How to prevent business email compromise

Business email compromise (BEC) scams have been increasing in prevalence and creativity over the past few years. For such a relatively low-tech kind of financial fraud, it has proven to be a lucrative scheme for scammers and it is not going away anytime soon.

According to the FBI’s latest Internet Crime Report (ICR), losses from BEC schemes amounted to almost $1.3 billion in 2018. This reflects twice the losses in 2017, which stood at $676 million. In 2019, it was reported that cybercriminals stole a total of $301 million per month through BEC scams — a considerable spike from the $110 million average in 2016.

What is business email compromise?

BEC scams — also known collectively as “CEO fraud” and “whaling” — are sophisticated rackets that target unsuspecting employees who are authorized to make wire transfer payments. Formerly known as man-in-the-middle (MitM) email scams, BEC scams involve cybercriminals compromising official business email accounts to conduct unauthorized fund transfers.

How does it work?

BEC scams begin with a fraudster gaining access to a business executive’s email account or to any publicly listed company address. Using phishing techniques, the attacker does a fair amount of research, then monitors the compromised account to determine which employees are authorized to make wire transfer payments.

The scammer also checks for businesses with executives who are traveling or organizations that have had a recent change in management in the C-suite or finance function. They use these circumstances as openings to execute the scheme.

BEC schemes are evolving

As awareness of BEC scams grows, the techniques and tactics used by fraudsters are also evolving. Previously, the most common BEC method was impersonation of the president or CEO of a company. It made up 33% of BEC attacks in 2017, but it declined to 12% in 2018.

Today, scammers have started impersonating individuals outside the organization. Recent findings show that the scam now typically involves fraudsters masquerading as realtors to trick targets into making bogus real estate transactions.

Manufacturing and construction are also becoming frequently targeted industries, and retail and restaurant businesses have seen a steady rise in BEC scams since 2018.

How can you protect your business from BEC scams?

BEC remains favored because it doesn’t require complex tools and skills — it only takes a convincing ruse to trick a potential target. To defend your organization from falling for BEC attacks, you must practice prudence and raise awareness within your organization. Here are some useful tips:

  • Always verify payment requests and fund transfers. All transactions, especially those that involve large amounts, should always be verified. Make sure to contact the supplier via a phone call and, if possible, get a secondary sign-off from someone higher up in your company.
  • Keep an eye out for red flags when it comes to business transactions. A change in bank account information with no prior notice is definitely a red flag and a possible BEC attempt. Your employees must be trained to scrutinize every email for suspicious signs. Some indications of a BEC email include unusual domains, unsolicited links, or changes in email signatures.
  • Train your employees. Your employees are your biggest asset, but they’re also usually the weakest link when it comes to security. Train them regularly so they develop and practice good security habits. Training staff can go a long way in protecting your company.
  • Stay updated on your customers’ habits. Details and reasons behind payments must be clear and current. Be sure to confirm money transfer requests and use phone verification as part of multifactor authentication (MFA).
  • Report suspicious activity immediately. If you suspect that you are being or have been targeted, report the incident to law enforcement or file a complaint with the IC3.
  • Invest in email security. BEC scams are expected to multiply and evolve. As such, you should set up a multilayered defense system to mitigate the risks that BEC scams pose. You can begin by partnering with an experienced managed services provider (MSP) like USWired to help you understand more about email threats such as BEC and keep you safe against them.
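The red flags in the checklist above (an unfamiliar or lookalike sender domain, a changed bank account, unsolicited links) can be screened for automatically before a payment request reaches an approver. This is an added example, not code from the USWired post; it assumes finance maintains a list of known supplier domains and the bank account on file for each supplier, and all sample data is constructed.

```python
import difflib
import re
from dataclasses import dataclass

# Constructed reference data that finance would normally maintain (not from the post).
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind.example"}
BANK_ON_FILE = {"acme-supplies.example": "GB29NWBK60161331926819"}  # sample IBAN

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
URL_HOST_RE = re.compile(r"https?://([\w.-]+)", re.I)


@dataclass
class Email:
    sender: str
    body: str


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str):
    """Known supplier domain that this unknown domain closely resembles, else None."""
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return None
    close = difflib.get_close_matches(domain, KNOWN_SUPPLIER_DOMAINS, n=1, cutoff=0.8)
    return close[0] if close else None


def screen(email: Email) -> list:
    """Apply the checklist's red flags; a non-empty list means hold the payment and verify by phone."""
    flags = []
    domain = sender_domain(email.sender)
    look = lookalike_of(domain)
    if look:
        flags.append(f"sender domain {domain} resembles supplier {look}")
    elif domain not in KNOWN_SUPPLIER_DOMAINS:
        flags.append(f"sender domain {domain} is not a known supplier")
    # A bank account that differs from the one on file is the classic BEC tell.
    on_file = BANK_ON_FILE.get(look or domain)
    for iban in IBAN_RE.findall(email.body):
        if on_file and iban != on_file:
            flags.append("bank account in email differs from account on file")
    # Unsolicited links that point away from any known supplier domain.
    for host in URL_HOST_RE.findall(email.body):
        if host.lower() not in KNOWN_SUPPLIER_DOMAINS:
            flags.append(f"link to unexpected host {host}")
    return flags
```

Any flagged message should go through the phone verification and secondary sign-off described above rather than being paid on the strength of the email alone.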

USWired’s email and spam protection solutions protect your business from email-borne threats and data leaks by managing and filtering all inbound and outbound email traffic. Call us today to learn more and get started.
