The FBI defines business email compromise (BEC, and sometimes called CEO fraud) as a “sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The E-mail Account Compromise (EAC) component of BEC targets individuals that perform wire transfer payments.”
From October 2013 to December 2016, BEC scams impacted organizations in 103 different countries worldwide to the tune of over $5 billion. Things didn’t get any better in 2017. According to statista.com, BEC scams cost an average of $67,000 per incident.
Whether you’re an executive or an accountant or a personal assistant, it’s imperative that you know what this scam is, how it works, and what you can do about it.
How BEC Scams Work
Gaining and abusing trust is the key element to almost every scam. In the case of BEC, the attackers use your acquaintances against you.
For example, imagine you receive an email from a good friend or family member asking you to wire money to help pay for a sudden medical procedure. How likely are you to engage and comply with the request?
Now imagine that same scenario in a corporate environment. But this time, it’s your boss asking for a copy of every employee’s tax information. What do you do?
In both cases, the request could come from a fraudulent source who successfully compromised the email address of someone you know. Let’s take a step-by-step look at how this scam works:
Step 1: Gather Intel
Fraudsters often spend weeks or months gathering information about their targets. Things like full names, addresses, hobbies, appointments, etc. can pave the way to gaining their victim’s trust. Once a scammer has trust, he has a dangerous advantage over his targets and can launch spear phishing campaigns to gather even more information.
Step 2: Spoof Emails
Spoofed email addresses of CEOs and other executives are often the reason BEC attackers find success. If you want to learn how email spoofing works, this article does a good job of explaining it. But the important thing to know is this: once an address has been spoofed, the attacker can impersonate the owner of the address and target the owner’s contact list.
Step 3: Phish Employees
By impersonating the CEO, for example, the attacker can send a request to the HR or financial department to wire money to his account or gather personally identifiable information of an entire organization. Since the email appears to come from someone the employee knows (the boss), the employee is much more likely to comply with the request, often without even a second thought.
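The three steps above end with a message that carries an executive’s name but was not really sent by that executive. As an added example (not code from the original article), here is a small triage check a mail gateway or analyst script could run over incoming messages: it flags an executive’s display name on mail from an outside domain, a Reply-To that silently redirects replies elsewhere, and a DMARC failure for the organization’s own domain. The company domain, executive names and the two sample messages are constructed assumptions.

```python
# Added example, not from the original article: triage checks for
# executive-impersonation mail of the kind described in Steps 2 and 3.
# The domain, names and messages below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed: the organization's own domain
EXECUTIVES = {"Jane Doe", "John Roe"}   # assumed: display names of high-risk people

def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an email address, or '' if none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""

def impersonation_flags(raw_message: str) -> list:
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    flags = []
    # An executive's name on mail that did not come from our own domain.
    if display_name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append("executive display name from external domain")
    # Replies redirected to a domain other than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")
    # Our own domain failed DMARC: the From address was not authenticated.
    if from_domain == COMPANY_DOMAIN and "dmarc=fail" in auth:
        flags.append("DMARC failed for our own domain")
    return flags

SPOOFED = """From: Jane Doe <jane.doe@webmail.test>
Reply-To: ceo.urgent@mailbox.test
Subject: Urgent wire transfer

Please wire $45,000 to the vendor today. I'm in a meeting, don't call.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Subject: Q3 budget

Attached is the Q3 budget for review.
"""
```

A flagged message is a candidate for the confirmation phone call the article recommends, not proof of fraud; the checks are deliberately simple so they can be read and tuned.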
How to Survive BEC Attacks
In addition to standard security practices like strong passwords, firewalls, and antivirus software, here are six ways to survive a BEC attack:
Identify High-Risk Individuals
High-risk means high-level access. The more access an individual is granted, whether it be financial approvals or access to sensitive information, the bigger the target that individual becomes. C-levels, executives, upper management, members of HR and accounting are all top targets for BEC scammers. Auditing who has access to what is Security 101.
Participate in Security Awareness Training
It goes without saying that you need to train employees and routinely update them on matters of information security. Most of them probably would never consider that an email from their boss could be a phishing attack. It’s imperative not only that they are aware of this scam, but that upper management, C-levels, and executives are aware of it and also participate in awareness training. Participation from management nets two positive results: it sets a great example for everyone within the organization, and it collectively improves your organization’s security posture.
Encourage a Culture of Transparency
You want your employees, if they feel something is off or incorrect, to know that they can come to you without hesitation. Many of the scams can be interrupted with a simple confirmation phone call. But employees are often under pressure to perform their duties and not question management. By encouraging a culture of transparency, you effectively empower your employees and co-workers to speak up if they’re unsure of something, rather than just making assumptions.
Be Extra Cautious on Social Media, Especially if You’re in Management
Data mining makes spear phishing possible. Social media provides an especially fertile ground for data mining since people tend to post information that could specifically identify an individual. Your address, your family, your friends, your hobbies, the type of car you drive, the type of dog you have… all of this useful information helps cybercriminals launch successful spear phishing attacks. In general, share less, upgrade the security and privacy settings of each account to the max, and only friend people you know.
Use the Four-Eyes Principle
The four-eyes principle, or two-person concept, is simple: require two people to sign off on any transaction that includes the transfer of money or highly sensitive data. Similar to a bank requiring two keys from different people to open a vault, organizations can implement this as a part of their authorization process and effectively eliminate spoofed requests for money or info. The implementation process may not be simple or even possible for certain organizations, but it’s at least worth considering if you coordinate wire transfers regularly.
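As an added example (not code from the original article), here is a minimal model of the four-eyes rule for a wire transfer. It enforces the parts that matter in practice: the two sign-offs must come from two different authorized people, the requester cannot count as one of them, a duplicate sign-off by the same person is counted once, and each approval must name the exact beneficiary and amount so that an approval for one transfer cannot be reused for another. The approver list, names and request values are constructed assumptions.

```python
# Added example, not from the original article: a minimal four-eyes
# (two-person) authorization check for a wire transfer request.
# Approver names, the request and its values are constructed for illustration.
from dataclasses import dataclass

APPROVERS = {"alice", "bob", "carol"}   # assumed: people allowed to sign off

@dataclass(frozen=True)
class TransferRequest:
    request_id: str
    requester: str
    beneficiary: str
    amount_usd: int

@dataclass(frozen=True)
class Approval:
    approver: str
    request_id: str
    beneficiary: str      # the approver restates what they are approving
    amount_usd: int

def authorize(req: TransferRequest, approvals: list) -> tuple:
    """Return (authorized, reason). Two distinct authorized approvers, neither
    the requester, must each sign off on this exact beneficiary and amount."""
    valid = set()
    for a in approvals:
        if a.approver not in APPROVERS:
            continue      # not allowed to sign off at all
        if a.approver == req.requester:
            continue      # no self-approval: the second pair of eyes must be someone else
        if (a.request_id, a.beneficiary, a.amount_usd) != (
                req.request_id, req.beneficiary, req.amount_usd):
            continue      # signed off on a different request, payee or amount
        valid.add(a.approver)   # a set ignores repeated sign-offs by one person
    if len(valid) >= 2:
        return True, "approved by " + ", ".join(sorted(valid))
    return False, f"{len(valid)} valid approval(s); two distinct approvers required"
```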
Consider Investing in Cyber Insurance
The tricky thing about cyber insurance, like most insurance policies, is it’s only useful after serious mistakes occur. Insurance can’t protect your organization from cybercrime, but it can help mitigate the damage by offsetting costs. As mentioned earlier, the average price of a BEC incident was $67,000 last year. Consider that when budgeting for your cyber defense program. Do some research and find out if cyber insurance is worth it to your organization or fits within your policies.
Latest posts by Justin Bonnema