BEC (Business Email Compromise) is an advanced scam and one of the main threats to companies and corporate emails. It's a type of spear phishing attack.
Here's how the fraud works: someone impersonates a company’s employee, director, executive or even the CEO to make money or steal sensitive information. The criminal tries to lure and induce employees, partners and customers to take some specific action, such as wire transfer payment.
BEC is also known as CEO Fraud and Man-in-the-Email scam. In some cases, the attacker compromises a corporate email account while, in others, simply creates a similar email address. Then, he spoofs and impersonates the email owner’s identity.
FBI definition for BEC
The FBI has a less broader and more direct definition for Business Email Compromise:
“A sophisticated scam targeting businesses working with foreign suppliers and companies that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds”.
BEC, malware and social engineering
Yes, in general, BEC scams involve malware and social engineering.
Social engineering is used because, before putting the fraud into practice, criminals make an in-depth study of their victims. They search websites and social media to understand the profile of the executive, the company, and who else may be targeted in the fraud, such as employees and partners. The goal is to build the most convincing scam possible.
Malware is also used because, in many cases, BEC emails induce victims to click on malicious links and attachments. Often, the click ends up with a malware downloaded, which will enable the hacker to access the victim's device, gain control over it, and access privileged information.
Who is a BEC target?
Many people assume that BEC, as an advanced scam, is aimed almost exclusively at enterprises. It’s wrong. As FBI points out, "BEC scam ranges from small businesses to large corporations". In addition, all sectors and businesses types are possible targets.
What we can assure is: the most common victims of BEC are companies that use wire transfers. Besides email, fraudsters may also try to apply similar scams through phone calls or text messages.
Based on FBI data, there are 5 main BEC scenarios.
1. CEO Fraud. It´s when the criminal impersonates high-level business directors or executives, such as CEO (Chief Executive Officer) or CFO (Chief Financial Officer). This type of fraud is also known as Masquerading, Business Executive Scam, and Financial Industry Wire Frauds.
2. Employee Account Compromised. It happens when a company employee has his email account hacked and the fraudster uses it to commit financial crimes.
3. Bogus Invoice Scheme. It’s when fraudsters impersonate suppliers and request payments for a new and fraudulent account. This scam is also known as Supplier Swindle, and Invoice Modification Scheme.
4. Attorney Impersonation. As the name says, it happens when someone impersonates an attorney to pressure and request payment.
5. Data Theft. It’s when the criminal's main interest is for sensitive information, which can then be sold or used improperly.
How to prevent BEC
Because it’s a sophisticated scam, BEC isn’t easily identified by spam filters. That’s why you have to go beyond simple protection. Our three most important protection tips are:
1. Training. Teach your team to recognize and deal with phishing attacks. Promote refresher training frequently.
2. Authentication. Require multi-factor authentication for important processes, such as wire transfer payments.
3. Software. Have up-to-date and modern protection softwares, such as a Secure Email Gateway, with anti-spam, bayesian filtering (machine learning), anti-virus, anti-malware, and anti-DDoS.