Light Dark
June 20, 2018 By Joan Goodchild 3 min read
Fraud Protection
Data Protection

Business email compromise (BEC) is a type of phishing scheme in which an attacker impersonates a high-level executive and attempts to trick an employee or customer into transferring money or sensitive data. This crime is particularly stealthy because it employs social engineering techniques to manipulate users.

BEC is on the rise — and it’s often difficult to prevent because it’s so targeted. So, what do you need to watch out for?

A Sneaky Social Engineering Scam

According to the FBI’s 2017 Internet Crime Report, BEC and email account compromise (EAC) represented the highest reported losses — costing 15,690 victims more than $676 million. BEC often subverts detection because the transaction appears legitimate from the company’s perspective. Confirmation calls and other authentication mechanisms also do typically reach the employee who submitted the legitimate request, making BEC even trickier to identify.

Read the white paper: Adapt to new phishing threats and assess websites automatically

The victims of BEC scams range from small businesses to large corporations, according to a public service announcement (PSA) from the FBI. Victims also come from a variety of industries, with no one sector appearing to be a favored target. BEC is a profitable crime due to the nature of the targeted attacks.

“The subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scams,” wrote the FBI in the PSA.

Tripwire reported that criminals do a lot of homework — and seek a variety of information — when targeting a victim, including:

  • General information about the company (i.e., where it does business and with whom)
  • Names and titles of company officers
  • Management organizational structure
  • Information about new rounds of funding
  • Information about new products, services and patents
  • Product or geographic expansion plans
  • Travel plans

Common Characteristics of BEC Attacks

According to the Internet Crime Complaint Center (IC3), BEC complaints share some common characteristics. Businesses that use open source email services are frequently targeted, for example, as are employees who handle wire transfers.

The scenario often plays out like this: An email arrives that appears to be from a high-level executive within the company — or even a business partner or company attorney. Since the email address has been spoofed, it appears to be legitimate. A request for a wire transfer is included in the email, which urges the recipient to take immediate action.

The fraudulent email might claim, for example, that a supplier requires prompt payment for a service rendered. IC3 reported multiple instances of fraudsters impersonating lawyers and reaching out to potential victims to handle supposedly confidential or time-sensitive matters.

Keep in mind: Requests for money might ultimately come via a phone call. While BEC is initiated over email, criminals can use various modes of communication to complete the fraud.

Related: IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies

Awareness Is the Key to Battling BEC

To keep these threats at bay, security leaders should implement a comprehensive awareness program for employees that spells out the details of BEC and how to recognize potentially malicious emails. The program should train users to identify suspicious requests and cross-reference the sender’s email with the corresponding executive’s known address. Most importantly, employees should not reply to risky emails under any circumstances.

Another best practice is to set up an email gateway to flag keywords like “payment,” “urgent,” “sensitive” and “secret” — all of which are common in fraudulent emails. Companies should also register as many domains as possible that are slightly different from the legitimate company domain to minimize the risk of email spoofing. Company leaders should avoid using free, web-based email services. Instead, they should establish a company domain name and use it to create official company email accounts.

Also, security leaders should coach employees to be mindful of what they post on social media. Cybercriminals can appropriate seemingly benign information, such as birth dates, favorite foods and places of residence, to personalize their social engineering schemes.

Finally, human resources (HR) teams should be aware that any job information posted on a company website can be used to facilitate targeting phishing scams, especially job descriptions, organizational charts and out-of-office details.

Listen to the podcast: Social Engineering 101 — How to Hack a Human

 |  |  |  |  | 
Joan Goodchild
Contributor

More from Fraud Protection
July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

March 13, 2024

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

March 7, 2024

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature