  • If attackers successfully gain a victim’s trust, this stage is usually when a data breach or financial gain occurs.
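Phases 2 and 3 rely on spoofed or lookalike sender addresses and urgent, executive-sounding language. The following Python triage routine is an added example (not code from the original post or from any vendor) showing how a mail gateway or SOC script can flag those traits before a message reaches the finance team. The corporate domain, the executive names and the two sample messages are constructed for the example; the checks are sender-domain lookalike detection (homoglyph normalization plus a small edit distance), Reply-To mismatch, an executive display name on a non-corporate domain, urgency wording and failed SPF/DKIM/DMARC results.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the company's real domain and executives whose
# display names a BEC actor might imitate.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "before end of day", "confidential")

# Common substitutions seen in lookalike domains; hyphens are dropped so
# "examplecorp.com" and "example-corp.com" compare equal.
_SUBS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", ""))


def normalize(domain):
    d = domain.lower()
    for a, b in _SUBS:
        d = d.replace(a, b)
    return d


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def is_lookalike(domain, trusted=CORPORATE_DOMAIN):
    if domain == trusted:
        return False
    if normalize(domain) == normalize(trusted):
        return True
    # Trusted name embedded in a foreign domain, e.g. example-corp.com.evil.test
    if trusted in domain and not domain.endswith("." + trusted):
        return True
    return levenshtein(domain, trusted) <= 2


def triage(raw_message):
    """Return a sorted list of finding tags for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = set()
    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_to = msg.get("Reply-To")
    reply_domain = domain_of(reply_to) if reply_to else from_domain
    if is_lookalike(from_domain):
        findings.add("lookalike-sender-domain")
    if reply_domain != from_domain:
        findings.add("reply-to-mismatch")
    if name.strip().lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.add("executive-name-external-domain")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.add("urgent-language")
    auth = str(msg.get("Authentication-Results", "")).lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.add("auth-failure")
    return sorted(findings)


# Constructed sample messages (not real traffic).
MALICIOUS = "\n".join([
    "From: Jane Doe <jane.doe@example-c0rp.com>",
    "Reply-To: jane.doe.ceo@webmail.example",
    "To: accounts@example-corp.com",
    "Subject: Wire transfer",
    "Authentication-Results: mx.example-corp.com; spf=pass; dkim=none; dmarc=fail",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Please process the vendor payment immediately, before end of day. Keep this confidential.",
])
BENIGN = "\n".join([
    "From: Bob Vendor <bob@trusted-vendor.example>",
    "To: accounts@example-corp.com",
    "Subject: Invoice 1042 attached",
    "Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Hi, the monthly invoice is in the portal as usual. Thanks!",
])

if __name__ == "__main__":
    print("malicious:", triage(MALICIOUS))
    print("benign:", triage(BENIGN))
```

Any non-empty finding list should route the message to a human approver rather than auto-blocking it; the lookalike and Reply-To checks in particular catch the Phase 2 spoofing the text describes even when the body reads as a routine payment request.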

BEC Scam Prevention

Scams using business email compromise can be challenging to combat because they frequently prey on psychological weaknesses rather than technical flaws. Many technological measures used to protect computers and other systems from hackers are ineffective against BEC schemes.

However, being a victim of a BEC scam is not a given. BEC scams can be avoided using several recommended practices to enhance cybersecurity. It only takes a few minutes to put some easy cybersecurity advice into practice to make a difference.

The following preventative measures, aimed specifically at BEC fraud, will better safeguard your company:

  1. Recognize the threat. The first element of a successful defense is awareness. Learn to recognize typical BEC scenarios and techniques, including emails with a tone of high urgency and executive or vendor imposter communications. Never open a link in an email unless you are sure it will take you to a safe, legitimate website. Always check the domain name of the email sender.
  2. Educate your staff. All staff members should receive training on BEC attacks and what to do if they feel they are being targeted. Encourage your team to follow their gut feelings and consider, “Would my CEO tell me to do this?”, “Why isn’t this provider sending an invoice via our portal?”
  3. Keep your mailboxes secure. While social engineering is a critical component of BEC schemes, the attacks may begin with a fraudster taking over a target’s email account. Require staff to use a different, strong password for each account. Securing your business’s email accounts and devices with measures such as two-factor authentication and virtual private networks (VPNs) can also stop BEC attacks. The FBI additionally suggests turning on notifications for foreign logins.
  4. Bolster your IT division. Think about hiring a dedicated cybersecurity expert or providing funding for cybersecurity training for interested IT staff. The finest information security certification programs frequently contain lessons on BEC scams and how to protect businesses from them.
  5. Create a contingency plan. Even with all the proper precautions, a corporation could still fall prey to a BEC scam, so you need a plan for such a case. This strategy should outline specific actions, designating who is in charge of alerting the FBI and the financial institution handling your company’s finances.
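Item 3 recommends turning on notifications for foreign logins. As an added example (not code from the original post), the Python routine below shows the logic behind such a notification when applied to an exported sign-in log: it flags successful logins from countries outside an allow-list and successful logins that follow failed attempts for the same user. The CSV log, the users, the IP addresses and the allow-list are all constructed for the example; a real deployment would read the same fields from the mail platform's audit log.

```python
import csv
import io
from collections import defaultdict

# Constructed sign-in log for the example (documentation-range IPs, not real users).
SAMPLE_LOG = """timestamp,user,ip,country,result
2024-11-01T08:02:11Z,alice@example-corp.com,203.0.113.10,US,success
2024-11-01T09:15:40Z,bob@example-corp.com,198.51.100.7,US,success
2024-11-01T23:48:03Z,alice@example-corp.com,192.0.2.55,NG,success
2024-11-02T03:12:19Z,bob@example-corp.com,192.0.2.77,RU,failure
2024-11-02T03:12:51Z,bob@example-corp.com,192.0.2.77,RU,success
"""

# Countries from which this (hypothetical) company expects staff to sign in.
EXPECTED_COUNTRIES = {"US", "CA"}


def login_alerts(log_text, expected=EXPECTED_COUNTRIES):
    """Return one alert dict per suspicious successful login, in log order."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed attempts per user
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        if row["result"] != "success":
            failures[user] += 1
            continue
        reasons = []
        if row["country"] not in expected:
            reasons.append(f"login-from-unexpected-country:{row['country']}")
        if failures[user]:
            reasons.append(f"preceded-by-failed-attempts:{failures[user]}")
        failures[user] = 0  # a success resets the failure streak
        if reasons:
            alerts.append({
                "user": user,
                "timestamp": row["timestamp"],
                "ip": row["ip"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in login_alerts(SAMPLE_LOG):
        print(alert["timestamp"], alert["user"], alert["ip"], ", ".join(alert["reasons"]))
```

Each alert is a candidate for the "foreign login" notification the FBI suggests; sending it to both the account owner and the security team lets a takeover be caught before the attacker's first payment request goes out.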

What Should You Do Now?

The FBI report’s data make it abundantly clear that business email scams are on the rise. Of course, this does not mean that your business will inevitably be attacked. However, as technology advances, these online offenses are likely to become more polished and convincing, making it easier for organizations to fall victim. By putting the correct protocols in place, businesses can at least have a leg up on any fraudsters who might try to target them.

If you already have a response strategy, you can lessen the effects of a successful assault on your company. For more information on preventing and defending against cyberattacks, get in touch with Workplace Connect today.
