Email security is a top-of-mind concern for many organizations, with business email compromise (BEC) gaining prominence as one of the lethal tactics adopted by cybercriminals to attack enterprises. Law enforcement agencies worldwide have been keeping a close watch on BEC scams as a result of the increasing losses year on year. According to the Federal Bureau of Investigation (FBI), BEC has incurred nearly $12.5 billion losses to companies as of 2018. On average, one successful BEC attack can cost the company $130,000. We reported the number of BEC attacks in 2018 increased by 28 percent globally.
Falling victim to a BEC scam has long been a problem that generally arises from human negligence and our natural inclination to do what someone in authority asks of us. Because these scams do not have any malicious links or attachments, they can evade traditional detections. These two factors make BEC a persistent threat for enterprises. Before we delve into what measures an enterprise need to take to mitigate risks associated with BEC, it is important to know how it works.
At the core of it, BEC is a form of spear phishing where an attacker, by pretending to be a high-ranking executive – usually the CEO, attempts to trick a victim – usually the CFO – into paying a fraudulent invoice. To do so, fraudsters carefully research and closely monitor the potential target victims – both the spooked executive and the one issuing the payment – and their organizations. The tone of the email is usually urgent.
It is also observed that most BEC attempts happen in countries with established business hubs and those that see a lot of multinational business operations.
BEC persists and new trends arise
In India, some 1.5 billion email threats were blocked by us in 2018. BEC, as a form of email-based scam, remains a very potent and lucrative means of funneling money from companies. As per our security predictions for 2019, BEC scammers will target employees further down the company hierarchy this year, for example, secretaries or executive assistants.
In what appears to be a product of masterful social engineering, BEC scammers are also reportedly using domestic money mules recruited via confidence or romance scams. After grooming these victims, scammers will trick them into opening accounts that will only be used for short term, presumably to avoid being tracked by the authorities. Another phenomenon noticed is that some BEC victims are tricked to purchase gift cards. In this BEC variation, a cybercriminal posing as a person in authority may send a spoofed email, phone call, or text to a victim, requesting to buy gift cards for personal or business purposes.
Gearing up against BEC threats
Businesses are advised to stay vigilant and educate employees on how not to fall victim to BEC scams and other similar attacks. It’s true that cybercriminals usually prefer big companies but there’s little guarantee that small and medium-sized enterprises won’t get hit. For one thing, smaller companies tend to have less robust security infrastructure in place.
Here are some tips on how to stay protected and secure:
- Be wary of irregular emails that are sent from C-suite executives authorizing an urgent payment. Look for discrepancies in the email address, the way it is written, the sign-off, and more. Review past emails that request transfer of funds to determine if this one is irregular.
- Cybersecurity awareness training and enforcing best practices against email threats can help employees stay alert and not fall prey to these attacks.
- Verify any changes in vendor payment details by using a secondary sign-off by company personnel.
- Stay updated on your customers and vendors’ habits, including the details, and reasons behind payments.
- Confirm requests for transfer of funds when using phone verification as part of two-factor authentication, use known familiar numbers, not the details provided in the email requests.
- If you suspect that you have been targeted by a BEC email, report the incident immediately to law enforcement or file a complaint with the cybercrime department.
Organizations should consider using a multilayered identification process for transferring resources and invest in smart email protection. There are advanced security technologies available now that can prevent users and organizations from falling for BEC attacks. For example, by studying and learning the unique ways executives compose their emails, a new AI-based technology is able to pick up on tiny details that set authentic emails apart from fraudulent ones, leading to better detection of BEC scams.
BEC is here to stay, with Gartner predicting that through 2023, business compromise attacks will be persistent and evasive, leading to large financial fraud losses for enterprises and data breaches for organizations.
(Authored by Nilesh Jain, vice president, Southeast Asia and India, Trend Micro)