Business Email Compromise (BEC) is one of the most common and costly scams in the corporate world. According to the FBI's Internet Crime Complaint Center, reported BEC losses reached $1.77 billion in 2019, an average of roughly $75k per incident. Because BEC attackers rely on social engineering rather than technical exploits, the most effective defence is to test and train the people and processes they target, for example through BEC simulation exercises.
As an Application Security Assessments partner to leading financial organizations across the globe, the NST Cyber Threat Research team has prepared this short advisory on BEC trends, techniques, and the awareness needed to prevent such scams. We encourage FinServ stakeholders to use this information to build internal awareness programs and BEC simulation exercises. If your organization is looking for a BEC simulation or consulting service, please contact us at info@netsentries.com.
What is Business Email Compromise (BEC)?
BEC is a scam in which a criminal either compromises a business email account or impersonates its owner, typically a senior executive, a supplier or a lawyer, in order to trick an employee into sending money or sensitive data. Cybercriminals mostly target organizations that regularly make wire transfers. Most BEC attackers use phishing and other email fraud to compromise the mailboxes of senior officers, then use the trust attached to those mailboxes to redirect legitimate payments to accounts they control, or to harvest financial data for later use.
Using a range of social engineering tricks, criminals also persuade victims to open malicious attachments and click on infected links. BEC groups are organised operations that include hackers, social engineers, money mules and even translators. The aim is to get the victim to move funds to the attacker voluntarily; the attacker rarely touches the victim's bank account directly. Instead, they research their target organizations and individuals closely before undertaking the operations described in the next section.
Different BEC categories
The Federal Bureau of Investigation (FBI) identifies five categories of BEC fraud; a related tax-themed variant is listed alongside them:
- Fake invoice scheme - Companies that deal with foreign suppliers are major targets. Criminals pose as the supplier (or a foreign investor) and request that an outstanding invoice be paid to a new bank account.
- CEO fraud - BEC attackers pose as the CEO of the company and email employees in finance asking them to send funds to an account owned by the attackers.
- Account compromise - An employee's email account is hacked and used to send payment requests and invoices to customers or suppliers found in the mailbox, with the bank details changed to the attacker's.
- Data theft - Cybercriminals target HR professionals and bookkeepers to obtain personal and sensitive employee data, which is then used to plan further attacks.
- Attorney impersonation - Attackers pose as lawyers or other legal professionals handling a confidential matter and rely on phone calls and emails to pressure the victim. Junior employees who do not know how such requests are normally handled are the usual victims.
- Tax threats - Some attackers pretend to be a tax authority and pressure victims to hand over the organization's tax data. Fear of being accused of tax evasion pushes victims to follow the attacker's instructions.
What techniques do BEC attackers apply to reach their targets?
- Malware - BEC criminals deliver malware to gain a foothold on a company's internal systems. The malware lets them read genuine email threads about payments and invoices and capture sensitive data, which is later used to make fraudulent requests look authentic.
- Spoofing email addresses and websites - Criminals register look-alike domains or forge sender addresses so that their emails appear legitimate, and use them to trick victims into revealing credentials or sending payments. Publishing and enforcing SPF, DKIM and DMARC records for your own domain stops exact-domain spoofing, but not look-alike domains, which must be detected separately.
- Spear phishing - Criminals send carefully targeted emails, posing as a trusted sender, and ask the victim to disclose important information or act on a request.
Most relevant factors to watch out for when avoiding BEC scams
You can detect BEC scams and prevent losses in several ways.
- Identifying the email sender
Large corporations sometimes receive payment requests that appear to come directly from the CEO. In this case, finance staff must check that the sender address, not just the display name, belongs to a legitimate company account.
- Reason for choosing a wire transfer
BEC attackers favour wire transfers because they are fast and hard to reverse. Verify the requester's identity through a second channel before making any wire transfer, especially to a new beneficiary.
- Requesting gift cards
BEC criminals also ask for gift cards. Victims are told to buy gift cards from well-known brands and send the codes by email; the codes are easy to resell for cash and almost impossible to trace. Treat any request from a colleague or executive to buy gift cards as a red flag.
- Creating a sense of urgency
Attackers try to make you feel that money is needed urgently so that you skip the usual checks; validate the request before committing to any financial transaction.
- Unusual email from the higher-ups
It is essential to verify any email from a senior executive asking for sensitive data, a change in payment details, or a change in the way invoices are processed.
- Non-organizational email sources
Before a wire transfer, check the sender's email address and confirm that it was sent from a legitimate organizational account rather than a free webmail or look-alike domain.
Some ways to protect against BEC
- Configure email security gateway rules to flag emails from domains that resemble your legitimate domain names.
- Tag external email (for example, with a banner or colour code) so employees can distinguish internal from external senders.
- Require a second, out-of-band confirmation for any change to payment details or beneficiary accounts.
- Confirm financial requests by phone, using a number already on file rather than one supplied in the email.
- Examine every fund transfer request received by email thoroughly before acting on it.
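To make the sender checks above concrete (look-alike domains, executive display names on external addresses, mismatched Reply-To, and urgent payment language), here is an added example of the kind of heuristic a mail gateway rule or SOC triage script can run over inbound messages. It is not code from the original article or from NST Cyber. It assumes a single trusted domain (example-bank.com) and a constructed executive directory; the three sample messages are constructed for the example.

```python
"""Heuristic BEC indicators over raw RFC 822 messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation owns example-bank.com and
# EXECUTIVES is a constructed directory of names attackers like to imitate.
TRUSTED_DOMAINS = {"example-bank.com"}
EXECUTIVES = {"jane doe", "john smith"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|gift card|bank details|account number)\b", re.I)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold common visual confusables so rn/m, vv/w, 0/o and 1/l compare equal."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def lookalike_domain(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]           # "example-bank"
        nd, nt = normalize(domain), normalize(trusted)
        if nd == nt or levenshtein(nd, nt) <= 2 or label in nd:
            return trusted
    return None


def analyze(raw):
    """Return the list of BEC indicators found in one message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    imitated = lookalike_domain(from_domain)
    if imitated:
        findings.append(f"lookalike sender domain {from_domain} imitates {imitated}")

    # An executive's name on a non-company address is classic CEO fraud.
    if display.strip().lower() in EXECUTIVES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"executive display name '{display}' from external domain {from_domain}")

    # Replies silently routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent payment language in subject/body")
    return findings


# Constructed sample messages (not real mail).
CEO_FRAUD = """From: Jane Doe <jane.doe@gmail.example>
Reply-To: ceo.office@mail.example
To: ap@example-bank.com
Subject: Urgent wire transfer

Please process this wire today and keep it confidential.
"""

LOOKALIKE = """From: Accounts <ap@exarnple-bank.com>
To: vendor@example.net
Subject: Updated invoice bank details

Our bank details have changed, please update before the next transfer.
"""

LEGIT = """From: John Smith <john.smith@example-bank.com>
To: ap@example-bank.com
Subject: Q3 invoice approved

Approved, please schedule the usual transfer next week.
"""

if __name__ == "__main__":
    for name, sample in (("CEO_FRAUD", CEO_FRAUD), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(name, analyze(sample))
```

Any hit is a reason to hold the payment and verify out of band, not proof of fraud by itself; the look-alike check in particular should be tuned to the organisation's own domains and known partner domains to keep false positives manageable.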
Use a proven technique for preventing BEC: the Business Email Compromise adversary simulation
A BEC adversary simulation sends realistic, controlled BEC lures to staff and measures who acts on them, which identifies the employees and processes most at risk. Combined with training, it reduces the likelihood that a real lure succeeds and helps protect sensitive personal and corporate data. Familiarising your employees with such simulations is therefore worthwhile.
In addition, put the process controls described above in place within your business environment, so that every fund request received by email is verified before it is acted on. Together these measures can save your organization from BEC losses.
About NST Cyber
NST Cyber is an emerging leader in the Cyber Threat Management space. We provide a range of services such as cybersecurity testing, control validation, and defensive and detective security advisory to enterprises. NST Cyber works with several business verticals, including banking and finance, oil and gas, retail, manufacturing, and healthcare, to provide up-to-date security vulnerability assessments and to continuously improve resilience against targeted attacks through cyberattack simulation. With deep technical expertise and commitment, NST Cyber works with several esteemed banks and FinServ companies to improve enterprise-wide security posture and meet regulators' compliance requirements.