Business email compromise (BEC) is the act of hacking or impersonating a corporate email account to defraud company staff or clients of their money and sensitive data. Such attacks are a popular form of cybercrime, comprising nearly half of the $3.5 billion in cybercrime-related losses during 2019.
2020 saw a rise in this trend, with invoice and payment frauds spiking as criminals leveraged the uncertainties surrounding COVID-19.
With their large payoffs for little effort, BEC schemes show no signs of slowing. We break down how the process works, how to spot and prevent such attacks, and how Terminal B’s solutions can help.
How BEC attacks work
BEC attacks typically employ social engineering tactics, where the attacker impersonates someone the recipient would trust, such as a manager or colleague. They then trick the victim into sending money to the attacker, whether by a direct request for a payment transfer, by diverting payroll, or by changing the bank account details held on file (replacing them with the attacker’s offshore account) so that future payments go to the attacker.
In more extreme cases, the hacker may actually breach the victim’s email account, making it easier to defraud their targets. This is known as email account compromise (EAC) and is a growing tactic amidst the rise of BEC attacks.
Both methods are difficult to spot and prevent due to the use of increasingly sophisticated impersonation techniques. However, the right security tools, habits, and practices can effectively minimize the risk of such threats in the workplace.
How to spot a BEC attack
Since BEC attacks rely on spoofing a trusted sender’s email address, keeping a lookout for lookalike domains is an easy way to spot such tactics. With the high volume of email most people receive, however, these can easily fly under the radar.
It’s thus important to look out for other common red flags, including sudden requests for payroll diversions, last-minute wire transfers, and messages whose tone or wording departs noticeably from the sender’s usual writing style.
Keywords such as “urgent,” “sensitive,” and “secret” are often used in fraudulent emails regarding payment transfers, so it’s also best to keep watch for such terms.
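The red flags described above (lookalike sender domains, urgency terms, and payment or bank-change requests) can be scripted into a simple mailbox triage check. The following is an added Python example written for this article, not code from the article or from Terminal B; the trusted domains, sample messages, homoglyph table and edit-distance threshold are constructed assumptions.

```python
import re
from typing import List, Optional
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}  # constructed, hypothetical
# Terms the article flags in fraudulent payment mail, plus payroll/wire/bank-change requests.
URGENCY_TERMS = ("urgent", "sensitive", "secret")
PAYMENT_PATTERNS = (r"wire transfer", r"divert\w*.{0,20}payroll",
                    r"new bank account", r"updated? (bank|account) details")
# Characters that look alike on screen; normalising them exposes lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a"})

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain this sender domain imitates; None if legitimate or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = domain.translate(HOMOGLYPHS).replace("rn", "m")  # "exarnple" -> "example"
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or levenshtein(norm, trusted) <= 2:
            return trusted
    return None

def score_message(sender: str, subject: str, body: str) -> List[str]:
    """Red flags found in one message; an empty list means none were found."""
    flags = []
    domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"lookalike domain {domain} imitates {imitated}")
    text = f"{subject} {body}".lower()
    flags += [f"urgency term '{t}'" for t in URGENCY_TERMS if re.search(rf"\b{t}\b", text)]
    flags += [f"payment request /{p}/" for p in PAYMENT_PATTERNS if re.search(p, text)]
    return flags

SAMPLE_MESSAGES = [  # constructed sample mail, not real messages
    ("cfo@exarnple.com", "URGENT wire transfer", "Handle this sensitive wire transfer today; keep it secret."),
    ("billing@acme-supp1ier.com", "Invoice 4471", "We have updated bank details; pay into the new bank account."),
    ("alice@example.com", "Lunch", "Team lunch on Friday?"),
]
for sender, subject, body in SAMPLE_MESSAGES:
    print(sender, "->", score_message(sender, subject, body) or "no flags")
```

Flags are a prompt for a human to verify the request through a known-good channel, not a verdict; legitimate mail can trip the keyword checks.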
Types of BEC attacks
According to the FBI, there are three main types of BEC attacks. These are:
- The bogus invoice scheme, in which attackers impersonate a company’s trusted supplier and request that funds be wired to a fraudulent account. This is also referred to as “the supplier swindle” or the “invoice modification scheme.” In the third quarter of 2020, the frequency of these attacks rose by a whopping 155% from the previous quarter, placing it among the most pervasive BEC tactics of recent months.
- Impersonating high-level business executives, such as CEOs, CFOs, etc. In this method, executive accounts are spoofed or hacked, and employees (or in some instances, financial institutions) are asked to perform wire transfers to the criminal’s bank account. This is also known as “CEO fraud,” the “business executive scam,” or “financial industry wire fraud.”
- The email account compromise (or EAC), in which attackers hack an employee’s actual email account and request that invoice payments be made to fraudulent bank accounts under the guise of trusted vendors. A business may not be aware of such payments unless its vendors contact it about the status of their invoice payment.
Best practices for protection