In 2023, it was revealed that an investment firm in Boston lost $1.25 million in a business email compromise (BEC) cybersecurity scam. Using a spoofed domain name, fraudsters impersonated directors and instructed a financial company to misdirect funds from the victim company’s account to a bank account controlled by the scammers.
Trustpair blocks the financial effects of BEC thanks to ongoing account validation and authentication. All suspicious transactions are blocked and risky data changes are spotted. Request a demo to learn more!
BEC in cybersecurity: what is it?
BEC is short for business email compromise. In the cybersecurity world, it is a method of fraud in which an attacker gains access to an email account, or spoofs an email address, in order to bypass security controls and either obtain information or defraud a business of funds.
How does BEC work?
BEC scams work in different ways. Generally, a fraudster either breaks into an email account directly or uses malware to move through the company network and infiltrate email threads.
Once the fraudster has access to the email threads, the attack itself may not occur until much later. They may spend some time observing email chains to see which employees are in charge of money, invoices, transactions, and more.
Additionally, they may pick up on words or trends that employees use in emails. This is so that later down the line if they are to send an email on behalf of an employee, they can make it seem genuine.
Once they have gathered the information they need, the fraudster may ask for payments to be made to accounts which they control.
Alternatively, fraudsters may register a lookalike domain and use a spoofed email address that closely resembles that of a senior figure in the company. From there, they may instruct those in charge of payroll or payments to redirect funds to a different account.
Reported BEC scam losses have increased by 58% since 2020.
What are the types of BEC?
- Data theft – this is usually the first step of a BEC fraud, and it can feed other types of fraud further down the line. The HR department is a common target: schedules and staff records are stolen to build a picture of the person who will later be defrauded, or personal and sensitive information is taken so the scammers can gain leverage over senior figures later on.
- CEO fraud – the attacker poses as the CEO or another senior figure and asks for a payment to be transferred to a bank account operated by the attacker.
- Account compromise – a member of the finance department is targeted and their email account is compromised; the scammers then use it to request that payments to vendors be sent to a new bank account that they control.
- Vendor email compromise – the criminals pose as a vendor, claim the vendor's usual account is unavailable, and ask for funds to be sent to an attacker-owned bank account instead. Alternatively, they may send a fake invoice whose details closely match the genuine vendor's, with only the bank details changed.
- Attorney impersonation – attackers break into a lawyer's email account and tell clients they must pay through a link, or send them a fake invoice that contains the details of a scammer-controlled bank account.
What are BEC examples?
Facebook and Google
The most renowned example of a BEC cybersecurity scam was a vendor email compromise (VEC) attack on Facebook and Google between 2013 and 2015.
The organizations lost around $121 million between them. Fraudsters impersonated Quanta Computer, a supplier both companies had done business with.
The scammers set up a fake company bearing the same name as Quanta Computer and used false invoices, fake contracts, and letters to confuse the organizations and dupe them into paying tens of millions into accounts run by the scammers.
One Treasure Island
One Treasure Island, a nonprofit based in San Francisco, fell victim to a business email compromise attack in 2021.
Hackers gained access to the bookkeeper’s email. Using spoofed email addresses, they inserted themselves into the email chains and pretended to be figures involved with the nonprofit.
They then found and adjusted an invoice from a member organization that had been sent to the executive director of One Treasure Island. The new invoice contained altered wire transfer instructions to a bank in Texas.
The organization lost $655,000 in the fraud attack.
BEC red flags
Here are some of the red flags of business email compromise and ways your business can prevent it.
By being aware of these methods and how you can combat them, your business can avoid:
- Financial damage
- Reputational damage
- Data leaks
Grammatical errors
If an email from a senior member of staff is littered with simple grammatical errors that they wouldn’t usually make, this should raise suspicions.
If you aren’t sure that it is legitimate, you should ring the employee or go and see them to double-check before making any transfer or payment.
Time sensitivity
If a member of your team receives an email or a text message from a colleague requesting an urgent transfer, this should raise alarm bells.
The sender may describe a serious situation, such as needing their salary paid early to cover a family medical bill, or a vendor needing to be paid quickly into a new account to secure their business. These are social engineering techniques used to complete BEC attacks.
Either go and see the member of staff or ring them to check the request is genuine. By making the situation urgent, the fraudster hopes that you will either skip the usual procedures to help them get it done or forget the correct process altogether.
Employees should be educated about the red flags of fraud such as business email compromise, and taught to always step back from the situation and think about it logically.
Unusual requests
Unusual requests that a member of staff may receive include:
- Being asked not to speak with other employees about the transfer
- Being asked to ignore normal methods – this may involve disregarding the normal process and instead sending a wire transfer directly
- Being asked to communicate over text rather than email – staff should have access to work phone numbers anyway. Scammers do this because texts can feel more trustworthy than emails.
Suspicious email addresses
One type of business email compromise relies on phishing emails. By using an email address that is deceptively similar to the ones staff members already use, or an incomplete email address, fraudsters try to get staff to redirect funds into an account they control.
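One way to turn this red flag into an automated check is to compare each inbound sender against the organization's own domains and executive names. The example below is added here and is not Trustpair's or the original article's code; the domain `example.com`, the executive names and the sample headers are all constructed for the illustration. It flags lookalike domains (within two edits of a trusted domain), executive display names arriving from an outside domain, and a Reply-To that points somewhere other than the From domain.

```python
from email.utils import parseaddr

# Constructed for this example: the organization's own domains and the
# executives whose names a fraudster might place in a display name.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_red_flags(from_header, reply_to=""):
    """Return a list of BEC red flags raised by a message's From/Reply-To headers."""
    flags = []
    display, addr = parseaddr(from_header)
    domain = _domain_of(addr)
    if domain not in TRUSTED_DOMAINS:
        # Lookalike domain: close to a trusted one but not equal, e.g. a dropped
        # or swapped letter, or a digit '1' standing in for the letter 'l'.
        for trusted in TRUSTED_DOMAINS:
            if 0 < levenshtein(domain, trusted) <= 2:
                flags.append(f"lookalike domain {domain!r} (near {trusted!r})")
        # An executive's name in the display name, but sent from outside.
        if display.strip().lower() in EXECUTIVE_NAMES:
            flags.append(f"display name {display!r} impersonates an executive "
                         f"from outside domain {domain!r}")
    if reply_to:
        reply_domain = _domain_of(parseaddr(reply_to)[1])
        # Replies silently routed to a different domain than the visible sender.
        if reply_domain and reply_domain != domain:
            flags.append(f"Reply-To domain {reply_domain!r} differs from "
                         f"From domain {domain!r}")
    return flags
```

A mail gateway or SIEM rule can route any message with a non-empty flag list to the finance team's verification queue rather than straight to the inbox.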
BEC prevention methods
Training
Ensure that staff are well educated on these methods, including unusual requests and phishing emails sent from suspicious addresses. They should also be trained on how to spot the fraud and what steps to take if they find themselves in such a situation.
Additionally, training should cover what to do if an employee has already been caught out by a fraud attempt, so that the incident is reported quickly.
Use a fraud prevention platform
Another prevention method for BEC cybersecurity attacks is to invest in a fraud prevention platform. For example, Trustpair's software blocks the financial implications of business email compromise.
The platform can do this thanks to ongoing account validation. The system blocks suspicious transfers and raises red flags when risky data changes are noticed.
Recap
BEC cybersecurity attacks involve fraudsters gaining access to an email address or using a spoofed email to redirect funds or gain valuable information. Alarm bells should ring if the emails contain grammatical errors, unusual requests, and suspicious addresses. Companies should educate and train staff about BEC scams and use fraud detection software like Trustpair.