We'll cover what BEC scams (Business Email Compromise scams) are, how they work, what you should look for, and what to do about them, including:
- What the Heck is a BEC Scam?
- 3 Reasons BEC Attacks Are Getting Worse
- Examples of BEC Fraud
- Key Identity Deception Tactics You Need to Know
- How Can BEC Scams Be Blocked?
What the Heck is a BEC Scam?
Here’s how BEC scams work: Business Email Compromise (BEC) scams occur when fraudsters use spoofed or hijacked email accounts to impersonate trusted contacts—like vendors or senior executives—and ask employees to wire payments or make purchases under false pretenses.
According to the FBI, BEC scams have led to more than $26 billion in business losses worldwide from 2016 through 2019—or more than $700 million per month. Then along came 2020. So far this year BEC attacks have been proliferating at an ever-increasing rate. As of May 31, the bureau's Internet Crime Complaint Center (IC3) reported the total volume of advanced email attacks had already exceeded all of 2019.
3 Reasons BEC Attacks Are Getting Worse
There are three primary drivers behind these underlying trends.
- Successful BEC scams depend less and less on technical know-how and more on savvy social engineering. The malicious links or malware used in earlier attacks are easily detected and blocked by most email security controls.
- The ROI achieved in these attacks has earned the attention of some of the world's top cybercriminals. Agari researchers were the first to document the fact that the West African email fraudsters who pioneered BEC methodologies now face competition from sophisticated Eastern European crime syndicates and operatives in more than 50 countries, including the US.
- The coronavirus pandemic, social unrest, and political uncertainty have provided a surfeit of emotional levers for swindlers to exploit. In addition to grappling with remote working, housebound children, financial stress, and any number of other distractions, corporate employees are getting bombarded by BEC scams and other advanced email threats.
Examples of BEC Fraud
Once known primarily as "CEO Fraud," BEC can now more accurately be described as a broad category of email-based attacks designed to pilfer money from corporations. Popular scams include:
- Vendor Email Compromise: Fraudsters use stolen credentials to infiltrate corporate email accounts, spy on email conversations, and then impersonate the organization's employees in emails requesting that payment for invoices be sent to bank accounts the imposters secretly control.
- Payroll Diversion: Attackers target HR or accounting personnel by posing as employees in emails requesting last-minute changes to direct deposit details in time for the next pay period.
- Gift Card Scams: Fraudsters impersonate senior managers asking admins and other employees to purchase gift cards for upcoming staff appreciation efforts. In these cons, perpetrators request the gift card number and the PIN on the back of the cards, which can then be sold in online cryptocurrency exchanges.
- Aging Financial Accounts Scams: Here, cybercriminals assume the identity of a senior executive to obtain aging accounts receivable reports from one company, and then use the information gleaned from those reports to target that company's customers with requests for payment on legitimate, past-due invoices.
- Transaction Diversion: Shysters infiltrate email accounts at VC firms, law offices, real estate offices, or other organizations involved in large transactions to surveil email conversations. At the most opportune moment, they send an email instructing the purchasing entity to wire funds to the thieves' own accounts.
Key Identity Deception Tactics You Need to Know
Regardless of the form of attack, BEC scams use identity deception to convince recipients to take action under the mistaken belief they are responding to a legitimate request from a trusted individual or organization.
Lookalike domains, spoofing, display-name deception and messages sent from hijacked email accounts are just a few of the mechanisms cybercriminals use to send malicious emails that are virtually indistinguishable from legitimate email messages from known senders.
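As an added example that is not part of this post or of any Agari product, the following Python script turns the four tactics just named (lookalike domains, spoofing, display-name deception, and hijacked accounts, via a redirected Reply-To) into checks run over raw message headers. The corporate domain, the executive list, the trusted vendor domain and the sample messages are all constructed for the illustration. A message sent from a genuinely compromised trusted account passes every one of these header checks, which is exactly why the post goes on to call for layered controls rather than a single filter.

```python
"""Header-level checks for the BEC identity-deception tactics described above.
Directory entries, domains and messages are constructed examples (assumptions)."""
import email
from email.policy import default
from email.utils import parseaddr

# Constructed trust directory: our own domain, names fraudsters like to
# borrow, and the suppliers we actually pay. Not real organizations.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "raj patel"}            # display names, lower-cased
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-supplies.net"}


def normalize(domain):
    """Collapse common character swaps so 'acrne' reads as 'acme'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is exactly
    trusted or not close enough to count as a lookalike."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        same_label = domain.split(".")[0] == trusted.split(".")[0]   # TLD swap
        if same_label or normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyze(raw_message):
    """Return a list of finding codes for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()

    # Display-name deception: an executive's name on a non-corporate address.
    if name.strip().lower() in EXECUTIVES and from_domain != OUR_DOMAIN:
        findings.append("display-name-deception")

    # Lookalike domain imitating us or a supplier.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike-domain:{from_domain}->{target}")

    # Spoofing: claims our domain but the gateway did not record a DMARC pass.
    # Assumes the inbound gateway stamps Authentication-Results on every message.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == OUR_DOMAIN and "dmarc=pass" not in auth:
        findings.append("spoofed-sender")

    # Reply-To steering replies to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")
    return findings


# Constructed sample messages, one per tactic plus a clean internal message.
SAMPLES = {
    "gift_card": "From: Jane Doe <janedoe.ceo@webmail.example>\nTo: admin@example.com\n"
                 "Subject: Quick favor\n\nAre you free for a moment?\n",
    "vendor_lookalike": "From: Accounts <billing@acrne-supplies.net>\nTo: ap@example.com\n"
                        "Reply-To: billing@acrne-supplies.net\nSubject: Updated remittance details\n\nSee attached.\n",
    "spoofed_cfo": "From: Raj Patel <raj.patel@example.com>\nTo: ap@example.com\n"
                   "Reply-To: Raj Patel <rpatel.cfo@webmail.example>\n"
                   "Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com\n"
                   "Subject: Overdue payment\n\nPlease process today.\n",
    "legit_internal": "From: Jane Doe <jane.doe@example.com>\nTo: staff@example.com\n"
                      "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
                      "Subject: Town hall\n\nSee you Friday.\n",
}


def run_samples():
    """Map each sample name to its findings; used for the demo and the checks."""
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in run_samples().items():
        print(f"{name:17s} -> {found or ['clean']}")
```

In practice the checks would run at the gateway or over SOC-reported messages, and the directory would come from the identity provider and the vendor master file rather than from literals; the point of the script is to show that each tactic in the list leaves a distinct header-level trace, except a hijacked account, which leaves none.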
At the same time, BEC phishing messages sent from G Suite, Office 365 and other cloud email and collaboration services fly past traditional security controls because of the reputation and pervasiveness of these popular platforms.
Then there are the emails themselves. Instead of the spray-and-pray spam emails of old, the messages these fraud rings send are flawlessly researched and exquisitely personalized using context-relevant information. This can be as simple as a late-afternoon query from a senior executive who's "stuck in a Zoom call" and needs an employee in accounting to wire an overdue payment to a new vendor.
These kinds of subtle mind games are effective at throwing recipients off kilter—especially with so many eager to demonstrate responsiveness to a key executive while working from home. Far too many will follow through on such requests before thinking to confirm the legitimacy of the message. In recent simulations, phishing awareness training firm KnowBe4 found that one-third of employees will obey a fraudulent email request, no questions asked.
How Can BEC Scams Be Blocked?
Here are a few things you can do to stop BEC scams from attacking your company:
- Train your employees to identify BEC scams
- Tighten your payment processes
- Deploy identity-based phishing defenses
- Use continuous detection and response technologies
Unfortunately, doing only one of these independently of the others probably won’t be enough to protect you. Here’s why.
Lookalike domains and spoofed email addresses are hard enough to spot. Factor in malicious emails sent from pirated email accounts belonging to trusted suppliers, and the challenges grow exponentially.
Oh, and email account compromise (EAC) attacks launched from accounts belonging to a company's own senior executives? That's its own special nightmare. Most traditional email controls don't even scan internal email.
But while phishing awareness and business email compromise training is always a good idea, relying exclusively on a human firewall to spot signs of BEC and report suspect emails to the security operations center (SOC) isn't realistic.
Thanks to their sheer volume and inventiveness, BEC scams account for as much as 40% of all cybercrime business losses each year. And our own research has found that 60% of employee-reported email scams are false positives, burying SOC analysts under more reported email attacks than they can possibly handle.
Instead, layered security and accounting controls are required given the enormity of the threat.
In addition to tightened payment processes, organizations will need to deploy modern, identity-based phishing defenses with tools and solutions for blocking even the most sophisticated, socially engineered BEC attacks—including those launched from internal email accounts. And continuous detection and response technologies are required to sniff out and automatically remove malicious emails that do manage to avoid early detection.
The cost of doing nothing to stop BEC scams is rising—sometimes in unexpected ways. As National Law Review reports, case law and regulatory bodies are increasingly bringing enforcement actions against organizations that fall victim to such attacks for being negligent and reckless in failing to adequately address BEC scams and other advanced email threats that can be successfully avoided.