Business Email Compromise (BEC), also known as “Man-In-The-Email” or “CEO Fraud”, is a sophisticated type of phishing attack, carried out through elaborate means and usually with devastating effect. The US’s Federal Bureau of Investigation (FBI) estimated that global business email compromise losses hit a staggering $12.5 billion between October 2013 and May 2018 while the total number of victims reached 78,617.
BEC attacks can be extremely sophisticated and can occur after months of research and targeting. Basically, attackers impersonate a key organization executive (often someone who is a senior figure at the organization like a CEO) to send emails to employees within the organization. These emails exactly replicate the chosen target’s style and ask for important financial details or wire payments
A scary scenario
For example, consider the following ceremony. Peter works in a global multinational corporation in the finance department of which the CEO is someone called John. One day, Peter receives an urgent email from John, looking exactly like it comes from John’s official email id. In the email, John says he requires the company’s banking details for an important reason. Thinking that it is the CEO who is asking him for this detail and not wanting to upset him, Peter provides the financial details through the mail.
However, disaster strikes. An unauthorized transaction of a huge amount is made by the company. The blame falls on Peter for sharing the financial details. When he tries to reason that he had only shared the details with the company CEO, he is in for a shock. It turns out a malicious criminal had impersonated the CEO John’s email account and sent an email on his behalf. The CEO had never sent the mail. The company finds itself in deep crisis thanks to a malicious criminal managing to hoodwink an employee.
The above is a textbook example of a Business Email Compromise (BEC). As one can understand, it is extremely important for everyone in the organization, but especially those who handle sensitive information, to exercise constant vigilance when receiving emails asking for sensitive data.
Here are five forms of BEC:
- CEO Fraud – Similar to the example above, where a CEO’s email id is hacked and emails sent to employees, asking for financial details/transactions.
- Bogus Invoice – In this type of BEC, a target is carefully chosen, who mostly deals with an organization’s financial dealings. Once the target is hacked, the attacker picks up a pending invoice and redirects the payment to their own account.
- Attorney Impersonation – This type of BEC scam mainly targets legal departments of organizations. It threatens the organization of legal disputes and asks for large amounts of money to settle these imaginary disputes.
- Data Theft –Different from the ones above, this one may not involve any monetary dealings but is dangerous in its own right. Basically, the attacker, in the impersonation of the CEO or another senior leader, asks for important details, instead of money to employees.
- Account Compromise – In this form of BEC scam, the fraudsters hack into the emails of an organization employee and then email customers about a change in payment details. Obviously, the new payment details are of the fraudster and customers who fall into the trap, start sending their regular payments to the fraudster’s account.
Cybersecurity experts like Seqrite have developed innovative features in their products to help fight scams like BEC. Seqrite’s Endpoint Security is loaded with features that up the organization’s defense against malware and phishing attacks like BEC. It offers superior phishing protection against attacks that originate from malicious codes over the internet by stopping them from entering the network and spreading across. Other features included in their email security tool help identify the nature of emails coming from various email gateways as well as provide robust protection against suspicious messages. BEC data thefts can be avoided by integrating Seqrite’s Data Loss Prevention solution with the email marketing plans. Policy-based encryption allows information to be encrypted and accessible only to authorized personnel. BEC is a serious threat but with Seqrite as your security partner, it can be tackled with ease.
As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more