Business email compromise (BEC) is one of the most damaging cybercrimes faced by businesses today.
According to the Canadian Anti-Fraud Centre (CAFC), BEC has cost businesses over $5 billion worldwide, including Canadian businesses.
What is a BEC scam?
BEC, also sometimes referred to as “man-in-the-email” attack, is a type of scam specifically targeting companies and their employees – especially those who have access to company finances. By leveraging existing business relationships between the recipient of the email and the sender, the criminal, pretending to be the trusted sender, will convince the recipient to send money or share financial information.
Although BEC scammers use a combination of methods to trick their victims, they often gain access to business networks through a spear-phishing attack that involves a form of malware. Spear-phishing is a targeted email scam intended to steal data or install malware on a target’s computer. These attacks are often difficult to detect and can slip through traditional security measures. The best way to fight any form of email fraud is for employees to be aware of these threats and the many forms they may take.
To start, it’s important to recognize the most common types of Business Email Compromise scams. Keep reading to learn about 5 common BEC scams, the signs you should look out for, and tips on how employees can protect themselves.
96% of organizations have been targeted by an email-related phishing attempt.
5 Common BEC Scams:
1. The CEO Scam
An attacker poses as a company executive and sends a fraudulent email to an employee (likely one working in finance), requesting a transfer of money to an account the attacker controls. These spoofed emails contain slight variations from the original – legitimate – email address, making them hard to spot if the victim isn’t careful. For example, the email address [email protected] may look more like [email protected]. These emails are often written with a sense of urgency.
2. The Bogus Invoice Scheme
This scam targets companies that work with trusted suppliers, especially foreign ones. In this scheme, the attacker pretends to be the supplier sending an invoice and requesting a fund transfer to an alternative, fraudulent account.
3. Information Theft
In this scheme, criminals target employees to obtain personally identifiable information (PII) or other confidential information such as tax statements of employees and executives. This data is then used to commit fraud.
4. Account Compromise
The criminal hacks a company executive or employee’s email account to request invoice payments to vendors that are listed in their email contacts. Payments will then be sent to fraudulent bank accounts.
5. Attorney Impersonation
The attacker pretends to be a lawyer – or representative of a law firm – who has access to sensitive and confidential matters. These scams are typically conducted through email or phone and prompt the victim to urgently make a payment.
BEC Examples:
Know The Signs of a BEC Scam:
Although the tactics used by cybercriminals to carry out BEC scams are increasingly sophisticated, there are common warning signs everyone should watch out for. When employees exercise caution and review all emails carefully, the risk of falling victim to an email scam is significantly reduced. Here are some signs to look out for:
- Spoofed email addresses
Examine the addresses on any emails requesting financial transactions or sensitive information since they may be slightly altered ([email protected] vs [email protected]). Always hover over the sender’s name to get a look at the detailed email address.
- Requests for financial transactions or sensitive information
These requests usually come with pressure to act quickly, to veer from standard procedure, or involve direct contact with a company executive you are not normally in contact with. These emails may come with directions to click on a link or update financial account details. Always contact the sender directly to confirm these requests.
- Unexpected and/or urgent requests
Unexpected emails that request payment outside of the normal schedule or procedure or contain a sense of urgency to act quickly should always be examined closely.
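The three warning signs above (a look-alike sender address, a financial request, and urgent language) can be turned into a simple triage check that a mail gateway or help desk could run before a payment request reaches the finance team. The following is an added example written for this page, not code from the original post or from any vendor; the trusted domains, keyword lists and the three sample messages are constructed values, and the look-alike rules (digit-for-letter swaps, "rn" for "m", small edit distance) are an assumption about what spoofed addresses typically look like.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organization treats as trusted senders (constructed sample values).
TRUSTED_DOMAINS = {"example-corp.com", "trusted-supplier.com"}

# Phrases that signal the pressure and the financial ask described in the article.
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "today", "confidential")
FINANCE_WORDS = ("wire", "transfer", "invoice", "payment", "bank account",
                 "account number", "w-2", "tax statement")


def normalize_domain(domain: str) -> str:
    """Fold common look-alike substitutions so rn/m, 0/o, 1/l, 3/e, 5/s compare equal."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain a sender domain imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    label = norm.split(".")[0]  # registrable label before the first dot
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return trusted
        if trusted.split(".")[0] in label:  # same name under another TLD or with a suffix
            return trusted
    return None


def analyze(raw_message: str) -> dict:
    """Score one RFC 822 message against the BEC warning signs and say whether to verify out-of-band."""
    msg = message_from_string(raw_message)
    _name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    reply_domain = reply_to.rsplit("@", 1)[-1] if "@" in reply_to else sender_domain
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    findings = {
        "sender_domain": sender_domain,
        "imitates": lookalike_of(sender_domain),
        "reply_to_mismatch": reply_domain != sender_domain,
        "urgent_language": any(w in text for w in URGENCY_WORDS),
        "financial_request": any(w in text for w in FINANCE_WORDS),
    }
    # A look-alike sender is always worth a phone call; so is a money request that
    # redirects replies elsewhere or pushes for speed.
    findings["needs_verification"] = bool(
        findings["imitates"]
        or (findings["financial_request"]
            and (findings["reply_to_mismatch"] or findings["urgent_language"]))
    )
    return findings


# Constructed sample messages: a CEO-style spoof, a normal supplier invoice,
# and a message from a real supplier address whose replies go elsewhere.
SPOOFED = """From: "Dana Lee, CEO" <dana.lee@examp1e-corp.com>
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today

Please transfer $48,000 to the account below immediately. Keep this confidential.
"""

LEGIT = """From: "Pat Supplier" <billing@trusted-supplier.com>
To: accounts@example-corp.com
Subject: Invoice 1042 for March

Attached is the invoice for March, due on the usual 30-day terms.
"""

COMPROMISED = """From: "Chris Vendor" <chris@trusted-supplier.com>
Reply-To: chris.vendor.billing@mail-example.net
To: accounts@example-corp.com
Subject: Updated bank account for payments

Our bank account number has changed; please use the new details for all future payments.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("compromised", COMPROMISED)):
        print(label, analyze(sample))
```

The check is deliberately coarse: it flags the spoofed CEO message because its domain normalizes to a trusted one, leaves the routine invoice alone, and flags the third message not because of its address (which is genuine) but because the Reply-To redirects the conversation, which is how an account-compromise or invoice-redirect attempt often shows up. Anything it flags should be confirmed by phone or in person using a number already on file, never one taken from the email itself.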
How To Protect Your Business Against Email Fraud:
When it comes to cybersecurity, our advice is always the same: stay vigilant and provide employees with proper training.
Educate
Focus on prevention by training employees on cybersecurity practices and current scams. Make educational resources available at all times.
Verify
Always try to verify payment requests in person or by phone to make sure the request is legitimate. You should verify any changes in account numbers or payment procedures before taking action.
Authenticate
Consider enhancing your authentication process to a two-step or multi-step process for wire transfers or access to sensitive information.
Examine
Carefully examine all emails by looking at the email address, URL or spelling. Scammers use slight differences that may be difficult to catch if you are not careful. Be wary of urgent requests and unsolicited links.
Update
Make sure your business is protected by ensuring all software and firewalls are up to date.
Protect
Protect your business’ future by partnering with a Managed Service Provider (MSP). An MSP partner will ensure that your infrastructure, software and procedures are always up-to-date and secure. A Managed Service Provider will also work 24/7 to monitor and detect threats and eliminate them before they can paralyze your business.
Learn more about the benefits of working with a Managed Service Provider.
For additional resources on Business Email Compromise, visit:
FBI How We Can Help You – Business Email Compromise
RCMP – Business Email Compromise (BEC)