In today’s SensCy Cyber Brief, your SensCy team is investigating Business Email Compromise (BEC) fraud and methods used by threat actors that could leave your organization vulnerable.
What is Business Email Compromise?
Although it does not get the media attention it deserves, Business Email Compromise, also referred to as Email Account Compromise (EAC) is arguably the most financially damaging online crime for your organization. According to the Federal Bureau of Investigation, between June 2016 and December 2021, BEC fraud cost businesses around the world $43 billion in losses, $2.4 billion in 2021 alone. Based on the research conducted by the SensCy team, it is likely that the number of BEC will increase in the near future. This is due to the surge of remote workers and the subsequent volume of emails, both business and personal.
How criminals carry out BEC and EAC scams/ attacks?
The criminal group carrying a BEC scam will likely send an email message that appears to be coming from a trusted and known source, so the request appears to be legitimate. For example, a vendor your company regularly works with sends an invoice with a new mailing address or the CEO or an employee in a leadership position asks her assistant to purchase gift cards to reward its employees.
In the majority of cases, the criminals will spoof an email account or website with slight variation in the address to fool victims into thinking the fake accounts are real. They will also use social engineering and spear phishing to gather information about your company (calendar, personal data, any credentials.) And in some cases, the criminal can use malware to infiltrate your company’s network. With all of this information, the criminal can then perform the BEC and receive a wire transfer to the bank account controlled by the criminal group.
How do you report a scam?
If you or your company fall victim to a BEC scan, contact your financial institution immediately and request that they contact the financial Institution where the wire transfer was sent. Then, contact your local FBI field office to report the crime.
How do you protect yourself and your company?
The SensCy team recommends continued, in depth, phishing training for all employees to raise awareness as we believe BEC fraud will become more common. Don’t click on anything in an unsolicited email. Carefully examine the email address, URL, and look for potential spelling errors. Don’t download any attachments from unsolicited emails. Enable multi-factor authentication. Please contact your SensCy client advocate for any additional questions regarding this issue.