BEC/EAC (Business Email Compromise and Email Account Compromise) is a type of advanced scam that uses social engineering and device intrusion techniques to steal money and confidential information. According to a recent FBI news, over the past 3 years, BEC/EAC attacks have resulted in losses of USD 26 billion. "The BEC/EAC scam continues to grow and evolve, targeting small, medium, and large business and personal transactions," says the agency.
Between June 2016 and July 2019, more than 166,000 BEC/EAC incidents were reported. This news only reinforces the fact that BEC/EAC has been consolidating itself as one of the most damaging types of cyber attacks on businesses, causing huge financial losses.
Let us explain the scam a little better. In a common BEC attack, the cybercriminal impersonates someone from the company itself or a business partner to mislead a person that works in the finance or human resources department. The goal is to convince this person to make a wire transfer or change an employee's deposit account.
BEC: destinations of the fraudulent money
According to the FBI, the money diverted by BEC/EAC fraud has been sent to at least 140 countries.
“Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds. However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey”.
This type of fraud has been widely used by cybercriminals for two reasons. First, it's very lucrative. Second, BEC/EAC isn't easily identified by traditional threat detection tools, as they generally, among other things, don't use malware or malicious links. BEC/EAC attacks rely only on human vulnerability, or what we call human failure.
The relationship between BEC and payroll diversion
In the announcement, the FBI made an important addendum to the number of BEC complaints involving payroll diversion.
Payroll diversion scams happen when the criminal gets an employee's credentials and then directly changes the deposit account information. But in cases involving BEC, someone from the company's finance or human resources department receives an email requesting a deposit account change. The detail is that it's a malicious email that has been spoofed or compromised.
In this scheme involving BEC and payroll diversion, the FBI received a total of 1,053 complaints. The total losses amount to more than USD 8.3 million.
Protection against BEC and sophisticated attacks
We've taken the FBI's list with tips against advanced and sophisticated attacks and added a few things to make you, your business, and your employees safer and more secure.
1. Train your team to know about scams and threats.
2. Use two-factor authentication when important information needs to be changed.
3. Check links and email addresses to make sure they are legitimate.
4. Avoid providing confidential information by email.
5. Keep systems and software up to date.
6. Have a backup plan.
7. Have an incident response plan.
8. Adopt an email protection solution that can detect advanced scams.
FBI Internet Crime Report
In April, we wrote a post about the 2018 Internet Crime Report. The document is produced by the FBI itself and features cybercrime data and statistics. Of course, we can already expect an increase in BEC cases in the 2019 report, which will be released only next year. In any case, the 2018 report is still an important point of reference. To read more about it, click here: BEC remains the most damaging threat, says FBI.