Business Email Compromise (BEC): Protecting yourself and your business from online scams
by Kory Underdown on May 19, 2022 12:00:00 AM
Are you and your company vulnerable to business email compromise (BEC) attacks?
Business Email Compromise is a scam or attack from online criminals in an attempt to defraud a company for thousands, sometimes even millions, of dollars by targeting their email systems.
Consider these 4 facts about BEC that might surprise you:
- The FBI’s Internet Crimes Complaint Center reported U.S. businesses were subject to over $2 billion in losses from BEC crimes between 2014 and 2019
- Those numbers have skyrocketed since then, reaching a staggering $1.8 billion in losses in 2020, then $2.4 billion in 2021. During this time, there was a nearly 65% increase in the number of complaints filed
- Not all scams are reported, so the real number of BEC attacks and attempts is likely much greater
- With the massive increase in virtual business, meetings, communication and financial transactions, BEC attackers continue to find new ways to exploit and infiltrate businesses
Types of BEC Attacks
BEC attacks can appear in many forms. They almost always target an individual in an attempt to collect important or confidential internal data. It might also involve posing as an executive or client to trick an employee into invoicing or wiring money directly to the scammer.
Are you prepared to defend against BEC? Let’s take a look at the two most common forms of Business Email Compromise: malware and email phishing.
Malware is the oldest trick in the email compromise book. Malware has been used by cybercriminals for decades with a long list of motivations, including data breaches, remote system control, wire transfers, and even ransom.
Malware, also known as malicious software, is a piece of software designed to gain access to or damage a computer or network’s systems. In the case of BEC, it may appear as an email attachment or a link that takes you to an automatic download intended to cause harm.
Example: A scammer sends an email that says “Hi Riley, I manually updated the data tables for Q3 and attached the file below,” with a fake spreadsheet file attached to the email for the victim to download. This download gives the scammer access to the business network, threatening the security of the organization.
How to prevent malware attacks at your business:
- Avoid clicking on suspicious links or unknown file types and train your team to take these same precautions
- Use anti-malware or malware detection software on all computers within your network
- Secure your accounts with strong passwords and multi-factor authentication (2FA)
Spoofing and/or Phishing Emails
Another common method of BEC attacks is spoofing/phishing emails. Chances are, you’ve received at least one phishing email in your lifetime, if not many more.
Spoofing attacks are when the sender impersonates a trusted sender in an attempt to infiltrate accounts or internal systems, or to gain access to confidential data (and sometimes even Amazon gift cards). These types of BEC attacks are often a series of emails intended to build trust and familiarity before the scammer attempts to initiate the BEC scam itself.
Example: You receive an email that appears to be from someone who works in your finance department, asking you to change the payment information on an invoice and send payment out ASAP. These will typically appear to be a real email from an authentic sender.
The first step to avoiding phishing emails is learning how to identify some of the following common “red flags”:
- Misspellings, odd capitalizations, and strange grammar choices
- Asking for sensitive information with very little context
- Hurrying or pressuring language
- Discrepancies in the email address or the sender’s name
- Low-resolution company logos and non-standard email signatures
How to identify spoofing and/or phishing attempts:
Constant vigilance! It never hurts to have a healthy amount of suspicion. If any of these boxes are checked, especially if you’re receiving the request seemingly out of the blue or aren’t sure why you’re being asked, take the following precautions:
- “Mouse over” the sender’s name to reveal the full email address. It might be an email address/domain that you don’t recognize or is slightly misspelled (Bradly-Robinson@email.com instead of Bradley.Robinsion@yourcompany.com)
- If you believe someone is being impersonated, reach out to the supposed sender through other channels like Slack, text, or even an in-person meeting. Avoid using contact information from the suspected fake email
- Contact a co-worker in the same department or who works closely with the person to verify
- Request additional information or some form of verification from the sender
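As a defender-side illustration of the sender checks in the list above, here is added example code that is not from the original post: it parses a From header, flags addresses outside the company domain, catches lookalike domains, and compares the display name against a directory of known colleagues. The company domain, the directory entries and the sample headers are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed assumptions for the example: the company's own mail domain and a
# small directory of known colleagues keyed by lowercase display name.
TRUSTED_DOMAINS = {"yourcompany.com"}
DIRECTORY = {"bradley robinson": "bradley.robinson@yourcompany.com"}

def domain_of(addr):
    """Return the lowercase domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain, trusted, ratio=0.8):
    """True when domain closely resembles, but is not, a trusted domain
    (e.g. yourcompany.co or your-company.com next to yourcompany.com)."""
    return any(domain != t and SequenceMatcher(None, domain, t).ratio() >= ratio
               for t in trusted)

def check_from(from_header):
    """Return a list of red flags found in a From header (empty = none)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    addr = addr.lower()
    domain = domain_of(addr)
    flags = []
    if domain not in TRUSTED_DOMAINS:
        flags.append("external domain: " + domain)
        if is_lookalike(domain, TRUSTED_DOMAINS):
            flags.append("lookalike of a trusted domain: " + domain)
    # A familiar display name on an unfamiliar address is the classic
    # impersonation pattern described in the text.
    known = DIRECTORY.get(name.strip().lower())
    if known and known != addr:
        flags.append("display name belongs to %s but address is %s" % (known, addr))
    return flags

# Constructed sample headers: one genuine colleague, one impersonation of the
# same name from an unrelated domain, one lookalike of the company domain.
SAMPLE_HEADERS = [
    "Bradley Robinson <bradley.robinson@yourcompany.com>",
    "Bradley Robinson <Bradly-Robinson@email.com>",
    "Accounts Payable <ap@yourcompany.co>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_from(header) or ["no flags"])
```

The similarity threshold is a heuristic; tune it against your own domain list, and treat the flags as a prompt for the out-of-band verification described above rather than as a verdict.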
FAQs: (Almost) Everything Else You Should Know About BEC
Question: Who is most vulnerable to Business Email Compromise scams?
All businesses are at risk of being targeted by BEC scams, but most commonly individuals that work on executive teams and in financial departments. Scammers may also target:
- Small businesses using electronic transactions or wire transfer
- Large enterprises where all employees might not know each other
- Mid-sized businesses that commonly work with vendors/contractors and frequently write invoices
Question: What are common defenses and ways to identify potential BEC scams?
If you believe you are being targeted by a BEC scammer you can try some of the following steps to check their legitimacy:
- Verify the Email address/sender
- Verify files/downloads before clicking
- Examine URLs/links closely
- Be aware of strange or pressuring language
- Verify purchase requests or invoices in person/through other channels
Question: What are some other ways I can prevent BEC scammers from attempting to contact me and protect myself if they do?
Some other tips to passively protect yourself and your email from BEC attempts are:
- Utilize DNS security that can block phishing links
- Use multi-factor authentication (or 2FA) for your email
- Use third-party malware detection software or browser extensions
- Keep updated, strong passwords
- Keep updated address books/directories for vendors and contacts
- Avoid sharing personal information publicly that could be used as security questions or password resets
BEC scams have been reported in all 50 U.S. states and 177 countries worldwide. As companies continue to transition to virtual meetings and online transactions, the frequency of Business Email Compromises increases as well—that means you should be taking extra precautions to protect your business.
DNSFilter protects thousands of companies across the world from BEC. See how it works with a 14 day free trial.