Since 2013 Business Email Compromise (BEC) has emerged as one of the most dangerous cyber threats to businesses across the globe. Sophisticated, easy to carry out and costly to victims, it has all the hallmarks of a scam with burgeoning popularity.
BEC is in many ways the oldest trick in the book: a trick of trust, a form of deception that misleads employees into parting with their business's money. Marks are deceived into transferring huge sums to fraudsters masquerading as legitimate executives, partners and suppliers.
The BEC scam starts with the attackers hacking into business email accounts (or closely mimicking them) and carefully studying employees' interactions, building up a profile of the company's top-tier executives, foreign partners and accounting staff. The scammers then take on the identity of someone higher up the corporate ladder to trick their targets into sending money.
Formerly known as the "man-in-the-email" scam, this fraud has cost businesses an estimated $3.1 billion, with a 1,300% increase in reported BEC losses since January 2015, according to the FBI's June 2016 public service announcement.
Once the scammers have worked their way into a corporate mailbox and researched the company thoroughly, the scam is ready to be put into action. The FBI breaks BEC down into five scenarios; lawyer impersonation is folded into CEO fraud here, giving the four core frauds below:
The Bogus Invoice Scam: By monitoring a business's correspondence with a longstanding supplier, scammers inject themselves into the conversation, either requesting a change of bank account details (so that the next genuine payment is wired to a fraudulent account) or simply requesting payment of an outstanding invoice. Once the research has been done the scam is easy to carry out, because a change of bank details or a payment request is routine business traffic and rarely questioned.
CEO Fraud: In this version the fraudsters take on the identity of a top-level executive or an outside lawyer, purporting to handle a time-sensitive, highly confidential matter (an acquisition, a tax settlement) that requires an immediate transfer of money. Under that pressure, would you spot the difference between steve.kelley@acompany.com and steve.kelly@acompany.com? And what if the request came from the real email address?
Account Compromise: The email account of a real employee is hacked and then used to make fraudulent requests for money. Typically it is a top-level executive's mailbox sending a request to the accounts department, or an employee's mailbox sending invoices to partners and customers in the compromised contact list. Because the mail is genuine, technical sender checks pass, and the scammed business often doesn't become aware of the scheme until vendors chase the status of a payment, by which time the money is long gone.
Data Theft: Employees in specific roles (usually HR or payroll) are impersonated or compromised and used to request sensitive information about other employees, such as tax forms or personal details. That information can be used to attack the business later or as a means of employee identity theft.
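A screening check in the spirit of the look-alike address and bank-detail warnings above, as an added example that is not code from the original post or from Aware. It assumes a constructed directory of two trusted addresses (steve.kelley@acompany.com from the text and a made-up supplier address ap@bigsupplier.com), undoes common homoglyph tricks before comparing, and holds a message for out-of-band verification when the sender is a near-miss of a trusted address, the display name borrows a known person's name, or the body asks to change bank details, even when it comes from a trusted address, since that mailbox may itself be compromised.

```python
import re
from email.utils import parseaddr

# Constructed sample directory of trusted senders: the executives and suppliers
# whose identities a BEC actor would borrow. In practice this is fed from the
# address book and vendor master data, not a literal.
TRUSTED = {
    "steve.kelley@acompany.com",
    "ap@bigsupplier.com",
}

# Characters commonly swapped in look-alike addresses, mapped back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Wording that accompanies the "please update our bank details" variant.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?|alternat\w*)\b.{0,40}\b(bank|account|wire|iban|swift|beneficiary)\b",
    re.I | re.S,
)


def normalise(addr: str) -> str:
    """Lower-case and undo digit/letter homoglyphs plus the rn->m and vv->w tricks."""
    return addr.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; addresses are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def display_name_of(addr: str) -> str:
    """'steve.kelley@acompany.com' -> 'steve kelley', used for display-name checks."""
    return re.sub(r"[._-]+", " ", addr.split("@", 1)[0]).strip()


def classify_sender(from_header: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (verdict, closest_trusted_address).

    verdict is one of:
      'trusted'       exact match in the directory
      'lookalike'     within max_distance edits of a trusted address after
                      normalisation (steve.kelly vs steve.kelley, acompany.co
                      vs acompany.com, ke11ey vs kelley)
      'spoofed-name'  display name belongs to a trusted person but the address
                      does not ("Steve Kelley <sk.private@gmail.com>")
      'unknown'       none of the above
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in trusted:
        return "trusted", addr
    norm = normalise(addr)
    best = min(trusted, key=lambda t: levenshtein(norm, normalise(t)))
    if levenshtein(norm, normalise(best)) <= max_distance:
        return "lookalike", best
    shown = re.sub(r"\s+", " ", name.lower()).strip()
    for t in trusted:
        if shown and shown == display_name_of(t):
            return "spoofed-name", t
    return "unknown", None


def screen_message(from_header: str, body: str) -> dict:
    """Combine the sender verdict with the payment-change content check.

    hold=True means a human must verify out of band (phone the number already
    on file, never one quoted in the email) before changing bank details or
    releasing funds. A payment change from a trusted address is still held,
    because that is exactly what account compromise looks like.
    """
    verdict, match = classify_sender(from_header)
    payment_change = bool(PAYMENT_CHANGE.search(body))
    return {
        "verdict": verdict,
        "closest_trusted": match,
        "payment_change": payment_change,
        "hold": payment_change or verdict in ("lookalike", "spoofed-name"),
    }


if __name__ == "__main__":
    # Constructed sample headers and bodies for a quick local run.
    samples = [
        ("Steve Kelley <steve.kelly@acompany.com>", "Need this wired today, confidential."),
        ("Steve Kelley <sk.private@gmail.com>", "I am in a meeting, please handle the payment."),
        ("AP <ap@bigsupplier.com>", "Please note our new bank account details for future payments."),
        ("Alice <alice@other.example>", "Agenda for Thursday attached."),
    ]
    for hdr, body in samples:
        print(hdr, "->", screen_message(hdr, body))
```

The edit-distance threshold of two catches the single-character misspellings and cousin domains the text describes; raise it and the false-positive rate climbs quickly for short local parts like "ap", so keep the hold decision tied to the payment-change check as well rather than the sender verdict alone.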
Although not as in vogue with the media as ransomware, BEC attacks are more common, more dangerous and more likely to cost your business money than virtually any other cyber threat. Unlike viruses, malware and ransomware, there is no product that simply blocks it: SPF, DKIM and DMARC can reject mail that forges your own domain, but they do nothing against a look-alike domain or a genuinely compromised account, and it is very hard to know whether fraudsters are already reading your mail. Many times the scam is only uncovered once an attack has been attempted, successfully or not, which is why any request to change bank details or make an urgent payment should be confirmed by phone using a number already on file, never one quoted in the email.
If you would like to know more about IT security, and how Aware can protect you from threats online, you can speak to a specialist today or visit our Managed Services to find out more: //www.aware.co.th/it-service-management/
Aware are hosting an IT security event at Le Meridien Hotel, Chiang Mai on September 19th, 2017 – if you would like to attend, please sign up here: //docs.google.com/…/1FAIpQLSfhes5OB9Rf7f3blF…
Digital Marketing Manager at Aware Group: Working his way through the world of technology and Thailand as best as he can. Happy to contribute to other tech publications.