Published: June 26, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
Business email compromise (BEC) is yet another effort by scammers to illegally use the identity of a company in order to gain something. This could be financial gain, but could also be to gather information. Often those who are doing BEC crime issue fake invoices or contracts to customers to try to get them to part with cash, believing erroneously that the requests are legitimate. And the targets of this type of crime are not the entry-level employees, but those who have something those scammers really want.
The targets? Often, they are C-level executives, managers, those in the IT department, or anyone working in human resources or the finance department. That’s because they have what the cybercriminals really want: access to the network, the money, or the financial accounts. Financial institutions are especially at risk of business email compromise because they store huge numbers of customer email addresses across a wide spectrum of industries.
Digital scams researcher Crane Hassold of Abnormal Security reported at the RSA Conference that total money lost to cybercriminals from BEC scams has exceeded that lost to ransomware attacks. Recent ransomware activity has caused financial institutions and others to up their game when it comes to fighting the ransomware threat. Because of this, hackers are beginning to realize that the ransomware approach is becoming riskier as time goes by - and that the returns from ransomware attacks are ever diminishing. This has caused the same hackers who were engaged in those activities to change tactics. They have found that the malware they use can easily be repurposed to obtain the email addresses that make BEC possible. Hassold noted that much of the malware used in various ransomware operations is sold as a service and built to be flexible. Those using it can modify it to suit their own needs, which works well for BEC attacks.
Watching out for BEC should be a top priority for any business. Generally, we each receive over 100 email messages per day. While perimeter tools are in place to prevent some attacks, nothing can prevent all of them. It’s the end-user’s responsibility to watch for threats, especially phishing and other types of social engineering.
If you receive an email with an invoice that seems not quite right, question it, even if it appears to be from someone you know. Ask a colleague to take a look and/or contact the vendor or service provider separately, using contact information you already have on file, and confirm it. Don’t reply to those messages by email: the reply often goes right back to the cybercriminal you’re trying to avoid giving information to in the first place. If you’re asked to wire a large sum of money, make sure someone else takes a look first…even if it looks like it’s from the CEO. It could be from the CEO, but it may also be from someone pretending to be in that role.
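The two red flags described above (a reply that would go back to the criminal rather than the apparent sender, and an executive’s name on a message that did not come from the company) can be checked mechanically on the message headers. The following is an added example, not code from the newsletter; the company domain `example.com`, the executive roster and the sample message are all constructed for illustration.

```python
"""Header checks for BEC-style invoice and wire-request emails (added example)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"      # assumed company domain
EXECUTIVE_NAMES = {"jane doe"}       # constructed roster of names likely to be impersonated
MONEY_WORDS = ("invoice", "wire", "payment", "transfer")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_findings(raw: bytes) -> list[str]:
    """Return the reasons a message deserves out-of-band verification (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    findings = []
    # Reply-To pointing somewhere other than From: a reply would not reach the apparent sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to domain mismatch: {domain_of(reply_addr)} != {domain_of(from_addr)}")
    # An executive's display name on an address outside the company domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and domain_of(from_addr) != INTERNAL_DOMAIN:
        findings.append(f"executive display name on external address: {from_addr}")
    # Payment language in the subject raises the stakes of the signals above.
    subject = str(msg.get("Subject") or "").lower()
    if findings and any(word in subject for word in MONEY_WORDS):
        findings.append("subject requests payment or wire transfer")
    return findings


# Constructed sample: CEO display name, lookalike domain, Reply-To on an unrelated mailbox.
SAMPLE = (b"From: Jane Doe <jane.doe@examp1e.com>\r\n"
          b"Reply-To: <ceo.office@mail.example.net>\r\n"
          b"Subject: Urgent wire transfer for vendor invoice\r\n"
          b"To: controller@example.com\r\n\r\n"
          b"Please process today.\r\n")

if __name__ == "__main__":
    for reason in bec_findings(SAMPLE):
        print("FLAG:", reason)
```

A flagged message is a prompt to verify through a channel you already trust, exactly as the text advises, not a verdict on its own.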
The pivot towards business email compromise should be seen as part of the evolution of hacking activity. It is a fact that scams of this nature will continue to morph and change - they are not simply going to disappear. Corporations need to be ever vigilant and ensure that their data is secure.