
Through email scams, criminals obtain sensitive information with the goal of stealing money or identities. They typically lure victims to convincing imitations of real websites, where the victims hand over login credentials, personal information, and even credit card data.

Research shows that employees receive an average of 14 malicious emails per year, with some sectors, such as retail, hit considerably harder. Over 70% of recipients open these phishing emails, and the losses are substantial: the average cost for a small or midsize organization to recover from such an attack is put at $1.6 million.

Unfortunately, more than 77% of businesses lack a response plan for cybersecurity incidents. Organizations need to understand phishing schemes, especially business email compromise (BEC), in order to spot and prevent them.

What is Business Email Compromise?

Business email compromise (BEC) is a form of cybercrime in which a scammer uses email to deceive a victim into sending money or disclosing sensitive company information. A BEC scam starts with the attacker assuming the identity of a trusted person within or connected to your company, such as an executive, a colleague, or a vendor. They then request payment of a bogus bill or access to private information, which they can use in a further scam.

Companies that use wire transfers or have international suppliers and employees are typical BEC targets. With the continuing rise of remote work across the globe, BEC remains a growing problem for businesses of all sizes and sectors. During the first half of 2022, 11,395 BEC incidents were reported, amounting to $12.3 million in losses.

IBM's 2021 Cost of a Data Breach Report put the average cost of a breach at $4.24 million, and breaches that began with BEC or phishing were among the costliest initial attack vectors in that report.

To understand BEC fraud better, here are five types you should watch out for:

1. Account compromise

The attacker uses malware or phishing to take over an employee's email account. Once inside, they send fake invoices from that account to suppliers, customers, or anyone else the employee corresponds with, directing payment to a bank account the attacker controls.

2. CEO fraud

The attacker poses as the CEO or another executive of the organization and emails someone in the finance department to request a funds transfer to an account they control. Other employees may receive emails from the same "executive" instructing them to make a purchase or send confidential information.

3. False invoice scheme

Scammers pose as a vendor and send a bogus bill that resembles a genuine one, then ask for funds to be transferred to their fraudulent account. Sometimes they claim the vendor's bank is under audit to persuade you to send money to a different bank.

4. Lawyer impersonation

The scammer poses as a lawyer or legal agent, typically from an email account they have gained access to without authorization, sends invoices to a client, and requests online payment. These attacks target lower-level employees, who are less likely to question a request's legitimacy.

5. Data theft

In this attack, scammers focus on the human resources (HR) department to steal data about employees, such as schedules and contact information, which they then use to make later BEC scams and other schemes more convincing.

How Does Business Email Compromise Work?

Because a BEC attack often involves no malware or malicious URLs that traditional defenses can detect, it is harder to identify and more time-consuming to address. Instead, attackers rely on social engineering tactics such as impersonation to deceive their victims.

To better detect and prevent this scheme, it’s crucial to understand how it works from start to finish.

Phase 1: Determining targets

Attackers start by compiling a list of email addresses to target. This involves searching databases of corporate email addresses, mining LinkedIn profiles, and browsing websites for contact details.

Typical targets include executives, finance staff, HR managers, and entry-level employees. Scammers go after people who can approve payments, have access to confidential information, or are easily manipulated.

Phase 2: Grooming

Unlike mass phishing, which uses a ‘spray and pray’ approach, BEC attackers work to appear legitimate. They spoof a sender domain or register a lookalike domain (a near-copy of a trusted one, with a swapped, added, or visually similar character) and build the victim's trust over days or weeks. In some cases they resort to pressure and manipulation instead.
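As an added example (not code from the original post or from Q5id), the following Python script applies the checks this phase calls for to raw email headers: it flags sender domains that imitate a trusted vendor, Reply-To addresses that divert replies elsewhere, display names that carry a different address than the real sender, failed SPF/DKIM/DMARC verdicts from the receiving mail server, and urgent payment language. The trusted-domain list, the homoglyph table, and the three sample messages are constructed for illustration and are not real traffic.

```python
"""Added example: triage raw email for BEC indicators (constructed data)."""
import email
import re
from email.utils import parseaddr

# Constructed allow-list: domains this hypothetical company trusts.
TRUSTED_DOMAINS = {"acme-supplies.com", "example.com"}

# Characters attackers swap in to imitate other letters (illustrative).
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
_PAIRS = [("rn", "m"), ("vv", "w")]

URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|bank details|account number|routing|invoice|payment)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Collapse confusable characters so 'acrne-supp1ies.com' == 'acme-supplies.com'."""
    d = domain.lower().strip()
    for pair, letter in _PAIRS:
        d = d.replace(pair, letter)
    return d.translate(_SINGLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        tnorm = normalize_domain(trusted)
        if norm == tnorm or edit_distance(norm, tnorm) <= 1:
            return trusted
    return None


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"lookalike sender domain {from_dom} (imitates {imitated})")
    # Display name shows one address, the real sender is another.
    if "@" in from_name and _domain(from_name) != from_dom:
        findings.append(f"display name claims {from_name}, actual sender {from_addr}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} routes replies away from {from_dom}")
    # Receiving MTA's verdict on the sender's SPF/DKIM/DMARC.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed for {from_dom}")
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENCY.search(f"{msg.get('Subject', '')}\n{body}") and PAYMENT.search(body + msg.get("Subject", "")):
        findings.append("urgent payment / banking-change language")
    return findings


# Constructed sample messages (minimal RFC 822; not real traffic).
LOOKALIKE_INVOICE = """\
From: "Acme Supplies AR" <ar@acrne-supplies.com>
To: ap@example.com
Subject: Updated bank details for invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acrne-supplies.com

Please wire today's payment to our new account number below.
"""

CEO_FRAUD = """\
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe.ceo@webmail.example
To: cfo@example.com
Subject: Urgent wire needed
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

I'm in a meeting, process this wire immediately and confirm.
"""

LEGIT_INVOICE = """\
From: "Acme Supplies AR" <ar@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4471 attached
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=acme-supplies.com

Attached is invoice 4471, due in 30 days under the usual terms.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_INVOICE), ("ceo", CEO_FRAUD), ("legit", LEGIT_INVOICE)]:
        print(name, triage(raw) or ["no indicators"])
```

Two of the three samples trip several checks at once, which is the point: a lookalike domain with an urgent banking change, or a spoofed executive whose replies go to a webmail account and whose SPF and DMARC checks fail. The legitimate invoice produces no findings, which is why the allow-list comparison and the authentication verdicts matter more than the urgency keywords on their own.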

Phase 3: Exchanging information

Posing as a colleague or business partner, the scammer builds further trust, then steers the victim toward the transaction they are after. At this stage, emails demanding an immediate response are common.

Phase 4: Disbursing payment

The final step determines whether the BEC succeeds. If the victim does what the attacker asks, such as sending a wire transfer or disbursing a payment, the attacker profits. Information gathered along the way can also be reused in further fraud against the company or its partners.

How to Prevent Business Email Compromise

There are many identity management solutions and other measures that can prevent these attacks from harming your company and employees.

1. Conduct employee training

Awareness is the foundation of any defense against cybercrime. As a manager, make sure your employees know the basics: examine sender addresses and URLs carefully, never open attachments from unknown senders, limit the information they share online, and confirm any request to change account or payment details by phone, using a number already on file.

Your company should regularly conduct orientations or refreshers to keep staff members aware of BECs and other emerging online scams. 

2. Verify payment and purchase requests

Online financial transactions are a favorite target for scammers, so treat requests with healthy skepticism, especially those with short deadlines, unusual purchases, or new banking details. Any request that lacks proper authorization should also be treated as suspicious.

To reduce the risk, handle payments through a secure payment platform rather than emailed invoices. When a vendor's payment details change, confirm the change with that vendor by phone, using a number you already have on record rather than one supplied in the email, before sending any money.

3. Be smart with your passwords

Use a different password for every account, and make each one long. An extra-long passphrase resists brute-force guessing far better than a short password dressed up with capitals, symbols, numbers, or the common character substitutions that attackers already try first.

4. Use necessary tools and keep them up to date

Keep spam filters enabled to reduce exposure to suspicious email, and block access to blocklisted or malicious websites. Enforce email authentication (SPF, DKIM, and DMARC) on your own domain so that messages spoofing it are rejected rather than delivered. Routine system checks and attention to security alerts strengthen your posture, and firewalls and anti-virus tools help counter malware infections. Keep all of these tools updated so their protections stay effective.

5. Set up multi-factor authentication

Multi-factor authentication (MFA) reduces your exposure to BEC and other attacks that start with a stolen password: even if attackers phish an employee's credentials, they still cannot sign in to the mailbox without the second factor. MFA requires two or more independent proofs of identity, such as a password combined with a hardware security key, an authenticator app, or a biometric check. Prefer phishing-resistant factors such as security keys over SMS codes or security questions, which attackers can intercept or guess.

Rising above Business Email Compromise

Although technology has brought countless benefits, numerous cybersecurity threats come with it. Schemes like BEC put organizations and individuals at risk of losing money, identities, and reputation. There are many ways to prevent them, starting with a review of your existing policies and the integration of the necessary solutions.

Maximize your corporate and personal security, and partner with Q5id today! Q5id offers a proven identity solution to give you and your organization the shield it needs against cyber fraud and more. We have a team of security experts that ensure you get the optimum protection you deserve.

Check out how our technology works, or contact us to learn more.
