Business email compromise (BEC) is an email-based social engineering attack designed to deceive victims for fraudulent gain. According to the FBI, BEC is one of the fastest-growing and most financially damaging internet crimes. The primary targets of BEC attacks are typically employees responsible for handling sensitive information, initiating financial transactions, and making decisions.
Fraudsters frequently target executives and personnel in the finance, human resources, and procurement departments. These employees typically have access to valuable data and authority to initiate payments. Remember, fraudsters intentionally appeal to people’s natural desire to be helpful and will compound that vulnerability with demands for immediate assistance.
In website spoofing, the fraudster impersonates a company by building a website that closely resembles the legitimate one and registering a nearly identical domain name, hoping the victim will enter sensitive information into the fraudulent site. On closer review, the URL will show spelling errors or formatting oddities.
In email spoofing, the fraudster impersonates a business's or person's email address to lure the victim into replying with sensitive information, as if the email had come from the legitimate source, or into opening attachments that may carry malware and keyloggers. The email may look legitimate, and the address may appear reasonable, until closer inspection reveals spelling and/or grammatical errors.
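The "nearly identical domain name" trick behind both website and email spoofing can be caught mechanically by comparing the sender's domain against the domains of known vendors. The following is an added example, not code from the original article: the trusted-domain list, the homoglyph table and the sample addresses are constructed for illustration.

```python
import unicodedata
from typing import Iterable, Optional

# Character swaps commonly seen in look-alike domains (constructed list).
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold common character swaps."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for fake, real in _HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, trusted: Iterable[str], max_dist: int = 2) -> Optional[str]:
    """Return the trusted domain that a sender address imitates, or None.

    Exact matches and legitimate subdomains of a trusted domain pass.
    Anything else is flagged when its normalized form is within max_dist
    edits of a trusted domain, or reuses its first label
    (for example acme-corp.com.evil.example).
    """
    trusted = list(trusted)
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        if edit_distance(norm, tn) <= max_dist or norm.split(".")[0] == tn.split(".")[0]:
            return t
    return None
```

A hit means the message deserves the closer inspection the text describes before any invoice or request in it is acted on.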
More insidious than website or email spoofing is the takeover of a legitimate email account: the fraudster breaches it unbeknownst to its owner, the first victim. Typically the fraudster intercepts legitimate billing emails sent by the first victim, modifies the invoice's payment instructions, and then lets the email proceed to a second victim with no one the wiser. The recipient receives an expected invoice, notes the changed payment instructions, and sends the funds to the fraudster's bank account, believing they are now current with their vendor.
Train your staff to recognize phishing scams: phishing is the common route to unintended access to your email system, which is in turn targeted to reach business funds. Additionally, use unique usernames and passwords for each account to prevent credential stuffing, in which credentials obtained in a data breach are tried against other online accounts.
Lastly, ensure your financial accounts have multifactor authentication and alert notifications turned on, so that if a fraudster gains access to your system and edits banking information, notifications are sent to those authorized on the account.
Review the tips below to prevent becoming a victim of a social engineering attack.