BEC, or Business Email Compromise, is a contemporary twist on a staple scam.
Often overshadowed by the more extravagant, media-friendly mega-breaches and ransomware outbreaks, BEC leads the field in both the number of victims and the direct losses incurred by businesses.
Although not as en vogue as other ‘nouveau’ cybersecurity threats, if you look simply at direct business costs, BEC leaves almost every other cyberattack in the dust. And there are a couple of reasons why.
Unlike viruses, Trojans and worms, there isn’t an abundance of software, firewalls or preventative measures that can protect you. The scammers are leveraging social engineering rather than technical exploits. The scam itself is the oldest trick in the book, a simple act of deception, and it is usually only uncovered once the attacker has made off with your hard-earned money.
There are typically three varieties of this scam, as outlined previously in this Tripwire article. The basic premise is that the attacker is pretending to be someone he or she is not (usually an executive at the company) and is pressuring lower-level employees to hand over sensitive information or money under the pressure of an artificial deadline.
The attack usually arrives as a bogus invoice, a message sent from a genuinely compromised employee account, or a spoofed or look-alike sender address that can be exceptionally hard to tell from the real one.
I imagine all of this seems very low-brow and benign after the sophistication and technical nuance of many of the cyber-attacks we saw throughout 2017. However, the numbers are real, and the sums are extremely large. Facebook and Google lost an eye-watering $100 million-plus between them. Luckily for the big players, they had the clout to recover most of it; you probably won’t be so lucky.
The FBI puts exposed losses at more than $5 billion over the three-year period from October 2013 to December 2016 (its previous estimate, issued in 2016, was $3.1 billion). The scam was reported over 40,000 times, from 131 countries and all 50 US states. Recent numbers indicate a 2,370 percent increase in identified exposed losses between January 2015 and December 2016, and 96 percent of surveyed companies report having encountered BEC attempts, at an average of 46 attempts per company.
To put it simply, BEC is everywhere, and it’s growing.
Business Email Compromise is so effective because it doesn’t carry a malicious payload: there is no attachment to detonate and no link to a malware download, so conventional, signature-based email security usually has nothing to detect. Trust, authority and familiarity alone are producing billion-dollar losses. These attacks are exceptionally well thought out and structured. This is not an email blast with malware attached but a piece of reconnaissance that the scammers carry out over weeks or months.
Attackers could be reading email at your company right now, mapping everyone’s position and role, and building a profile of who talks to whom, and how, so that they can mimic those interactions convincingly.
And if you think these attackers only target big business, you are wrong. You can easily fall victim to BEC if you follow poor security habits while doing fairly basic transactions online. Stories of people losing their housing deposit or their lawyers’ fees are common, with attackers impersonating law firms and issuing invoices carrying their own bank details.
Small businesses are usually the easiest targets, because they typically have one person handling many transactions and, more than likely, no formal approval process.
How do I stay protected from a business email compromise scam?
This is the key question. If you rely solely on the old staple of protective software, your defences against BEC will be found wanting. Implementing a multi-layered approach is usually the best strategy:
Step 1: Teach your employees to scrutinize emails. They should be wary of irregularities in branding and signatures, typos and changes in writing style, and they should check the actual sender address and any Reply-To address, not just the display name, against what they expect. The biggest red flag of all is a request to change the bank account a payment goes to. Standard rules apply; employees are your first line of defense, so train them properly.
Step 2: Simple process change: any request to move money or to change payment details now needs a second, out-of-band approval. An emailed invoice or account change must be confirmed by a phone call (or fax) to the requester, using the number you already have on file, never one supplied in the email. This is the control that defeats both the spoofed-address and the compromised-account variants, because the attacker controls the mailbox but not the phone on the other end.
Step 3: Use digital signatures: with S/MIME certificates or PGP keys, you can be sure that a message was produced by the holder of the signing key. Your mail client will usually indicate this with a notification such as “This message was digitally signed by …”. Two caveats: a signature only helps if staff notice when a message that should be signed is not, and it offers no protection when the sender’s own account and key have been compromised.
Step 4: Tighten up all email correspondence: be exceptionally strict with your spam filtering, mark mail from outside the organization as external, use your whitelist sparingly, and publish SPF, DKIM and DMARC records for your own domain so that mail claiming to come from you but failing those checks is rejected rather than delivered.
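As an added example, not code from the original article or from the author’s company, the following script turns the Step 1 red flags into a triage check that can be run over inbound mail before an invoice reaches the person who pays it, and applies the Step 2 rule by holding anything that asks for a bank-detail change or trips more than one indicator. The organization domain, the executive directory and the three sample messages are all constructed for illustration; the domain-distance threshold and keyword lists are assumptions a real deployment would tune.

```python
"""BEC triage heuristics (added example; sample data is constructed).

Indicators implemented (all assumptions for illustration):
  * sender domain is a look-alike of our own domain (edit distance <= 2)
  * display name matches a known executive but the address is not theirs
  * Reply-To domain differs from the From domain
  * urgency / secrecy language in the body
  * request to change bank account or routing details
"""
from email import message_from_string
from email.utils import parseaddr
import re

ORG_DOMAIN = "example-corp.com"                         # assumed: our domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # assumed directory
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential|wire)\b", re.I)
ACCOUNT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(account|bank|iban|routing)\b", re.I)


def levenshtein(a, b):
    """Edit distance; cheap enough for domain-vs-domain comparisons."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def bec_indicators(raw_message):
    """Return the list of red flags found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_dom

    # 1. Look-alike of our own domain (examp1e-corp.com, example-corp.co ...)
    if from_dom != ORG_DOMAIN and 0 < levenshtein(from_dom, ORG_DOMAIN) <= 2:
        findings.append(f"look-alike domain {from_dom!r}")
    # 2. Executive's display name on an address that is not the executive's
    canonical = EXECUTIVES.get(name.strip().lower())
    if canonical and addr.lower() != canonical:
        findings.append(f"display name impersonates {canonical}")
    # 3. Replies silently routed to a different domain than the sender
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom!r} differs from sender")
    # 4/5. Content checks; samples are single-part, so the payload is text
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENCY.search(body):
        findings.append("urgency language")
    if ACCOUNT_CHANGE.search(body):
        findings.append("bank account change requested")
    return findings


def triage(raw_message):
    """Step 2 policy: hold for an out-of-band call on any account change,
    or when two or more indicators fire."""
    flags = bec_indicators(raw_message)
    if any(f.startswith("bank account") for f in flags) or len(flags) >= 2:
        return "HOLD: confirm by phone on the number already on file"
    return "DELIVER"


# Constructed samples: a spoofed look-alike, a clean vendor invoice, and a
# message from a genuinely compromised executive mailbox (headers look clean).
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: accounts@example-corp.com
Subject: Supplier payment
Reply-To: jane.ceo@mail-example.net

Need this wire sent today, confidential. The supplier has a new bank account, details below.
"""

SAMPLE_LEGIT = """From: Bob Vendor <bob@trusted-supplier.example>
To: accounts@example-corp.com
Subject: Invoice 1042

Please find attached invoice 1042, payable on the usual 30-day terms.
"""

SAMPLE_COMPROMISED = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Supplier payment

Please wire the outstanding balance immediately; the supplier changed their routing number, details below.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT),
                          ("compromised", SAMPLE_COMPROMISED)):
        print(label, triage(sample), bec_indicators(sample))
```

The compromised-account sample is the instructive one: every header check passes, because the mail really did come from the executive’s mailbox, and only the content checks fire. That is why the script defers to the phone call rather than trying to decide on its own, and why no filter replaces Step 2.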
About the Author: Sean Allan is from the Aware Group, a Technology company witnessing the continued rise of cyber threats across industries.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.