Business email compromise (BEC) is a form of email fraud in which attackers impersonate top-level executives to redirect funds and steal valuable data from organizations.
At the low end of the scale, BEC scams require no sophisticated technical skills from the attacker. Ordinary email is the main tool used to defraud businesses of large sums of money.
BEC is a largely unrecognized threat that is emerging across the globe. Attacks have targeted everyone from individuals to large corporations.
In 2017, the US Federal Bureau of Investigation (FBI) reported that 22,143 victims worldwide had fallen for BEC scams since January 2015. The FBI also assessed that BEC scams increased by 1,300% between January 2015 and June 2016.
BEC scams take different forms; the most common are:
- CEO fraud – the classic BEC scam, in which an attacker compromises the email account of the Chief Executive Officer or another top-level executive and requests a funds transfer from the employees who control those funds into the attacker’s account.
- The bogus invoice scam – the attacker compromises the email account of a supplier and sends fake payment requests to its customers, with the attacker’s banking details substituted. This is common in businesses with foreign suppliers.
- Lawyers’ impersonation – attackers impersonate the law firms that handle valuable and classified information for the target company. The fraudsters typically request a funds transfer and label the request ‘classified’.
- Data theft – this type of BEC scam is usually a stepping stone to larger fraud. It involves requesting sensitive information and personal data from employees in departments such as Human Resources and Accounts.
- Compromised contacts – business or organizational contacts that have previously received payment requests are themselves hacked, and their accounts are used to send further payment requests.
The processes behind the various types of BEC scam differ in complexity; some require more advanced technical expertise than others.
Noteworthy instances include the use of malware to attack businesses and the setting up of one-time-use Gmail accounts for impersonation.
BEC attacks can be perpetrated by anyone from anywhere in the world, which makes the funds difficult to trace. The proceeds are then laundered to cover the attackers’ tracks.
In order to prevent BEC scam attacks, several solutions are available for organizations to implement.
For impersonation scams (CEO fraud, lawyers’ impersonation, and the bogus invoice scam), organizations should adopt policies that require additional identity verification before acting on a request, such as confirmation by phone call or, better still, face to face.
Good anti-malware software and email authentication technologies such as DMARC, SPF, and DKIM should be in place to help protect against BEC.
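As an added example (not code from the original article), the following Python check parses a domain’s SPF and DMARC TXT records and flags settings that still let spoofed mail through, such as an SPF softfail or a DMARC policy of p=none. The domain name and records are constructed for illustration; no DNS lookup is performed.

```python
"""Flag SPF and DMARC settings that leave a domain open to sender spoofing."""
import re
from typing import Dict, List, Optional

# Constructed sample TXT records for a hypothetical domain (no DNS query is made).
SAMPLE_RECORDS = {
    "example-corp.test": "v=spf1 include:_spf.mailprovider.test ~all",
    "_dmarc.example-corp.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.test",
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism (+, -, ~, ?) or None if absent."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' means '+all' (pass everything)

def assess_domain(spf_record: str, dmarc_record: str) -> List[str]:
    """Return findings describing weak anti-spoofing settings; empty means hardened."""
    findings = []
    if not spf_record.lower().startswith("v=spf1"):
        findings.append("SPF: no valid v=spf1 record")
    else:
        q = spf_all_qualifier(spf_record)
        if q is None or q in ("+", "?"):
            findings.append("SPF: 'all' mechanism missing or permissive; unlisted senders pass")
        elif q == "~":
            findings.append("SPF: softfail (~all); spoofed mail is only marked, not rejected")
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: no valid v=DMARC1 record")
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised policy '{policy}'")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings

if __name__ == "__main__":
    for finding in assess_domain(SAMPLE_RECORDS["example-corp.test"],
                                 SAMPLE_RECORDS["_dmarc.example-corp.test"]):
        print(finding)
```

The hardened target is an SPF record ending in -all together with a DMARC policy of p=quarantine or p=reject, so that mail failing authentication is not simply delivered to the inbox.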
As developers improve anti-malware technologies, attackers also improve their techniques. This makes BEC a continuing tug of war, so email users must stay alert to the possibility of being targeted.