
Business Email Compromise is a common scam in the corporate world, and it results in the loss of millions of dollars every year. According to the FBI's statistical report, losses reached $1.77 Billion in 2019, with an average loss of $75k per incident. BEC attackers use advanced techniques to target financial institutions. With BEC simulations, we can help prevent these attacks and protect these financial bodies.

As a responsible Cyber Security partner of leading financial organizations across the globe, the NetSentries Technologies Cyber Threat Research team has prepared this short advisory article on BEC trends, techniques, and the awareness needed to prevent such scams. We encourage FinServ stakeholders to use this information when developing internal awareness programs and BEC simulation exercises. If your organization is looking for a BEC simulation or consulting service, please contact us at info@netsentries.

What is BEC?

Let us give you a clear concept of Business Email Compromise, or BEC. It is a type of cybercrime in which the criminal accesses business email accounts by impersonating their owners. Cybercriminals mostly target organizations that regularly make wire transfers. Most BEC attackers use phishing and email fraud to compromise the email accounts of senior-level officers. By diverting wire payments, attackers also gather financial data.

Using various social engineering scams, criminals persuade victims to download malware and click on infected links. A BEC criminal group typically includes hackers, social engineers, and translators. The criminals' goal is to take the funds held in victims' accounts at financial institutions by tricking the victims into making a payment in their favor; they do not target the victim's bank account directly. They also monitor and research their potential target organizations and victims closely.

We can categorize BEC in different ways:

  • Fake invoice scheme - Companies that deal with foreign partners are a major target of this BEC scam. Criminals pretend to be a foreign supplier of the target organization and request fund transfers, so that one of the fraudsters receives the payment.
  • CEO fraud - BEC attackers pose as the CEO of the company. They send emails to employees asking them to send funds to an account the attackers control.
  • Account Compromise - This crime combines both of the above tactics. Criminals send emails from a compromised account to individuals or organizations. To compromise financial accounts, they send payment requests and invoices.
  • Data Theft - Here, cybercriminals target HR professionals and bookkeepers to obtain personal and sensitive data about employees, which the criminals intend to use in future attacks.
  • Attorney Impersonation - Posing as lawyers or other legal professionals, attackers rely on phone calls and emails to succeed in their attacks. In most cases, employees who are unfamiliar with proper business communication procedures become victims of this attack.
  • Tax threats - Some attackers pretend to be a tax collector. They pressure victims into sending their organization's tax data. Because of the potential tax evasion risk, victims feel forced to follow the attackers' instructions.

What techniques do BEC attackers apply to reach their targets?

  • Malware - BEC criminals use malware to obtain data from a company's internal systems. The malware enables them to read genuine emails related to financial transactions. With this technique, attackers can easily grab an organization's sensitive data.
  • Spoofing email addresses and websites - Criminals create fake email addresses and websites that look like the genuine ones. They fool their victims into treating the malicious email account as the genuine one.
  • Spear-phishing - This is another trick with which criminals deliver fake emails. They claim to be trusted senders and ask victims to disclose important information.

Most relevant factors in a BEC case

You can detect BEC scams and prevent their negative effects in several ways.

  • Identifying the email sender

At times, large corporations receive payment requests directly from the CEO. In this case, senior employees must check the legitimacy and validity of the sender's email address.

  • Reason for choosing wire transfer

BEC attackers target wire transfers for financial gain. If someone has asked you to pay funds via wire transfer, you must thoroughly check the sender's source and identity.

  • Requesting for gift cards

BEC criminals use gift cards as a mode of crime. Attackers request gift cards from reputable companies to cheat individuals and organizations, because they know these cards are easy to transfer and redeem for a large amount of cash. Thus, you must re-check every detail before sending any data.

  • Creating a sense of urgency

Attackers can make you feel that they need the money urgently. You must not take any step without verifying the request.

  • Unusual email from the higher-ups

It is essential to verify any email from a higher-up in the organization that asks for sensitive data, a change in payment details, or the processing of an invoice.

  • Non-organizational email sources

Before making a wire transfer, you must check the email address and confirm that the request was sent from a legitimate organizational email address and not from a personal email account.

Some ways of protection against BEC

  • Set email security gateway rules to flag emails from domains that look similar to the legitimate domain name.
  • Color-code emails so that messages from internal employees and from non-employees are visibly distinguishable.
  • Verify payment methods with two-factor authentication.
  • Use a phone call to confirm requests.
  • Thoroughly examine every email requesting a fund transfer.
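The first and last checks above, and the "Non-organizational email sources" point earlier, can be expressed as a gateway rule. The following is an added example, not code from the article or from NetSentries: it classifies the domain of a From: header as internal, a lookalike of the real domain (by edit distance and common homoglyph swaps), a personal webmail domain, or plain external. The legitimate domain, the webmail list and the sample headers are assumed placeholder values.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: the organisation's real domain (placeholder, not from the article).
LEGIT_DOMAIN = "example.com"
# Consumer webmail domains that should never carry a payment instruction.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Substitutions that make a lookalike read like the real name on screen.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case, fold Unicode confusables, and undo common ASCII homoglyph tricks."""
    d = unicodedata.normalize("NFKC", domain.lower())
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def classify_sender(from_header: str, legit_domain: str = LEGIT_DOMAIN,
                    max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike', 'personal', 'external' or 'invalid'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == legit_domain:
        return "internal"
    norm = normalize(domain)
    brand = legit_domain.split(".")[0]  # e.g. "example"; heuristic for short brands
    if norm == legit_domain or levenshtein(norm, legit_domain) <= max_distance or brand in norm:
        return "lookalike"  # gateway rule: hold or flag for review
    if domain in FREEMAIL:
        return "personal"  # fund requests should never come from here
    return "external"


# Constructed sample headers (not from the article) to exercise the rules.
SAMPLE = ["CFO <cfo@example.com>", "CFO <cfo@examp1e.com>", "CFO <cfo@example.co>",
          "CFO <cfo@gmail.com>", "vendor@supplier.net"]
for header in SAMPLE:
    print(f"{classify_sender(header):9} {header}")
```

A "lookalike" or "personal" verdict on a message that requests a payment or a change of bank details is the trigger for the phone-call confirmation listed above.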

Use the proven technique for preventing BEC: the Business Email Compromise simulation

A real-time BEC simulation is an effective way of avoiding BEC scams. It makes your employees more aware of the threat and identifies the employees who are most at risk of falling for a BEC scam. In doing so, this method helps you reduce cyber risk and protect sensitive personal and corporate data.

Moreover, you should create network access rules and run a cybersecurity awareness program in your business environment. You must take every measure to verify the authenticity of fund requests sent through email. With these preventive measures, you can protect your organization from Business Email Compromise.

About NetSentries

NetSentries is an emerging leader in the Cyber Threat Management space. NetSentries provides a portfolio of security assessment, control validation, and defensive and detective security advisory services to enterprises. NetSentries is engaged with several business verticals, including Banking and Finance, Oil and Gas, Retail, Manufacturing, and Healthcare, to assess their current security posture and continuously improve resilience against targeted cyber-attacks. NetSentries works with several banks and FinServ companies to improve enterprise-wide security posture and meet compliance requirements from regulators.
