What is BEC?
Also known as email account compromise (EAC), business email compromise exploits our reliance on email for business and personal use. BEC attacks are effective because they’re simple. A hacker just has to send an email and hope they trick an employee or even a CEO.
Many exploits begin with an attacker using a social engineering scam intended to trick a C-suite target into downloading malware, clicking on an infected link, or visiting a compromised website to get control of their account. Once accessed, hackers send emails to other people in the company requesting a wire payment.
Anti-virus and email filtering technologies fail to flag the email as malicious. Equally important, the recipient(s) get spoofed into believing the email is genuine because it comes from a boss or trusted contact.
For example, you receive a message from your manager telling you to order gift cards for clients. Or a bogus invoice comes from a vendor you’ve worked with for years asking you to pay an invoice. Unfortunately, the message is fake, and you send the payment to a cybercriminal instead.
In many instances, a hacker spoofs a domain or email. For example, the attacker slightly changes a legitimate email — john.reagor@samplecompany.com vs. john.raegor@samplecompany.com. Spoofing increased more than 220% last year.
Types of BEC Attacks
According to a GreatHorn report, spoofed email accounts or websites lead the pack as 71% of organizations acknowledged they had seen one over the last year. As a matter of fact, 61% of organizations received a vendor email compromise this quarter, according to Abnormal Security.
The FBI has identified five BEC variants:
- CEO Fraud: Attackers impersonate a CEO or other c-suite professional and target employees with requests for payments.
- Account Compromise: An employee’s email account gets comprised. Attackers then use their contacts to request payments.
- Bogus Invoices: Cybercriminals impersonate suppliers and request fund transfers and payments.
- Data Theft: Hackers gain access to sensitive data by compromising human resource or administration departments.
- Attorney Impersonation: Less common, attackers impersonate an attorney to gain confidential information.
Nearly 50% of BEC attacks stem from spoofing an individual’s identity – 68% use company names, 66% use names from individual targets, and 53% use the name of a boss or manager.
The most common BEC scam targets invoice or payment fraud, with the average amount requested hitting $75,000 by the end of last year. In addition, roughly 62% of scams involve a request for a gift card, cash app transfer, or money card.
Business Email Compromise Gets Overlooked as a Cybercrime
Ransomware tops the list when you begin to think about cybercrime. But BEC attacks represent a multi-billion dollar business, accounting for 43% of cybercrime in 2020. In fact, the Federal Bureau of Investigations Internet Crime Complaint Center (FBI IC3) fielded 19,369 complaints with an adjusted loss of approximately $1.8 billion. That figure represents the highest total losses by victims. And the threat continues to grow.
Indeed, most BEC attacks are limited in scope to the one CFO in your organization or a small group of individuals in the finance department. As a result, threat actors need only target a handful of people to succeed.
BEC attacks have no boundaries when it comes to company size. For example, smaller organizations with less than 500 employees have a 42% probability of attack weekly. On the other hand, that figure climbs to as high as 70% for medium-sized companies.
How to Prevent BEC Attacks
Layered security and cyber awareness training present your best weapons against business compromise attacks. Here are some approaches you can use to reduce your risks:
Careful Examination
Before you click on anything, review the email address, URL, and spelling. If someone asks you to update or verify account information, research the company or call to confirm they’re legitimate.
Multi-Factor Authentication
MFA blocks a great many security risks. If you haven’t deployed it, do it now.
Secure Email Gateway
A secure email gateway acts as a firewall for your email to prevent spam, malware, and viruses from being delivered via email. In addition, it will detect a spoofed domain from an attacker and block BEC scams from being delivered more often than not.
Post-Delivery Protection
Post-delivery protection uses machine learning and artificial intelligence to monitor networks for malicious activity. It detects potential threats like multiple failed login attempts as well as unusual locations or times for emails. Users can also report emails as suspicious.
Cyber Awareness
Cyber awareness training represents one of your most cost-effective and efficient ways to mitigate malicious emails and phishing attacks. Training helps employees identify what a phishing attack looks like and instills a sense of security throughout your organization. You can also take advantage of simulations to test employees on their awareness.
Identity and Access Management
IAM helps prevent attackers from gaining access to your accounts in the first place. IAM involves multi-factor authentication, sound password management, authenticating user credentials, and more. It provides a granular level of security that defines and enforces how individuals access systems and data.
How IntermixIT Can Help
We take cybersecurity personally. Our cybersecurity services ensure your security with a layered approach that includes IAM, MFA, endpoint detection and response, SIEM, a security operations center, and more. We can also deliver award-winning cyber awareness training.
If you’re looking for an IT company in Harrisburg, York, Lancaster, and surrounding areas with the knowledge and expertise to support your small or mid-sized business, get in touch. Our array of IT support services will help drive your IT success.