How to Stay Safe with Business Email Compromise on the Rise
Financial institutions have experienced over $9 billion in losses due to Business Email Compromise (BEC) schemes since 2016, according to a July report by the Financial Crimes Enforcement Network (FinCEN). With such staggering losses, businesses and even individuals can’t afford to ignore BEC attacks.
What is Business Email Compromise (BEC)?
In cases of BEC fraud, cyber thieves pretend to be company leaders or business contacts you’re familiar with to commit wire transfer fraud or to obtain sensitive or confidential information.
Businesses working with foreign suppliers and organizations that regularly make wire-transfer payments are among the most common targets for BEC fraud.
A common tactic used by cyber thieves is to impersonate a company CEO and, by email, ask a junior staff member to complete a task such as transferring funds or providing sensitive information. Since many organizations don’t have a set procedure to verify instructions received from top management, attackers take advantage of the situation.
How Attackers Collect Data from their Targets
A cybercriminal’s main goal is to steal money from victims. He or she will use a variety of methods to commit BEC fraud, including:
- Imposter techniques – This approach can be leveraged in numerous ways. Attackers often use a look-alike domain, display-name deception, and spoofed emails that appear to come from legitimate addresses.
- Social engineering – Attackers sometimes collect information from social media accounts to make their requests sound legitimate. Make sure your social media privacy settings are up-to-date!
- Malware – This common technique gives attackers access to sensitive information that makes the fake request sound legitimate.
- Mining from the Dark Web – Here, attackers can obtain stolen credentials.
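The imposter techniques listed above (look-alike domains, display-name deception, and mismatched reply addresses) can be checked for at the mail-header level. The following Python script is an added example, not code from the original article; the organization domain, the executive list, and the sample messages are constructed placeholders, and the look-alike test (digit-for-letter substitutions plus a similarity ratio) is a simple heuristic rather than a complete homoglyph catalogue.

```python
"""Header-level BEC checks: display-name impersonation, look-alike sender
domains, and Reply-To mismatch. All organization data and sample messages
below are constructed for this example."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumed organization data (placeholders, not from the article)
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox

# Digits commonly used in place of letters in look-alike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lower-case, map digits used as letters, and fold the 'rn' -> 'm' trick."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def is_lookalike(domain: str, trusted: str = OUR_DOMAIN) -> bool:
    """True if the domain is not the trusted one but is visually or textually close to it."""
    if domain == trusted:
        return False
    a, b = normalize(domain), normalize(trusted)
    if a == b:
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= 0.85


def check_headers(raw: str) -> list:
    """Return a list of findings for one raw RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display-name deception: a known executive's name on an unexpected mailbox
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' used with unexpected address {addr}")
    # Look-alike domain: close to ours but not ours
    if domain and is_lookalike(domain):
        findings.append(f"look-alike sender domain {domain}")
    # Reply-To pointing somewhere other than the visible sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To {reply} differs from From {addr}")
    return findings


# Constructed sample messages
SAMPLE_OK = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Lunch tomorrow\n\n"
    "Are you free at noon?\n"
)
SAMPLE_SPOOF = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: jane.doe.office@webmail.example\n"
    "Subject: Urgent wire transfer\n\n"
    "Please process this today and keep it confidential.\n"
)

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("spoof", SAMPLE_SPOOF)):
        print(label, check_headers(raw))
```

In production the executive list and trusted domain would come from the directory, and the findings would feed a mail-gateway rule or a SIEM alert rather than being printed.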
Avoiding BEC Attacks
Conventional security systems don’t always detect BEC schemes. For example, consider when a transaction is willingly initiated by a legitimate user (an employee) in response to a request from a legitimate source (a company leader). These types of requests don’t have the same warning signs as malicious attachments that can be blocked.
Some methods to help reduce the possibility of these attacks include:
- Raise awareness. Focus on the common attack scenarios or tactics like a false domain name that looks similar to the original one, impersonation of a vendor, a false sense of urgency, or a request for secrecy.
- Train employees. Help them understand the many cybersecurity risks and their implications.
- Implement email authentication protocols. This includes, but is not limited to, Domain-based Message Authentication, Reporting, and Conformance (DMARC) and the authentication mechanisms it builds on, such as DomainKeys Identified Mail (DKIM).
- Use layered defense. Consider using encryption and virtual private networks (VPN), among others.
- Implement multifactor authentication. This introduces a secondary authorization control and helps stop attackers even after they have obtained the target’s credentials.
- Establish communication protocols. This step allows for follow-up verification. For instance, if someone is requesting a financial transaction, an employee should call to verify that the request is legitimate.
- Scrutinize all emails that request fund transfers. Help employees understand the need to ask, “Is this a real request?”
- Monitor incoming emails. The names of company leaders are often used in BEC fraud. Constantly monitor for emails that use a familiar name but are sent from an address that does not belong to that person.
- Optimize accounting systems and controls. Implement a control system to make sure sensitive information is kept secure and payments are legitimate.
Final Thoughts
In addition to taking precautionary steps, businesses must make sure their insurance specifically covers BEC attacks, as courts might interpret policies differently. The case of Apache Corporation, which lost $7 million to a BEC attack, illustrates this: ultimately, the judge ruled that the BEC attack was not covered by its insurance policy, since the money was sent to pay a real invoice to an incorrect bank.
It is especially difficult to prosecute cybercriminals, since many operate from countries with less strict cybercrime laws, or no such laws at all. Whether or not you run a business, we must all take precautionary measures to protect ourselves from potential BEC schemes!