We’ll cover what BEC scams (Business Email Compromise scams) are, how they work, what you should look for, and what to do about them, including:
Here’s how BEC scams work: Business Email Compromise (BEC) scams occur when fraudsters use spoofed or hijacked email accounts to impersonate trusted contacts—like vendors or senior executives—asking employees to wire payments or make purchases under false pretenses.
According to the FBI, BEC scams led to more than $26 billion in business losses worldwide from 2016 through 2019—or more than $700 million per month. Then along came 2020. So far this year, BEC attacks have been proliferating at an ever-increasing rate. As of May 31, the bureau’s Internet Crime Complaint Center (IC3) reported that the total volume of advanced email attacks had already exceeded all of 2019.
There are three primary drivers behind these underlying trends.
Once known primarily as “CEO Fraud,” BEC can now more accurately be described as a broad category of email-based attacks designed to pilfer money from corporations. Popular scams include:
Regardless of the form of attack, BEC scams use identity deception to convince recipients to take action under the mistaken belief they are responding to a legitimate request from a trusted individual or organization.
Lookalike domains, spoofing, display-name deception and messages sent from hijacked email accounts are just a few of the mechanisms cybercriminals use to send malicious emails that are virtually indistinguishable from legitimate email messages from known senders.
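As an added illustration (not code from the original article), the following Python checks a message’s From and Reply-To headers for three of the header-level signals just named: a protected display name on an address outside the organization, a lookalike of a trusted domain, and a Reply-To pointing somewhere other than the sending domain. The trusted domains, protected names and sample messages are constructed for the example.

```python
from email.utils import parseaddr
# Constructed: the organization's domains and the display names attackers
# most often borrow (senior executives, finance mailboxes).
TRUSTED_DOMAINS = {"example.com", "partner-vendor.com"}
PROTECTED_NAMES = {"jane doe", "accounts payable"}

def levenshtein(a, b):  # edit distance; a 1-2 character change is a classic lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, else None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    # Fold common homoglyph swaps (rn->m, 0->o, 1->l) before comparing.
    folded = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or levenshtein(domain, trusted) <= 2:
            return trusted
    return None

def assess(headers):
    """List the deception signals in one message's From/Reply-To headers."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if name.lower() in PROTECTED_NAMES and domain not in TRUSTED_DOMAINS:
        findings.append("display-name deception")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike domain of {imitated}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("reply-to domain mismatch")
    return findings

# Constructed messages, one per signal plus a clean baseline.
SAMPLES = {
    "legit": {"From": "Jane Doe <jane.doe@example.com>"},
    "display_name": {"From": "Jane Doe <ceo.urgent@gmail.com>"},
    "lookalike": {"From": "Billing <ap@exarnple.com>"},
    "reply_to": {"From": "Jane Doe <jane.doe@example.com>",
                 "Reply-To": "jane.doe@mail-relay.net"},
}
```

A message sent from a genuinely hijacked trusted account with no Reply-To trick returns the same empty result as the clean baseline, which is why header checks alone cannot catch account-compromise cases.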
At the same time, BEC phishing messages sent from G-Suite, Office 365 and other cloud-connected email and services fly past traditional security controls due to the reputation and pervasiveness of these popular platforms.
Then there are the emails themselves. Instead of the spray-and-pray spam emails of old, the email messages these fraud rings send are flawlessly researched and exquisitely personalized using context-relevant information. This can be as simple as a late-afternoon query from a senior executive who’s “stuck in a Zoom call” and needs an employee in accounting to wire an overdue payment to a new vendor.
These kinds of subtle mind games are effective at throwing recipients off kilter—especially with so many eager to demonstrate responsiveness to a key executive while working from home. Far too many will follow through on such requests before thinking to confirm the legitimacy of the message. In recent simulations, phishing awareness training firm KnowBe4 found that one-third of employees will obey a fraudulent email request, no questions asked.
Here are a few things you can do to stop BEC scams from attacking your company:
Unfortunately, doing only one of these independently of the others probably won’t be enough to protect you. Here’s why.
Lookalike domains and spoofed email addresses are hard enough to spot. Factor in malicious emails sent from pirated email accounts belonging to trusted suppliers, and the challenges grow exponentially.
Oh, and email account compromise (EAC) attacks launched from accounts belonging to a company’s own senior executives? That’s its own special nightmare. Most traditional email controls don’t even scan internal email.
But while phishing awareness and business email compromise training is always a good idea, relying exclusively on a human firewall to spot signs of BEC and report suspect emails to the security operations center (SOC) isn’t realistic.
BEC scams, by sheer volume and inventiveness, account for as much as 40% of all cybercrime business losses each year. And our own research has found that 60% of employee-reported email scams are false positives, burying SOC analysts under more reported email attacks than they can possibly handle.
Instead, layered security and accounting controls are required given the enormity of the threat.
In addition to tightened payments processes, organizations will need to deploy modern, identity-based phishing defenses with tools and solutions for blocking even the most sophisticated, socially engineered BEC attacks—including those launched from internal email accounts. And continuous detection and response technologies are required to sniff out and automatically remove malicious emails that do manage to avoid early detection.
The cost of doing nothing to stop BEC scams is rising—sometimes in unexpected ways. As National Law Review reports, courts and regulatory bodies are increasingly bringing enforcement actions against organizations that fall victim to such attacks, citing negligence and recklessness in failing to adequately address BEC scams and other advanced email threats that could have been avoided.
Want to learn how companies like Allergan, Comcast, Informatica and others defend themselves against BEC scams and other advanced email threats? See for yourself with a simulated product demo for Agari Phishing Defense.