Business email compromise (BEC) is a type of email fraud. In the most common scenario, an employee receives an email purporting to be from a company executive requesting that a payment be made to a specific client or account.
According to the FBI, losses caused by BEC scams surpassed $1.86 billion in 2020.
Business email compromise (BEC) occurs when a cybercriminal sends an email specifically designed to mimic a legitimate request from a known source.
Commonly, the email is an urgent request for funds from the CEO or other high-ranking executive, instructing the employee to transfer money from a corporate account.
In reality, the email comes from a criminal who has hacked the CEO’s account information or spoofed their email address to make it look legitimate. Language such as “We need this funding immediately to close this deal” or “I know I can trust you to get this done right away” is often used to add a sense of urgency.
Clicking “Reply” to such an email will send the response directly to the scammer. And of course, any funds sent by the email recipient will end up in the scammer’s account.
According to the FBI’s 2020 Internet Crime Report, BEC scams are the costliest scam of all. Losses emanating from 19,000 reports of these scams reached a total of nearly $2 billion—more than the combined losses from the next six costliest types of cybercrime combined.
According to the Association for Financial Professionals, 74% of organizations were targets of payment scams in 2020.
And with more employees working remotely due to the ongoing Covid-19 pandemic, criminals are broadening their avenues of attack. According to the FBI, the scams have evolved to include requests for W-2 information, instructions for wire transfers to fake real estate title companies, and demands to send large numbers of gift cards.
While all sectors are vulnerable to attack, government entities are particularly at risk, because of the detailed information required by U.S. transparency regulations. With easy access to names and details about executives, vendors, policies and contractors, criminals can customize their attacks to make them more believable.
In one case reported by the FBI, $1.6 million was stolen after a government official received an email with new instructions that came from a legitimate vendor email address, but was actually sent by a criminal. In another, a city government office received a spoofed email, supposedly from a known contractor requesting a change in payment method. This scam cost the city $3 million.
Your first line of defense is employee education that covers spam, phishing and social engineering—the leading techniques used for BEC. Workers at every level of your organization should understand the prevalence of BEC and what to look for, including urgent requests, typos and suspicious attachments.
Employees with any concerns about an email should call the sender directly using a confirmed corporate phone number – not a phone number within the email.
Staff should be aware that reusing passwords is another common cause of BEC. Using the same password for work accounts and Facebook, for example, could lead to email compromise if Facebook undergoes a data breach that exposes passwords.
A reliable multilayered security solution is also a must. In addition to endpoint security, make sure you have email protection against spam, phishing and malicious attachments. Having the capacity for rules-based filtering and email quarantines can also help block unsolicited email and suspicious emails—even those with spoofed sender addresses.
Implementing multifactor authentication will help prevent unauthorized access to your network and reduce the chance of fraud if employees reuse passwords or work credentials are stolen.
If you’re using cloud-based apps, implementing ESET Cloud Office Security adds email protection as well as safeguarding sensitive info such as vendor lists or legal contracts stored in the cloud.
Contact your financial institution immediately and request that they contact the financial institution where the transfer was sent.
Next, contact your local FBI field office to report the crime and file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
Protect your organization against BEC scams by using ESET multi-layered endpoint security solutions, including LiveGrid® protection via the cloud and network attack protection, and the cloud-based ESET PROTECT console, to give your admins full, detailed network visibility, 24/7.
