What Is Business Email Compromise and How to Stop It
Key Points:
- Business email compromise (BEC) is a scam that targets organizations that have many suppliers and regularly conduct wire transfers.
- BEC attackers heavily rely on social engineering tactics to trick unsuspecting executives and employees into executing a fraudulent wire transfer.
- The criminals hunt for your business email credentials to study how your business operates before launching the attack.
The FBI has issued a bulletin about business email compromise (BEC), which is becoming a more significant issue. The scam is a growing concern because it exploits the fact that many businesses run their day-to-day operations over email.
In the BEC scam, cybercriminals send fake email messages posing as:
- Your regular vendor sending an invoice with an updated email address
- Your company’s CEO asking an assistant to buy several gift cards to send out as employee rewards — the imposter might ask for serial numbers pretending they want to send them out right away
Several organizations unaware of business email compromise have been hit, some to the tune of $800,000. What is more concerning is how expensive a single incident can be.
How Business Email Compromise Scam Works
Cybercriminals must first figure out how the victim’s business operates for a business email compromise to work. The best way to monitor a company’s operations is by accessing its email threads. To execute an attack, the attackers might:
- Send spear-phishing emails to a top executive in your organization: The email messages might impersonate a trusted person to lure the victim into revealing the business email credentials. The credentials will grant access to your company emails, calendar, accounts, and detailed data necessary to execute a BEC scam.
- Use malware: Alternatively, cybercriminals might use malicious software to infiltrate your company’s network and read legitimate email threads about invoices and billing. With that information, the perpetrator can craft requests and messages convincing enough that your financial officers or accountants have no reason to question them.
Criminals can use malware to get unauthorized access to your system without detection and steal critical information such as business email logins.
With your email address and password, attackers will sit in your system and watch how your business operates. If you’re using hosted services such as Microsoft 365 or G Suite, the same credentials expose even more of your data.
The email credentials can allow the criminals to log into your accounts, look for clues about the upcoming wire transfer, or even create rules that forward email messages to them without your knowledge.
That way, attackers may begin to:
- Communicate with your vendors and customers
- Redirect payment to new accounts
- Submit invoices for significant amounts to be paid to their account
In most cases, businesses don’t know what’s going on until they get a call from one of their customers or vendors saying they made the payment but never received the product or service.
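The forwarding rules mentioned above are one of the few artifacts of a BEC intrusion that a defender can go looking for before any money moves. The script below is an added example, not code from the original article: it reviews a set of mailbox rules and flags the patterns that typically indicate an attacker-created rule (forwarding or redirecting to an external domain, keying on finance-related subject words, burying matching mail in a folder the victim never reads, or an empty or one-character rule name). The rule records are constructed to resemble what an inbox-rule export contains; the field names, the internal domain and the sample mailboxes are assumptions, not a real vendor schema.

```python
"""Flag mailbox rules that look like BEC persistence (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Domains the organization owns; any other recipient counts as external. (assumed)
INTERNAL_DOMAINS = {"example-corp.com"}

# Subject keywords that payment-fraud rules commonly key on.
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "bank", "remittance", "ach"}

# Folders attackers use to hide copies of mail so the victim does not see replies.
HIDING_FOLDERS = {"RSS Feeds", "Deleted Items", "Junk Email", "Archive",
                  "Conversation History"}


@dataclass
class InboxRule:
    """Constructed record shape; the field names are assumptions."""
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)   # SMTP addresses
    redirect_to: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete_message: bool = False
    enabled: bool = True


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule: InboxRule) -> List[str]:
    """Addresses the rule sends mail to that are outside our domains."""
    return sorted(a for a in rule.forward_to + rule.redirect_to
                  if domain_of(a) not in INTERNAL_DOMAINS)


def assess_rule(rule: InboxRule) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one rule; empty means benign."""
    findings: List[Tuple[str, str]] = []
    if not rule.enabled:
        return findings
    ext = external_targets(rule)
    keyworded = [k for k in rule.subject_contains if k.lower() in FINANCE_KEYWORDS]
    hides = rule.delete_message or rule.move_to_folder in HIDING_FOLDERS

    if ext:
        findings.append(("high", f"forwards/redirects to external {ext}"))
    if hides and keyworded:
        findings.append(("high", "hides finance-related mail from the owner"))
    elif hides:
        findings.append(("low", "deletes or buries matching mail"))
    if keyworded:
        findings.append(("medium", f"keyed on finance terms {keyworded}"))
    if len(rule.name.strip()) <= 1:
        findings.append(("low", "rule name is empty or a single character"))
    return findings


SEVERITY_ORDER = {"high": 3, "medium": 2, "low": 1}


def highest_severity(findings: List[Tuple[str, str]]) -> Optional[str]:
    return max((s for s, _ in findings), key=SEVERITY_ORDER.get, default=None)


def scan(rules: List[InboxRule]) -> Dict[str, List[Tuple[str, List[Tuple[str, str]]]]]:
    """Group flagged rules by mailbox; mailboxes with no findings are omitted."""
    report: Dict[str, List[Tuple[str, List[Tuple[str, str]]]]] = {}
    for rule in rules:
        findings = assess_rule(rule)
        if findings:
            report.setdefault(rule.mailbox, []).append((rule.name, findings))
    return report


# Constructed sample rules: one classic attacker rule, one legitimate
# finance workflow, one internal copy, and one disabled leftover.
SAMPLE_RULES = [
    InboxRule("cfo@example-corp.com", ".", forward_to=["drop@mail-example.net"],
              subject_contains=["invoice"], move_to_folder="RSS Feeds"),
    InboxRule("ap@example-corp.com", "Vendor invoices",
              subject_contains=["invoice"], move_to_folder="Invoices"),
    InboxRule("hr@example-corp.com", "Copy to assistant",
              forward_to=["assistant@example-corp.com"]),
    InboxRule("cfo@example-corp.com", "old", forward_to=["x@mail-example.net"],
              enabled=False),
]

if __name__ == "__main__":
    for mailbox, flagged in scan(SAMPLE_RULES).items():
        for name, findings in flagged:
            print(f"{mailbox}: rule {name!r} -> {highest_severity(findings)}")
            for severity, reason in findings:
                print(f"    [{severity}] {reason}")
```

In practice the input would come from an export of every mailbox's rules rather than the embedded list, and the review should be repeated on a schedule, since a rule created after the last check is exactly what this scam relies on.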
The Step-by-Step Process Attackers Take to Execute a Successful Business Email Compromise Scam
For a BEC attack to be successful, attackers work methodically, following four crucial steps.
Step 1: Identifying a Target
Cybercriminal groups start by identifying a target. Most begin with gathering information online about companies in the US and abroad. Then they build a profile of the organization and its executives.
Step 2: Grooming
After selecting a potential victim, the attackers send spear-phishing emails or call the targeted company’s officials to lure them into sharing business email credentials. Most potential victims work in the finance department.
The perpetrators then apply pressure and persuasion to exploit the employee. If persuasion fails, they may try to plant malware in the company’s system to steal credentials.
Grooming might take a few days, weeks, or sometimes months.
Step 3: Information Exchange
Once the attackers get email credentials, they sit in your network, observing how you execute business. The perpetrators gather enough information to create legit-looking emails that lure your business into wiring money into their bank account.
If the fake requests convince the staff in your finance department that they’re doing a legit business transaction, the criminals will provide wiring instructions.
Step 4: Wire Transfer
The scam succeeds once your finance department makes the wire transfer. Upon the transfer, the crime group will steer the funds to a bank account they control.
One local company got hit, losing $800,000. Another organization stopped the transaction because it looked suspicious.
The company was more old school and liked to work with faxes. When the organization received new bank routing information via email, they called the real vendor to verify it, only to find out that scammers were trying to steal from them.
The Scam Is Turning into a Huge Problem
BEC scams often target businesses that conduct wire transfers regularly, have many vendors, and have large sums of money flowing through their accounts. The chief concern is the size of the losses a single BEC incident can inflict.
Banks generally don’t cover email compromise as fraud because they can’t stop the transaction from happening. All a business can do when it falls victim is approach its insurance company, if it has one, to try to recover the loss.
How to Protect Your Business Against Business Email Compromise
While detecting a BEC attack can be challenging, your business can take several measures to mitigate risks, such as:
- Implementing multi-factor authentication on email: Multi-factor authentication adds a security layer on top of passwords. That way, even if attackers manage to get your email credentials, they face another barrier that limits access to your business email.
- Training employees on how to spot phishing emails: The first step of a BEC scam is to get access to your email and observe your activity. Criminals mostly get access to your system by luring one of your employees into sharing logins. Creating cyber awareness within your company can stop the attack before it starts.
- Verifying payment and purchase requests in person or through calls: Treat any change in account number or payment procedure as unverified until you have confirmed it with the vendor through a channel you already trust, not through the contact details in the request itself.
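The last measure is easy to state and easy to skip under time pressure, so it helps to make it a mechanical gate in the payment workflow. The code below is an added example, not from the original article or Alvarez Technology Group: it compares an incoming payment request against the vendor master file and holds the payment for an out-of-band call whenever the vendor is unknown, the bank account differs from the record, or the sender's domain is not the vendor's registered domain. The callback number always comes from the master file, never from the message, which is the detail that defeated the scam in the story above. The vendor records, requests, domains and phone numbers are constructed for the example.

```python
"""Hold payment requests that change bank details for out-of-band verification (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    """What accounts payable already knows about a vendor (constructed shape)."""
    name: str
    email_domain: str
    bank_account: str
    phone_on_file: str        # number obtained when the vendor was onboarded


@dataclass(frozen=True)
class PaymentRequest:
    """Fields extracted from an emailed invoice or payment instruction."""
    vendor_name: str
    sender_email: str
    bank_account: str
    amount: float
    phone_in_message: Optional[str] = None   # attacker-controlled; never used to verify


@dataclass(frozen=True)
class Decision:
    action: str                 # "pay" or "hold_for_verification"
    reasons: List[str]
    call_number: Optional[str]  # taken from the master file only


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(request: PaymentRequest, master: Dict[str, VendorRecord]) -> Decision:
    """Return "pay" only when every detail matches what is already on file."""
    reasons: List[str] = []
    record = master.get(request.vendor_name.strip().lower())
    if record is None:
        reasons.append("vendor not in master file")
    else:
        if request.bank_account != record.bank_account:
            reasons.append("bank account differs from vendor master")
        sender_domain = domain_of(request.sender_email)
        if sender_domain != record.email_domain.lower():
            reasons.append(f"sender domain {sender_domain!r} is not the vendor's "
                           f"registered {record.email_domain!r}")
    if reasons:
        # Verify by calling the number already on file; the phone number in the
        # message is deliberately ignored because the attacker may have supplied it.
        return Decision("hold_for_verification", reasons,
                        record.phone_on_file if record else None)
    return Decision("pay", [], None)


# Constructed vendor master file keyed by lower-cased vendor name.
VENDOR_MASTER = {
    "acme supplies": VendorRecord("Acme Supplies", "acme-supplies.example",
                                  "GB00-1111", "+1-555-0100"),
}

# Constructed requests: a normal invoice, a compromised vendor mailbox changing
# the account, a look-alike domain with a "new" phone number, and an unknown vendor.
SAMPLE_REQUESTS = [
    PaymentRequest("Acme Supplies", "billing@acme-supplies.example", "GB00-1111", 12000.0),
    PaymentRequest("Acme Supplies", "billing@acme-supplies.example", "GB00-9999", 12000.0),
    PaymentRequest("Acme Supplies", "billing@acme-suppIies.example", "GB00-9999",
                   12000.0, phone_in_message="+1-555-0199"),
    PaymentRequest("Acme Suplies Ltd", "ap@acme-supplies-ltd.example", "GB00-9999", 5000.0),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        d = evaluate(req, VENDOR_MASTER)
        print(f"{req.vendor_name} / {req.sender_email}: {d.action}")
        for reason in d.reasons:
            print(f"    - {reason}")
        if d.call_number:
            print(f"    call {d.call_number} (from master file) before paying")
```

The gate deliberately cannot be satisfied from inside the email: an attacker who controls the thread can change the account, the domain and the phone number in the message, but not the record accounts payable created when the vendor was first onboarded.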
Alvarez Technology Group Can Help You Detect Email Intrusion and Prevent Potential Attacks
BEC attackers rely heavily on social engineering to execute successful scams. At Alvarez Technology Group, we can help you detect and prevent email intrusion before the situation escalates to a BEC attack.
More importantly, we’ll keep your business on high scam alert by updating you about the latest tricks attackers are pulling on other organizations. Contact us today for more cybersecurity solutions.