One of the most dangerous cyberattacks to target small businesses in recent years is Business Email Compromise, or BEC.
A typical BEC scam attempts to trick an employee into wiring money to the attacker’s bank account. A single email can steal $1,000 to $500,000 in less time than it takes to read this blog post.
BEC scams brought $360.5 million in losses in 2016 – more than any other type of internet crime – as reported in the 2016 Internet Crime Report from the FBI Internet Crime Complaint Center (IC3).
Despite inflicting the most damage, BEC scams numbered far fewer than other internet crimes in the report.
Victims reported more than twice as many personal data breaches and more than six-times as many non-payment/non-delivery crimes.
How can hackers manipulate such a small number of people to hand over such vast sums of money? With a well-crafted, targeted scam email.
What is Business Email Compromise?
Business email compromise typically involves an individual impersonating an authority figure and asking an employee within the targeted business for sensitive data, money, or both.
The traditional BEC scam, according to IC3, impersonates a foreign business supplier. Attackers either compromise a business email account at the supplier or spoof the supplier’s email address and style.
The attackers then email the target, usually an employee who is authorized to transfer funds. The message is crafted to closely resemble a legitimate wire transfer request, even down to the timing.
The attacks don’t usually rouse suspicion because they are almost identical to an authentic request. They use the same kind of language and request the same amount of funds as a normal transaction.
More Types of BEC Scams
One of newest forms of business email compromise has surged since the 2016 tax season, according to the IC3 report. It uses a compromised executive email account to request personally identifiable information (PII) from an employee.
These attacks are even harder to detect since they appear to come from a legitimate source. Who would think twice about handing over W-2 information to their CEO?
Hackers compromise an executive’s email, usually personal, either by spoofing the address or by breaking into the account itself, where they send a carefully drafted email that reads in the same voice as the executive.
This new BEC scam is even more believable than its popular counterpart.
In fact, in their complaints to IC3, victims reported that while they could spot a fake wire transfer request from an outside business, they still fell for a spoofed PII request that was supposedly from the CEO.
BEC Scam Examples
Steve Ragan of CSO compiled a list of 41 successful BEC scams that occurred in the first quarter of 2016 alone, as publicly disclosed by the victims. Nearly all of these attacks compromised W-2 information.
Hackers have also compromised executive email accounts to request wire transfers from a targeted employee, with similar results.
Ameriforge Group Inc. found themselves in this exact situation when a fake email supposedly from the company’s CEO duped an employee into wiring $480,000 to a bank in China.
Other ways hackers are taking advantage of employees is by pretending to be lawyers who are in need of a wire transfer due to their work with confidential information, according to the IC3 report.
These requests are usually sent at the end of the business day and are urgent in nature due to their timing.
Thinking the situation is an emergency could easily trick an employee into thinking the request is legitimate.
Avoiding Business Email Compromise
Always confirm requests that arrive via email for wire transfers and large amounts of sensitive data. Call the person who supposedly made the request or speak to them in person.
Also review such emails carefully. Compare the email address to the address used in similar correspondence from the past.
Does the email try to pressure the employee? Does it suggest the request is an emergency and must be fulfilled immediately? These are red flags.
More tip-offs that an email may be a BEC scam, according to IC3:
- Requests from an open source email address (Gmail, Yahoo, AOL, etc.)
- Use of phrases such as “code to admin expenses” or “urgent wire transfer”
- Requests may line up with actual executive travel dates
- IP addresses tend to trace back to free domain registrars
- Any requests for major changes in communication
Technical ways to reduce the likelihood that a spoofed email reaches an employee’s inbox include enabling digital signatures. Multi-factor authentication can also protect email accounts from compromise.
Report BEC Attacks
Contacting your company’s bank immediately after you identify a business email compromise can help your company identify where the funds went.
Working with the FBI, especially if the breach is recent may help your company in recovering funds lost.
The IC3 can also help in figuring out the who, what, when and where’s of the attack.