Business email compromise (BEC) is a dangerous type of email spoofing that targets businesses, aiming to damage them in some way. Overall, BEC “is one of the most financially damaging online crimes,” according to a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA). Another report shows that 29% of the Chief Information Security Officers (CISOs) surveyed cite BEC and phishing as posing the greatest danger to their enterprises.
Although BEC is predominantly used to steal money, this type of attack can come in many forms, with a variety of goals. Some criminals use spoofed emails and domains to impersonate employees, order products, or demand sensitive information. They can resell goods at a markup, and with much lower health and safety standards, which reflects badly on their target company, and can damage its reputation.
BEC Tactics, Techniques, and Procedures
Cybercriminals have many methods of carrying out attacks, some of which are hard for the untrained eye to recognize. As the general idea of BEC is to impersonate a legitimate company, most of the tactics include tricks that make odd behavior harder to detect. Attack prevention, therefore, can rest on being able to see through the veil that cybercriminals carefully construct to carry out their attacks.
Criminals attempting a BEC attack often create email accounts or websites that imitate a legitimate company as closely as possible. They cannot always employ domains or email addresses that already exist, of course, so they resort to subtle changes, such as extra or missing letters or words, substitute characters, or a separate top-level domain. It is important to be wary of these tactics, as they are by nature easy to miss unless one is specifically looking for irregularities.
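As an added example (not the advisory's own code), the following Python check sorts a sender's domain into the lookalike categories described above: a different top-level domain, substituted characters, a letter or two added or missing, or the real name padded with extra words. The legitimate domains, suffix list and sample addresses are constructed placeholders for illustration.

```python
# Added example, not from the advisory: flag sender domains that imitate one of
# an organisation's own domains. Domains and sample addresses are constructed.
LEGIT_DOMAINS = ["acmefoods.com", "acmefoods.co.uk"]   # constructed
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.nz"}        # crude; not a full suffix list
# Visually confusable substitutions commonly seen in lookalike domains
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label):
    """Collapse confusables so 'acmef00ds' compares as 'acmefoods' (applied to both sides)."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def split_domain(domain):
    """Return (label, suffix), e.g. 'acmefoods.co.uk' -> ('acmefoods', 'co.uk')."""
    parts = domain.split(".")
    if ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(parts[:-2]), ".".join(parts[-2:])
    return ".".join(parts[:-1]), parts[-1]

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address):
    """Label the sender domain: legitimate, a named kind of lookalike, or unrelated."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in LEGIT_DOMAINS or any(domain.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"                        # the domain itself or a real subdomain
    label, suffix = split_domain(domain)
    norm = normalize(label)
    for legit in LEGIT_DOMAINS:
        legit_label, legit_suffix = split_domain(legit)
        legit_norm = normalize(legit_label)
        if norm == legit_norm:                     # same name once confusables are collapsed
            if suffix != legit_suffix:
                return "lookalike: different top-level domain"
            return "lookalike: substituted characters"
        if edit_distance(norm, legit_norm) <= 2:   # a letter or two added, dropped or swapped
            return "lookalike: near-miss spelling"
        if legit_norm in norm:                     # real name embedded among extra words
            return "lookalike: extra words"
    return "unrelated"
```

A check like this belongs in the mail gateway or a transport rule so that flagged senders are tagged before a finance or purchasing employee ever sees the message.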
It is also possible, however, for cybercriminals to gain access to the email system of a legitimate company, and to use that access to send unauthorized messages. This is sometimes the case with CEO fraud, where a cybercriminal impersonates a company executive in order to extort what they desire from lower-level employees. If an email appears to be from a higher-ranking member of the company, employees are more likely to trust links and attachments, or to send sensitive information, or even money to the attackers.
In the food and agriculture sector, these attacks are no less prevalent, and certainly no less harmful, than anywhere else. Recently, cybercriminals have increasingly used BEC as a means of stealing physical goods, as opposed to simply extorting money. The government report cites several attacks or attempted attacks on businesses in the food and agriculture sector that sought to fraudulently obtain shipments of supplies using a company name, leaving the suppliers unpaid and the “buyers” owing money for a shipment they did not order. Some of these attacks were caught before the damage could be done, while others resulted in losses in the hundreds of thousands of dollars.
How to Protect Against BEC Schemes
Protecting against BEC and its dire consequences is not a simple task. There is no easy solution, but there are several steps that the government report suggests to help prevent these attacks. Firstly, it is crucial to train employees so that they are aware of how to identify falsified emails, email addresses, and web domains. This training must be both ongoing and updated to adapt as technologies and threats change.
Another useful action is to deploy security awareness training and exercises that allow employees to understand the risks of BEC and other phishing techniques. Educating your staff about the dangers of clicking unknown links or downloading unverified attachments is a significant step that may save businesses from serious attacks. As is often said, a company’s data and assets are only as secure as its weakest link, and every employee has the potential to be the strongest link in preventing a cyberattack.
Additionally, searching the business on the internet is a good way to find and identify fraudulent uses of the company name. This action can uncover false websites, social media accounts, or publications that claim to be from the company. Discovering these fraudulent artifacts before they are used to deal massive damage is important to the well-being of the company.
Encourage employees to ask for clarification or authentication about things like changes to invoices, banking information, or contact information. This helps to decrease the chances of an employee simply complying with a fraudulent request. There are also many other ways to decrease the success of a BEC scam, including the implementation of two-factor authentication, ensuring the correct settings are used on employee devices, and keeping an eye on financial accounts for any irregularities.
Because BEC consists of imitating an existing legitimate corporation or its employees, a large portion of protecting against it comes down to maintaining a healthy sense of skepticism. Last-minute changes, unexplained urgency, and suspicious requests should always be investigated and verified. Employees should be trained in spotting the signs of a fraudulent email, and encouraged to authenticate any and all suspicious communications. BEC can have a massive impact on a company’s assets, financial situation, and reputation, and should be a priority for all.