What is BEC?

Business Email Compromise (BEC) is a type of email cybercrime scam, or more precisely a phishing attack, in which an attacker aims to trick employees into harmful actions in order to defraud the company. BEC scams have been on the rise, and they are among the most damaging and expensive types of phishing attacks, targeting all industries worldwide. It has been established that BEC attacks cost billions of dollars each year.

How does a BEC attack work?

A BEC attack is designed so that the recipient feels compelled to trust the attacker, who typically poses as someone in a position of authority, such as a boss, or as a trustworthy person, such as a colleague. Rather than targeting a large number of people, which makes detection easier, it operates at an individual level, where the chances of going unnoticed are greater. The sender may ask the recipient to make a wire transfer, hand over payroll data, or change bank account details for future payments.

BEC attacks often go undetected because they do not use suspicious URLs or malware that standard cyber defences and knowledge can identify. Instead, they rely on techniques such as impersonation to trick people into acting on the attacker's behalf. Another social engineering technique used in BEC attacks is domain spoofing, where an attacker fakes an email's domain name and sender address so that it looks reliable and familiar. Lookalike domains are another example: characters in the domain name are swapped for ones that are easily confused and overlooked. The complicated technology involved in these techniques makes diagnosing a BEC attack even more challenging.

The most common goal of a BEC attack is to convince the target to send money while believing that they are performing a legitimate, harmless and authorized business transaction.

Types of BEC attacks:

According to the FBI, there are five basic types of BEC attacks:
- Account compromise: This type of BEC attack takes advantage of an employee's compromised email account to gain access to the network. Once trusted by the recipient, the attacker requests invoice payments from customers after changing the payment details to an account the attacker controls. In this manner, payments end up making their way into fraudulent bank accounts.
- CEO Fraud: This type of BEC attack exploits the power dynamics within an organization. The sender poses as the CEO and sends an email instructing the recipient to take some action. Generally, this action is aimed at the firm's finance team and asks for a wire transfer into supposedly legitimate bank accounts.
- False Invoice Scam: Phishers use this tactic with foreign suppliers: they pretend to be vendors and request payments for services offered to the company. The attacker copies the vendor's invoice template but changes the bank account details to divert the funds into a fraudulent bank account.
- Attorney Impersonation: This attack occurs when an attacker poses as a legal representative or a lawyer. The idea is that middle- or lower-level employees are likely to be swayed and act on the directive of a person holding legal power and position. To prevent verification or cross-questioning, these attacks are often made to appear time-sensitive and confidential.
- Data theft: Not all BEC attacks are aimed at financially defrauding a company. Phishers attack HR and finance department personnel to steal sensitive information about company employees. This information can be leveraged for planning and executing future attacks.
How to detect and prevent BEC attacks:

- Anti-phishing protection: Since BEC attacks are carried out using phishing techniques, a good anti-phishing solution is one way to combat them. The anti-phishing software should identify red flags in an email, and machine learning techniques should be used to analyse email language that indicates an attack.
- Senior employees asking for unusual information: Employees naturally tend to respond promptly to requests made by a CEO or a senior manager in a firm, but it is worthwhile to pause and reconsider the intent and logic behind certain requests.
- Alertness against requests prohibiting communication amongst colleagues: Impostor emails often ask the recipient to keep the matter confidential or to communicate with the sender only via email. This red flag should be met with alertness and caution.
- Language inconsistencies and issues in date formats: Some malicious emails have poor grammar, broken English and unusual date formats, which suggests that the email was written by a non-native speaker.
- Employee education: Employees should be trained to raise the alarm upon noticing any irregularity around them. Regular email and phishing security awareness programmes should also be arranged as a training method. This will help minimize the threat of this phishing scam.
- Slowing down: Attackers tend to make their requests time-sensitive and send them around the busiest time of the day. HR personnel, for example, are less likely to pause at something alarming when they are going through emails quickly in the name of efficiency. Suspicion should be raised immediately, and requests should be viewed with caution and patience.
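The red flags described above (a lookalike sender domain, a display name that impersonates a senior employee, a Reply-To that points somewhere else, wire-transfer or bank-detail requests, urgency, and demands for confidentiality or email-only contact) can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original article: a small rule-based BEC scorer in Python, run over two constructed sample emails. The company domain example.com, the executive directory, the confusable-character table and the keyword patterns are all assumptions made for the example; a real anti-phishing product would use a much larger confusables list and the language analysis the article mentions.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (placeholders for this example, not from the article).
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine address

# Characters and digraphs commonly substituted to build lookalike domains.
# Keys include Cyrillic letters that render identically to Latin ones.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s",
                    "\u0430": "a", "\u0435": "e", "\u043e": "o",
                    "\u0440": "p", "\u0441": "c", "\u0445": "x"}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}

# Keyword rules standing in for the language analysis the article describes.
BODY_RULES = {
    "payment_request": r"\b(wire transfer|wire the funds|bank (account|details)|"
                       r"update (our|the) (account|payment) details|routing number)\b",
    "urgency": r"\b(urgent(ly)?|asap|immediately|right away|"
               r"before (end of day|eod|close of business))\b",
    "secrecy": r"\b(confidential|do not (discuss|mention|call)|don't call|"
               r"only (via|by) email|reply (only )?by email|keep this between us)\b",
}


def normalize_domain(domain: str) -> str:
    """Fold a domain so lookalike spellings collide with the genuine name."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    d = "".join(CONFUSABLE_CHARS.get(c, c) for c in d)
    for pair, rep in CONFUSABLE_PAIRS.items():
        d = d.replace(pair, rep)
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 1:
            return trusted
    return None


def analyze(raw_email: str) -> dict:
    """Score one RFC 822 message; header-level impersonation weighs 3, wording weighs 1."""
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    flags = []

    imitated = lookalike_of(from_domain) if from_domain else None
    if imitated:
        flags.append(f"lookalike_domain:{from_domain}->{imitated}")

    genuine = EXECUTIVES.get(from_name.strip().lower())
    if genuine and from_addr.lower() != genuine:
        flags.append(f"display_name_impersonation:{from_name}")

    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply_to_mismatch:{reply_domain}")

    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())
    for name, pattern in BODY_RULES.items():
        if re.search(pattern, text, re.IGNORECASE):
            flags.append(name)

    score = sum(3 if f.startswith(("lookalike", "display_name", "reply_to")) else 1
                for f in flags)
    return {"flags": flags, "score": score, "verdict": "review" if score >= 4 else "ok"}


# Constructed sample messages for the example.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-relay.example.net
To: accounts@example.com
Subject: Urgent wire transfer

I'm in a meeting and can't take calls, so reply only by email.
Please process a wire transfer of $48,500 to the new supplier account
before end of day. Keep this confidential until the deal closes.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 offsite

Can you send me the room booking details for the offsite next month?
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze(sample))
```

The header checks are deliberately weighted above the keyword checks: an "urgent" request from the genuine CEO address is routine, whereas a message whose sender domain folds to the company's own name, or whose Reply-To quietly diverts the conversation, is the pattern the article warns about regardless of wording.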