Threats 101
Ryan Harnedy
Sep 2016

What is a Business Email Compromise (BEC) Attack? And How Can I Stop It?


In June, the FBI released stats showing that “business email compromise” (BEC) scams have cost businesses $3.1 billion.

Even more troubling, the FBI warned that BEC scams, also known as “CEO fraud” or “Man-in-the-Email” scams, would likely “continue to grow, evolve, and target businesses of all sizes.” The Bureau also said it has seen a 1,300% increase in business email compromise attacks since January 2015.

To help you keep one step ahead of this multi-billion-dollar threat, we put together a quick walkthrough of what business email compromises are, how they work, and how you can protect your organization against them.

What Are Business Email Compromise Attacks?

A BEC is a form of phishing attack in which a cyber criminal impersonates an executive (often the CEO) and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher.

Unlike traditional phishing attacks, which target a large number of individuals across a company, BEC attacks are highly focused. Cyber criminals will scrape compromised email inboxes, study recent company news, and research employees on social media sites in order to make these emails look as convincing as possible. This high level of targeting helps these scams slip through spam filters and evade email whitelisting. It can also make it much, much harder for employees to recognize that the email is not legitimate.

What Does a BEC Attack Look Like?

BEC attacks usually begin in one of two ways: the cyber criminal successfully phishes an executive to gain access to their inbox, or emails employees from a lookalike domain that is one or two letters off from the company’s real domain, so that the message appears to come from an executive at their company (a tactic often referred to as “spoofing” an email).
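One way to catch the lookalike-domain variant on the receiving side, added here as an example and not taken from the original post: compare each sender domain against the corporate domain, allowing for the one- or two-character edits and digit-for-letter swaps described above. The corporate domain and the sample `From:` headers are constructed.

```python
# Added example (not from the original post): flag inbound mail whose sender
# domain is a near-miss of the corporate domain, the "one or two letters off"
# lookalike tactic described above. Domain names and addresses are constructed.
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"  # assumed corporate domain
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digits used as letters

def normalize(domain: str) -> str:
    """Lowercase, fold look-alike digits and the 'rn' -> 'm' trick before comparing."""
    return domain.lower().strip().translate(CONFUSABLES).replace("rn", "m")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) in O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Domain part of a From: header value such as 'Name <user@host>'."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def is_lookalike(domain: str, corporate: str = CORPORATE_DOMAIN, max_distance: int = 2) -> bool:
    """True if domain is close to, but not identical to, the corporate domain."""
    d, c = normalize(domain), normalize(corporate)
    if d == c:  # identical only after folding (e.g. 'examp1e') is still a lookalike
        return domain.lower() != corporate.lower()
    return levenshtein(d, c) <= max_distance

def flag_lookalikes(from_headers):
    """Return the From: headers whose sender domain impersonates the corporate domain."""
    return [h for h in from_headers if is_lookalike(sender_domain(h))]

# Constructed sample From: headers: one genuine, three lookalikes, one unrelated.
SAMPLE_FROM_HEADERS = [
    "Pat Chief <pat.chief@example-corp.com>",
    "Pat Chief <pat.chief@example-crop.com>",    # transposed letters
    "Pat Chief <pat.chief@exarnple-corp.com>",   # 'rn' in place of 'm'
    "Pat Chief <pat.chief@examp1e-corp.com>",    # digit 1 in place of l
    "Vendor Billing <ap@unrelated-vendor.net>",
]

if __name__ == "__main__":
    for header in flag_lookalikes(SAMPLE_FROM_HEADERS):
        print("LOOKALIKE:", header)
```

The same comparison can be run against the display name's claimed domain or against a list of partner domains; only the `CORPORATE_DOMAIN` constant changes.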

Once a cyber criminal has gained access to an executive’s email, a BEC scam usually takes one of five basic forms:

1) CEO fraud

In this attack, the cyber criminal has successfully hacked or spoofed the CEO’s email address. They then send an email from the “CEO” to an employee with the ability to send wire transfers, and instruct them to send funds to an account that the cyber criminal owns.

These attacks will often include a note that the money is being wired for an emergency and instructions to transfer it as quickly as possible. The sense of urgency is meant to discourage an employee from taking the time to verify the transfer or mentioning it to another employee.

2) Bogus invoice scam

In this scenario, the scammer compromises an executive’s email account, looks for an invoice or bill that is due soon, then contacts finance and tells them to change the payment location for that invoice to a different account that the scammer owns.

3) Attorney impersonation

After gaining access to, or the ability to impersonate, a company’s law firm, the scammer requests a large funds transfer to help settle a legal dispute or pay an overdue bill. Typically, the cyber criminal will use this type of attack to convince targets that the transfer is confidential and time-sensitive, so it’s less likely that the employee will attempt to confirm they should send the transfer.

4) Account compromise

Similar to the “Bogus invoice scam,” this attack involves a cyber criminal hacking an employee’s email account, then emailing customers to alert them there was a problem with their payment and they need to re-send it to a different account (one secretly owned by the cyber criminal).

This type of attack is more common with smaller businesses or companies with a small client base since it requires a billing structure that is managed primarily through email.

5) Data theft

Data theft is the only version of the BEC scam whose goal isn’t a direct funds transfer: the cyber criminal compromises an executive’s email account and requests that sensitive corporate information be sent to them. Typically, these requests go to finance or HR, asking for W-2s or highly sensitive corporate financial documents. These attacks are often used as the jumping-off point for a larger and more damaging cyber attack.

What Can I Do to Stop a BEC Attack?

While a few business email compromise attacks involve the use of malware, many rely almost entirely on social engineering techniques. Because of this, BEC attacks are rarely stopped by antivirus, spam filters, or email whitelisting.

However, there are some things you (and your users) can do to help keep your company from getting caught up in a BEC attack.

1) Always double-check before sending money or data

Make it company policy not to request wire transfers or confidential information over email. That way, any email making such a request can be flagged as a potential attack. If you can’t set this as company policy, make it standard operating procedure for your employees to confirm any such request through a phone call or, ideally, face-to-face.

2) Require multi-factor authentication

For a BEC attack to be launched, a scammer must first successfully phish an executive in order to gain access to or spoof their email account. Implementing multi-factor authentication as a security policy will make it much more difficult for a cyber criminal to gain access to your employees’ email inboxes, and therefore harder for them to launch a BEC attack.

3) Run regular spoof checks

Cyber criminals will often use email spoofing to send emails that look like legitimate messages from a member of the company’s leadership team. Running regular checks on your organization’s “spoofability” with something like KnowBe4’s Domain Spoof Test will help you see how vulnerable your company is to email spoofing and understand ways you can make your corporate email spoof-proof.
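A self-check for the “spoofability” the post describes, added here as an example and not the KnowBe4 tool it mentions: grade the SPF and DMARC records a domain publishes, since those records are what tell receiving mail servers to reject mail that forges your domain. The domain and records are constructed, and the `dns` dict stands in for live TXT lookups; a weak posture is shown beside its hardened version.

```python
# Added example (not from the original post): grade a domain's SPF and DMARC
# records, the DNS controls that decide whether mail forged as "From: ceo@<domain>"
# is rejected. `dns` is a constructed name -> TXT-records dict standing in for
# real lookups of <domain> and _dmarc.<domain>; SPF 'redirect=' is not handled.

def parse_spf(txt_records):
    """Return the SPF 'all' qualifier ('-', '~', '?', '+'), or None without a usable SPF record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero records or duplicates both mean SPF cannot be evaluated
        return None
    for term in spf[0].split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return "?"  # no 'all' mechanism: unlisted senders get a neutral result

def parse_dmarc(txt_records):
    """Return DMARC tags as a dict, or None when no DMARC record is published."""
    for r in txt_records:
        if r.replace(" ", "").lower().startswith("v=dmarc1"):
            pairs = (kv.split("=", 1) for kv in r.split(";") if "=" in kv)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return None

def assess_spoofability(domain, dns):
    """List the weaknesses that let forged mail from `domain` reach inboxes."""
    findings = []
    qualifier = parse_spf(dns.get(domain, []))
    if qualifier is None:
        findings.append("SPF: no usable record, any host may send as this domain")
    elif qualifier != "-":
        findings.append(f"SPF: ends in '{qualifier}all', unlisted senders are not rejected")
    dmarc = parse_dmarc(dns.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("DMARC: no record, receivers will not enforce alignment")
    elif dmarc.get("p", "none") != "reject":
        findings.append(f"DMARC: p={dmarc.get('p', 'none')} lets forged mail through")
    return findings

# Constructed records: a weak posture and the hardened version of the same domain.
WEAK_DNS = {"example-corp.com": ["v=spf1 include:_spf.mailprovider.example ~all"]}
HARDENED_DNS = {
    "example-corp.com": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.example-corp.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com"],
}

if __name__ == "__main__":
    for name, dns in (("weak", WEAK_DNS), ("hardened", HARDENED_DNS)):
        print(name, assess_spoofability("example-corp.com", dns) or ["no findings"])
```

Moving a domain from the weak posture to the hardened one is usually done in stages (p=none with reports, then quarantine, then reject) so that legitimate senders missing from SPF are found before mail starts being rejected.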

4) Teach employees how to spot phishing

Since employees are the target of BEC attacks, you need to equip them with the tools and education necessary to tell when something is off and to respond appropriately. To get started on the right foot, check out our free Phishing Field Guide. It’s full of security awareness training tips and examples of phishing emails you can share with your users to show them exactly what to watch out for.

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.
