These days, most people are aware that cybercrime is a very real and ever-increasing threat. Due to the Covid-19 pandemic, many workers were forced to work remotely for the first time, from their bedrooms, living rooms and kitchens. Terms like ‘phishing’ and ‘ransomware’ are now frequently seen and heard, but there is another type of threat that saw a huge increase in frequency in 2020: Business Email Compromise.
So what exactly is Business Email Compromise?
Business Email Compromise (BEC), also known as ‘CEO Fraud’, is a type of scam in which attackers impersonate a high-level member of an organisation and try to convince another employee to carry out an action, frequently some form of financial transaction.
Often, they find the names and email addresses of CEOs or CFOs online and use other publicly available information to make their emails seem legitimate. Where the organisation’s domain is not protected by email authentication (SPF, DKIM and an enforcing DMARC policy), they can spoof the executive’s email address exactly; otherwise they register a look-alike domain or simply put the executive’s name in the display name of a free webmail account. The emails don’t usually contain links or attachments, so there is nothing for link-scanning or malware filters to catch, making the attacks difficult to spot.
Here’s what a typical BEC scam email might look like:
Can you assist with an urgent task?
I need you to purchase some Google Play gift cards for an important potential client. Can you go to the nearest shop and purchase three €250 cards and send me photos of the numbers you find on the back?
I’m in a meeting for the next two hours, so please don’t disturb me until afterwards, just send over the cards as soon as possible.
The scammers will often make up some reason why they can’t be contacted in the normal manner, so you can’t double-check with the actual executive, and invent some out-of-the-ordinary reason why you need to take action immediately. The purchase of gift cards, as in the example above, is quite a common ask by scammers.
Another, more traditional BEC scam involves sending accounting or payroll staff an email pretending to be from a vendor or company they do business with, requesting that the bank account details on file be updated. Then, when the next payment is made, the funds go into the scammer’s account rather than to the intended recipient.
Business Email Compromise scams are not limited to rerouting finances. Sometimes they request copies of employee data (such as lists of staff and their tax returns), which can be sold on the dark web or exploited in identity fraud.
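The warning signs described above (an executive’s name on a message that fails authentication or comes from the wrong domain, a Reply-To that quietly redirects the conversation elsewhere, and lures about gift cards, urgency or changed bank details) can all be checked mechanically from the message headers and text. The script below is an added example written for this article, not code from Tech Guard; the executive directory, the organisation domain and the three sample messages are constructed for illustration.

```python
"""Flag likely executive-impersonation (BEC) emails from their headers and text.

Added example, not part of the original article. ORG_DOMAIN and EXECUTIVES are
assumed values; the three sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# assumed: lower-case display name -> the only legitimate mailbox for that person
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# phrases the article identifies as typical BEC lures
LURE_PHRASES = ("gift card", "bank details", "urgent", "don't disturb", "wire transfer")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_result(msg, method: str) -> str:
    """Return pass/fail/none for spf, dkim or dmarc from Authentication-Results."""
    for header in msg.get_all("Authentication-Results") or []:
        m = re.search(rf"\b{method}=(\w+)", header, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"


def bec_indicators(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    if name.strip().lower() in EXECUTIVES:
        # display-name impersonation: the executive's name on someone else's mailbox
        if addr.lower() != EXECUTIVES[name.strip().lower()]:
            findings.append(f"display-name impersonation: '{name}' sent from {addr}")
        # exact spoof of our own domain: trust it only if the receiving MX saw DMARC pass
        dmarc = _auth_result(msg, "dmarc")
        if from_domain == ORG_DOMAIN and dmarc != "pass":
            findings.append(f"From claims {ORG_DOMAIN} but DMARC={dmarc}")

    # a Reply-To on another domain redirects the reply to the scammer's real mailbox
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    return findings


# Constructed sample 1: exact spoof of the CEO's address, caught by DMARC and the Reply-To.
SPOOFED_MSG = """From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <janedoe.ceo@gmail.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
Subject: Urgent task

Can you assist with an urgent task? I need you to purchase some Google Play gift cards.
I'm in a meeting for the next two hours, so please don't disturb me until afterwards.
"""

# Constructed sample 2: look-alike domain; DMARC passes because the attacker owns that domain.
LOOKALIKE_MSG = """From: Jane Doe <jane.doe@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=pass header.from=examp1e.com
Subject: Quick favour

Are you at your desk? I need a favour.
"""

# Constructed sample 3: genuine mail from the CEO.
LEGIT_MSG = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
Subject: Board pack

Attached is the board pack for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG), ("legit", LEGIT_MSG)):
        print(label, bec_indicators(sample) or "no indicators")
```

The second sample is the one worth noting: SPF and DMARC both pass, because the attacker controls examp1e.com, so authentication alone never catches a look-alike domain. Matching the display name against a directory of the people most likely to be impersonated is what flags it, which is why this check belongs alongside, not instead of, the verbal-confirmation policy described later.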
More than €1,500,000,000 stolen from businesses in 2020 alone
With more business being conducted over email, and less face-to-face contact with our co-workers, Business Email Compromise scams have sky-rocketed in recent years. The FBI reported a 136% increase in successful BEC attacks reported to them between 2013 and 2018, and that was before the pandemic forced many organisations into the great remote-working experiment. An estimated $1.8 billion (just over €1.5 billion) was stolen from businesses through Business Email Compromise scams in 2020 alone.
What’s more, analysts predict that these attacks will only grow more common. While high-profile ransomware attacks that affect huge corporations and critical infrastructure make the news, BEC scams on small businesses frequently do not. Since so many of these attacks fly under the radar, cyber criminals see them as less risky and more profitable.
How do I protect myself (or my employees) from Business Email Compromise?
There are two main ways to combat BEC – user education and stringent processes around transfers of money and data.
In terms of processes, having a policy in place whereby accounting/financial staff must verbally confirm (either over the phone, or face to face) whenever a payment is made to a new supplier, or bank details are changed for an existing supplier, can help to stop BEC scams from working. The confirmation call must go to a number already on file or in the company directory, never to a number given in the email itself, since a scammer will happily supply their own. With such a policy in place, a strange request from ‘the CEO’ to purchase gift cards, telling the recipient to act without the proper authorisation procedure, is a dead giveaway that the request is probably fraudulent.
The other main way to combat Business Email Compromise is by providing security awareness training for staff (pro-tip: training is also an effective way to combat phishing & ransomware). BEC scams rely heavily on social engineering, rather than complex technological exploits, so it’s crucial that staff know how to identify the warning signs, and verify the identity of the sender before actioning any potentially malicious requests.
With alert staff who stop, look and think before sending their organisation’s hard-earned cash to cyber criminals, and robust policies in place to protect everyone from malicious actors, you will be well on your way to combating Business Email Compromise, and depriving cyber criminals of funding.
Tech Guard can help increase user awareness and combat phishing!
For more information on cyber security awareness training, contact Tech Guard today for a demo of our training and phishing service. We use a Gartner-leading training platform and a proven, data-driven approach to educate users and reduce risk.
Or, if you want to see just how at-risk your organisation is, speak to us about performing a blind phishing test on your users. Phishing tests are a practical and proactive way to teach users how to identify the telltale signs of malicious emails, before they click on something that will cripple your network.