Published: May 29, 2020 in our Security Fraud News & Alerts Newsletter.
According to the FBI, the price tag of business email compromise (BEC) attacks has almost tripled since 2016. The Internet Crime Complaint Center (IC3) reports that BEC cost businesses more than $1.2 billion last year, and that counts only the attacks that were reported. BEC scams are highly targeted email attacks built to steal funds, and for some companies a single successful one can mean the end of the business. Research shows that 60% of small-to-medium size businesses close their doors within six months of a cyberattack, and BEC scams are a growing reason behind that statistic. Protecting client data from harm should be part of any cybersecurity plan, but protecting the business itself from ruin should be part of that plan too. Hackers keep getting smarter and more effective, so catching a BEC before it’s too late takes knowing how these attacks work and what to look for.
BEC attacks start with email phishing, usually highly targeted, socially engineered emails. Hackers research potential victims on social media to gather the details that let them send laser-focused emails, and company websites are a goldmine of BEC information. Employees who work with company finances are particularly targeted.
BEC attacks trend over time, and the current focus is “vendor email compromise.” Scammers pretend to be part of a company’s supply chain. The emails claim to come from a vendor who requires quick payment of an invoice, and they supply a different account number than usual for the deposit, a set-up that sends the payment directly into the scammer’s bank account.
91% of BEC attacks happen on weekdays, usually sent around 9am so they blend into a regular business day. Most attacks target an average of six people, with some reaching up to 25 employees. Information gleaned from social media, including real names, positions, and departments such as human resources and finance, is used to make the email appear legitimate. Research shows that when attackers impersonate someone in a position of authority, email click rates triple.
BEC attacks are successful because they look like the usual emails employees get daily.
They generally go after a large sum of money in one transaction, so hackers don’t mind doing their homework to have an email appear “normal.”
8% of BEC attacks involve payroll requests, 47% are sent from Gmail accounts, and 3% have a fake URL or malicious attachment.
Typosquatting is another BEC tool. Hackers create websites and URLs that closely match the intended URL, then wait for an employee to make a slight typo in the web address.
That misspelling sends them to a look-alike website created to steal payment and other sensitive data, then disappear in an instant.
How to Prevent a BEC
Always require additional layers of authentication, especially when finances are involved. 2FA (two-factor) and MFA (multi-factor) requirements can ferret out cybercriminals and stop a BEC in its tracks. Whenever possible, also use face-to-face authentication.
There’s no substitute for employee education, including ongoing updates on the latest trending scams; it can stop a BEC email from being opened and acted upon. Consider specialized training for those who work with finances.
For typosquatting BEC scams, consider security services that automatically purchase the domain names ripe for typosquatting. This can stop an attack before it starts. Cybercriminals typically spend 15-30 minutes on a scam, and such services can foil a hacker looking to typosquat, sending them on to a different victim.
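The typosquatting described above (slight typos in a trusted domain) and the defensive idea of enumerating the domains ripe for it can be demonstrated in a few lines. The script below is an added example, not code from the newsletter or from any service it mentions: it generates the one-keystroke variants of a trusted domain and flags inbound sender addresses that use one, which is the same list a defender would review for registration or for mail-filter rules. The keyboard neighbour map, the vendorco.com domain and the sample addresses are all constructed for the demo.

```python
# Added example (not from the newsletter): enumerate one-keystroke typo
# variants of a trusted domain, then flag inbound senders that use one.
# The neighbour map and the sample addresses are constructed for the demo.
from typing import Dict, List, Set

# Keys adjacent on a QWERTY keyboard: the source of "slight typo" substitutions.
QWERTY_NEIGHBOURS: Dict[str, str] = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft",
    "s": "awedxz", "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc",
    "y": "tghu", "z": "asx",
}


def typo_variants(domain: str) -> Set[str]:
    """Lookalike domains one keystroke error away; mutates only the left-most label."""
    label, _, suffix = domain.lower().partition(".")
    out: Set[str] = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                    # omitted character
        out.add(label[:i] + ch + ch + label[i + 1:])          # doubled character
        if i + 1 < len(label):                                # swapped neighbours
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for key in QWERTY_NEIGHBOURS.get(ch, ""):             # adjacent-key slip
            out.add(label[:i] + key + label[i + 1:])
    out.discard(label)                                        # never flag the real domain
    return {v + "." + suffix for v in out if v}


def is_lookalike(address: str, legit_domain: str) -> bool:
    """True when the sender's domain is a typo variant of `legit_domain`."""
    sender_domain = address.rsplit("@", 1)[-1].strip().lower()
    return sender_domain in typo_variants(legit_domain)


def flag_senders(addresses: List[str], legit_domains: List[str]) -> List[str]:
    """Every address whose domain is a lookalike of a known-good domain."""
    return [a for a in addresses if any(is_lookalike(a, d) for d in legit_domains)]


# Constructed sample senders: one genuine, two typosquats, one unrelated.
SAMPLE_SENDERS = ["ap@vendorco.com", "ap@vendrco.com",
                  "invoices@vendorcoo.com", "newsletter@unrelated.com"]

if __name__ == "__main__":
    for addr in flag_senders(SAMPLE_SENDERS, ["vendorco.com"]):
        print("lookalike sender:", addr)
```

The same variant list, run against your own domain, is the candidate set a registration service would buy up; run against vendor domains it catches the account-change emails described under vendor email compromise.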