Did you know that business email compromise losses reported in 2021 totaled $2.4 billion, according to the Internet Crime Report released by the FBI’s Internet Crime Complaint Center (IC3)? Email is the most mission-critical application we use, and it is the single largest attack surface out there. Hackers know it, and they have taken and will continue to take full advantage of it.
What is a BEC Attack?
Business email compromise (BEC) or email account compromise (EAC) is a type of email cybercrime scam in which an attacker targets a business in order to defraud the company. BEC has become one of cybersecurity’s biggest threats, targeting organizations of all sizes across every industry around the world.
The FBI’s IC3 report revealed that BEC remains a lucrative affair for cyber crooks and is “62 times more lucrative than ransomware.”
Growing Prevalence of BEC
There are almost 320 billion email messages sent worldwide every day. With over 4 billion email users, email security risks are increasing at an alarming pace. The attack vectors continue to multiply, making email a popular target for the bad guys. In fact, 91% of all cyberattacks begin with a phishing email, and 95% of all network intrusions begin with a spear phish. These are the methods that bad actors use to breach or infiltrate networks. Attack vectors take many forms: phishing, spear phishing, malware and ransomware, and compromised credentials, just to name a few.
Social engineering is a close cousin to business email compromise. It involves email or other communications that invoke urgency, fear or similar emotions in the victim. The goal of social engineering is to lead the victim to promptly reveal sensitive information, click on a malicious link or open a malicious file. Strikingly, 94% of reported emails rely on social engineering instead of embedding or linking to malware.
These cyber threats have become more prevalent and significant for many businesses. Take a look at the numbers:
- 85% of organizations around the world have combated phishing attacks in the last year.
- About 70% of cyberattacks and 22% of data breaches involve phishing emails.
- 96% of social engineering attacks are delivered via email.
With 32 million fraudulent emails impersonating trustworthy domains (like Microsoft, Amazon, Google and Facebook) every day of the week, that is a rate of 1.3 million per minute!
Consequently, all businesses, regardless of size, must develop methods to mitigate the growing risks to email security.
The Role of Training to Prevent BEC
Oftentimes, the weak link in the security chain is the untrained user. Most individuals do not realize that email is not a secure communication medium by default. This is why security awareness training is key to minimizing the threat of business email compromise and social engineering.
Organizations should accompany training with simulated phishing attacks. This puts users in the driver’s seat and shows how they actually react to incoming phishing scams. If a user clicks on the link in a simulated phishing email, they are directed to just-in-time remedial training that gives them additional information on how to identify a phishing attack in real life.
Don’t Overestimate Employees’ Understanding of BEC
In GLS’s work with organizations around the world, we encounter a wide variety of situations in which BEC has occurred. Our clients are often surprised at how little some employees know about cybersecurity and the many ways fraudulent emails can appear.
One such company experienced a 500K BEC attack. The company discovered that a long-time employee in the Finance department had received an email from someone he believed to be the company’s CEO. The email stated that a wire transfer had to be released by 3 PM that day and that the CEO was at a golf outing with clients and could not be interrupted. The message instructed the Finance employee to make sure the wire transfer was completed on time. As a responsive employee, he processed the transfer, only to find out later that the message was a scam.
Because this individual was a valued employee, he was spoken to by his manager and HR and allowed to remain in his position. In addition, he was provided with additional information on phishing and business email compromise scams. A few days after his training was complete, the company sent him a targeted simulated phishing email. Not only did this individual fall for the attack and click on the link in the email, but he also entered his credentials. As you can guess, he is no longer employed by that organization.
How BEC Works in Real-World Settings
BEC scammers prey on curiosity, current events, fear of missing out and anxiety. They begin by spoofing an email account or a website. Think about the slightest variations on legitimate email addresses and how they can fool victims into thinking fake accounts are authentic.
Fake messages look like they’re from a trusted sender, and they are used to trick victims into revealing confidential information. That information enables criminals to access company accounts, calendars and data, which give them the details they need to carry out business email compromise schemes.
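The “slightest variations” on a legitimate address described above can be checked mechanically. The following Python check is an added example, not code from GLS or the article; it flags a sender domain that is one homoglyph or one character away from a trusted domain, and a display name that matches an executive but arrives from an outside domain. The trusted domains, executive names and From headers are constructed for the illustration.

```python
import re

TRUSTED_DOMAINS = {"example-corp.com", "acme-vendor.com"}  # constructed allowlist
EXECUTIVES = {"jane doe": "example-corp.com"}  # constructed: exec display name -> real domain
SAMPLE_HEADERS = [  # constructed From headers for the demonstration
    "Jane Doe <jane.doe@example-corp.com>",        # genuine
    "Jane Doe <ceo.janedoe@gmail.com>",            # exec name, outside domain
    "Accounts Payable <billing@acme-vend0r.com>",  # 0 swapped for o
]
# Common look-alike substitutions, folded to one canonical form before comparing.
DIGIT_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(domain: str) -> str:
    """Lower-case and undo typical homoglyph swaps (0->o, 1->l, rn->m, vv->w)."""
    folded = domain.lower().translate(DIGIT_GLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_from(header: str):
    """Split 'Display Name <local@domain>' into (name, local, domain)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^@>]+)@([^>]+)>\s*$', header)
    return (m.group(1).strip(), m.group(2), m.group(3).lower()) if m else ("", "", "")

def assess_sender(from_header: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    name, _local, domain = parse_from(from_header)
    if not domain:
        return ["unparseable From header"]
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(normalize(domain), normalize(trusted)) <= 1:
            findings.append(f"{domain} resembles trusted domain {trusted}")
    expected = EXECUTIVES.get(name.lower())
    if expected and domain != expected:
        findings.append(f"display name '{name}' matches an executive but sender is {domain}")
    return findings

RESULTS = {h: assess_sender(h) for h in SAMPLE_HEADERS}
```

A check like this belongs at the mail gateway or in the analyst’s triage script as a warning banner, not as a block rule: a legitimate new vendor domain will also land near the threshold, so the finding should prompt the out-of-band phone call the article recommends.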
In practice, a scam could look like these examples:
- A vendor your company regularly deals with sends an invoice with an updated mailing address or updated wire transfer information.
- The company CEO asks her assistant (via email) to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire the down payment.
Once the phishing scammer gains access, they frequently use malicious software (malware) to infiltrate company networks and read legitimate email threads about billing and invoices. That information is used to time requests or word messages so that accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to proprietary data, including passwords.
What If You’re a Victim of BEC
If you fall victim to business email compromise, it’s important to act quickly:
- First, notify your manager and/or HR department.
- If you’re an individual whose personal email has been breached, contact your financial institution and alert them of the nature of the breach for further assistance.
- Whether organization or individual, make sure the incident is reported to the FBI. You can contact your local field office to report the crime and/or file a report with the FBI’s Internet Crime Complaint Center.
Safeguard Against Business Email Compromise
How can you protect yourself (as an individual) from falling prey to BEC attacks? First and foremost, everyone needs to be careful with information they share online and on social media. Adopt these important security practices:
- Stop answering random questions and polls on social media (your first pet’s name, the first street you lived on, your first car, or a school you attended, for example). You are providing scammers information so they can guess your passwords or try to answer your security questions and gain access to your accounts.
- Don’t click on links in unsolicited emails or text messages asking you to verify your account information.
- Instead, contact the company directly using the phone number on the back of your credit card or on a statement.
- Carefully examine the email address, web address and spelling in the correspondence.
- Be careful what you download.
- Never open email attachments from someone you do not know.
- Use strong passwords.
- Set up two-factor authentication on all accounts that allow it.
- Be especially wary if the requestor is pressing you to act quickly – this is a big red flag.
- Don’t be afraid to call a person and ask “did you send me this email?”
- Never access email, pay bills or shop online over public Wi-Fi.
Protecting organizations from email-based attacks is ultimately a collaboration between all levels of an organization. Remember these important factors:
- A successful security awareness program comes from the top down. Once you have CEO endorsement, it will flow down to all of your managers and employees.
- Education is critical, because your employees need to understand why cybersecurity is so important. They have a role to play to protect your organization and your brand.
- Up the frequency of security awareness training. Only 23% of organizations provide cyber awareness training to their employees on an ongoing basis, and 87% offer it only once a quarter. That is way too infrequent! Employees who receive consistent security awareness training are five times more likely to spot and avoid clicking on malicious links.
Sharpen Your Defenses with BEC Training
Global Learning Systems offers tailored business email compromise and anti-phishing training to meet the needs of your organization. We take companies beyond just “checking the box” for training compliance. Our cybersecurity training professionals customize your security awareness training program, so it reflects your policies, priorities and leadership messaging. We also offer custom course development and a fully managed service solution for cybersecurity training and phishing.
For individual email users who do not have access to organizational employee training for business email compromise, GLS recommends visiting the AARP’s Fraud Watch Network. This free resource – with dozens of videos and tip sheets on how to recognize and avoid common scams – is available to everyone.