Business Email Compromise (BEC) is turning into the go-to strategy for cybercriminals. The FBI’s Internet Crime Complaint Center (IC3) reports that losses from BEC schemes reported in the U.S. rose to nearly $2.4 billion in 2021, up 33% from the previous year and roughly tenfold since 2015.
These attacks typically begin with a breach of some sort: an unpatched system, an unaddressed vulnerability, or a phishing email that someone clicks on. Once the perpetrators are inside, they rely on spoofed or hijacked emails that impersonate executives, finance staff, the CEO, vendors, or partners. The goal is to make what appears to be a legitimate request for a business payment from an authentic-looking message sent by a known authority figure. Done well, the employee complies without a second thought and transfers a large sum to an account that is effectively untraceable.
Example: the CEO is in Asia working on the final stages of an acquisition. A BEC scam might involve sending legitimate-looking emails from actual corporate email addresses (or from addresses that look similar to the legitimate ones). These messages authorize the transfer of funds NOW to a specified bank account. But the target isn’t always money. Sometimes the goal is to steal employees’ personally identifiable information, or wage, financial, or tax forms.
Nail Salon Scammer
The owner of a nail salon in California scored big with BEC by tricking a public school district in Michigan into wiring its monthly health insurance payment to his bank account. $2.8 million was stolen; banks managed to recall about half of it.
Investigators found that the incident began with a compromised HR employee’s email account. Masquerading as the HR staffer, the attacker convinced the finance department to send the payment to a new account. But the plot thickens. The salon owner claimed that someone in Europe persuaded him to accept the funds and forward them to other accounts. The FBI countered that this was a ruse to escape conviction.
In other cases, major deals have been hijacked by scammers. A U.S. nonprofit was fooled into sending an approved $650,000 grant to a fraudulent account. Again, email phishing was the culprit: the mailbox of someone in the accounts department was taken over by a thief, and the wire details were changed at the last minute. The money went to an account in Texas and was moved on from there. Law enforcement has so far failed to locate the money or bring the perpetrators to justice.
Newer BEC tactics use AI-generated “deep fake” audio and video messages that appear to come from executives, urging subordinates to send funds.
In many cases, criminals break into corporate systems months in advance, using known but unmitigated vulnerabilities. They then sit tight, quietly monitor email traffic, and wait for the best opportunity. As a deal is closing, they take control of an email account, send an urgent request to someone in finance, and divert the funds to a destination they control. By the time the scam is suspected, typically the next day, the money is gone.
Even the federal government can fall for such tricks. The U.S. State Department was another recent target: $200,000 allocated to farmers in Tunisia was redirected to an unknown destination.
What to Do to Prevent BEC Attacks
To prevent this from happening to you or your organization, employee education is vital, particularly about phishing and other social engineering tricks. Multi-factor authentication is another important element: it makes the initial mailbox takeover much harder. Note, though, that MFA does nothing against a message sent from a lookalike domain the attacker registered, since no login to your systems is involved; that case has to be caught by the warning signs and verification steps that follow.
Specific to BEC, warning signs include sudden urgency injected into financial transfers, requests to use a new account or changed payment details, and email addresses or domains that are almost, but not quite, right. Scammers often set up fake websites and email addresses that look genuine until you examine them closely. Where money or major changes are involved, always verify through a channel other than email, such as a phone call to a number already on file, never one supplied in the suspicious message.
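As an added illustration of these warning signs (example code written for this page, not a Syxsense product feature), the Python script below scores a message on the cues just listed: a sender domain that is a near-miss of a trusted one (common digit-for-letter swaps and small edit distance, or the trusted name embedded in a different domain), a Reply-To that points somewhere else, urgency wording, a request to use a new or changed account, and language that discourages picking up the phone. The two sample messages, the trusted-domain list and the keyword patterns are constructed for the demonstration; tune them to your own domains before using the idea in a mail filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a lookalike-domain BEC message (not a real capture).
# The From domain swaps "l" for "1"; the Reply-To goes to yet another domain.
SAMPLE_EMAIL = """From: "Dana Reyes, CFO" <dana.reyes@examp1e-corp.com>
Reply-To: dana.reyes.cfo@mail-examplecorp.com
To: ap@example-corp.com
Subject: URGENT wire needed today
Date: Mon, 7 Mar 2022 09:14:00 -0500

Hi, we are closing the acquisition this afternoon. Please wire $450,000
to the new account below immediately and confirm. I am in meetings all day,
so email is the only way to reach me.
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """From: "Payroll" <payroll@example-corp.com>
To: ap@example-corp.com
Subject: Q2 expense report schedule

The expense report template for Q2 is attached. Reports are due at the
end of the quarter.
"""

# Hypothetical allow-list; in practice this is your own domains plus key vendors.
TRUSTED_DOMAINS = {"example-corp.com"}

URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away|now)\b", re.I)
NEW_ACCOUNT = re.compile(
    r"\bnew (bank )?account\b|\b(updated|changed) (bank|wire|payment) (details|instructions|account)\b",
    re.I,
)
NO_CALLBACK = re.compile(r"(can.?t|cannot|unable to) (talk|call)|email is the only way", re.I)


def normalize(domain: str) -> str:
    """Fold common lookalike substitutions so examp1e-corp.com compares equal to example-corp.com."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("10357", "loest"))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values between two domains mean a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the domain from a From/Reply-To header, ignoring the display name."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None  # exact match or a legitimate subdomain
    for t in trusted:
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= max_distance:
            return t
        # trusted brand name embedded in a different domain, e.g. mail-examplecorp.com
        if t.split(".")[0].replace("-", "") in domain.replace("-", ""):
            return t
    return None


def analyze(raw_message: str) -> dict:
    """Score one RFC 822 message on the BEC warning signs; higher score = more suspicious."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"] or "")
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    text = (msg["Subject"] or "") + "\n" + msg.get_payload()

    findings = []
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain} looks like trusted {imitated}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if URGENCY.search(text):
        findings.append("urgency language in subject or body")
    if NEW_ACCOUNT.search(text):
        findings.append("request to use a new or changed account")
    if NO_CALLBACK.search(text):
        findings.append("discourages out-of-band verification")
    return {"from_domain": from_domain, "reply_domain": reply_domain,
            "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        result = analyze(raw)
        print(f"{label}: score {result['score']}")
        for f in result["findings"]:
            print("  -", f)
```

The score is deliberately a simple count, so a single hit (an urgent but otherwise normal note from payroll) stays low while the sample scam trips every check. In a real deployment the lookalike test belongs on inbound mail at the gateway, and anything scoring two or more should force the out-of-band callback described above rather than land quietly in the finance inbox.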
The Power of Syxsense
And back up these sensible actions with comprehensive Unified Security & Endpoint Management (USEM) protection. Syxsense Enterprise can detect and remediate breaches automatically. It can scan for all vulnerabilities on any device, block communication from an infected device to the internet, isolate endpoints, and kill malicious processes before they spread.
It can automatically prioritize and deploy OS and third-party patches to all major operating systems, as well as Windows 10 feature updates. IT and security teams can use Syxsense Enterprise to collaborate on the detection and closing of attack vectors. It offers management, control, and security for any and all desktops, laptops, servers, virtual machines, and mobile devices.