Business Email Compromise (BEC) scams are a rising tide in the cybercrime world, swamping businesses with staggering losses. According to the FBI's Internet Crime Complaint Center (IC3), reported BEC losses grew from a hefty $1.2 billion in 2018 to an alarming $2.7 billion in 2022, and there's no sign of them slowing down.
But it’s not just the big players who are in the crosshairs. Small and medium-sized businesses (SMBs) are increasingly targeted, often caught off-guard due to a lack of awareness about this looming threat.
What Are BEC Scams?
Business Email Compromise (BEC) scams are a sneaky, high-stakes game of digital deception, with scammers using email as their main weapon. The scammer's goal is either to gain control of a business or personal email account, through social engineering or computer intrusion techniques, or to impersonate one convincingly enough that nobody notices the difference.
They then use these compromised email accounts to conduct unauthorized transfers of funds or to request sensitive personal or financial information. In some cases, the scammers impersonate high-ranking company officials, legal advisors, or vendors, creating a sense of urgency or authority to prompt hasty actions by the victims.
Several distinct types of BEC scams have been observed in the wild:
- Fake invoice schemes: This is where scammers pretend to be your suppliers. They send you fake invoices that look real, hoping you’ll just pay them without double-checking.
- CEO fraud: Here, the scammer poses as the big boss—maybe your CEO or another top executive. They send an email that seems to come from them, usually asking for an urgent money transfer.
- Attorney impersonation: In these scams, the fraudsters pretend to be lawyers or legal advisors, usually emailing you about something confidential or urgent that needs quick financial action.
- Data theft: By targeting HR or finance folks, data theft scams aim to get personal or financial info about employees or the company. Remember: it’s not always about money.
- Commodity theft: Last but not least, this type of BEC scam is a bit different because it focuses on physical goods. Basically, scammers order products or services using a compromised email account, often posing as a legitimate employee or business associate, but never paying for them.
According to the FBI, these various types of BEC scams have together hit every state in the US and 177 countries across the world. Most of the fraudulent transfers end up in banks in Hong Kong and China, but money is also routed through the UK, Mexico, and Singapore. The FBI also notes that the real estate sector is targeted particularly often, but no sector is safe.
Business Email Compromise (BEC) vs. Email Account Compromise (EAC)
While closely related to BEC, Email Account Compromise (EAC) specifically involves attackers gaining direct control over an individual’s email account. In EAC scenarios, this compromised account is then used to conduct BEC-like scams or other cyber attacks, leveraging the access to the account to trick others within or associated with the organization.
How Do BEC Scams Work?
Despite the variety in BEC scams, they can all be broken down into the same main steps:
- Target identification: The scam begins with the identification of potential targets. Scammers often focus on individuals within a company who have the authority to make financial transactions or access sensitive information. These targets are usually identified through public sources such as company websites, social media platforms, or professional networks like LinkedIn.
- Gathering intelligence: Once targets are identified, scammers spend time gathering information about them and their organization. This can involve studying the company’s organizational structure, the specific roles and responsibilities of employees, and even the style and tone of communication typically used within the company.
- Creating a convincing persona: Using the gathered information, the scammer then creates a convincing persona. This could be a fake identity resembling a trusted vendor, a high-ranking executive within the company (like a CEO), or a known business partner. The aim is to make the identity as believable as possible to not arouse suspicion.
- Establishing contact: The scammer initiates contact using the crafted persona, usually by email. The message comes either from the compromised account itself, from a lookalike address or domain that differs from the real one by a character or two (for example "rn" standing in for "m"), or from an unrelated address carrying a spoofed display name that matches someone the target knows.
- The fraudulent request: Once trust is established, the scammer makes a fraudulent request. As explained in the previous section of this article, this could be a request for a wire transfer, changing payment details for a transaction, or requesting sensitive information. The request often comes with a sense of urgency or confidentiality to pressure the target into acting quickly without verifying the information.
- Execution and extraction: If the target complies with the request, the scammer quickly moves to extract the funds or data. This phase is time-sensitive, as the scammer will want to complete the transaction before the fraud is detected.
BEC scams rely heavily on social engineering and impersonation, making them particularly challenging to detect and protect against. They exploit the routine nature of email communication in business settings, turning an organization’s own processes and habits against it. However, this doesn’t mean that businesses are defenseless.
Strategies to Protect Your Small Business from BEC Scams
To effectively combat BEC scams, your defense strategy should be as human-centric as the scams themselves, focusing on awareness, verification, and robust security protocols. Let’s explore several strategies that can shield your business from these attacks.
Cybersecurity Awareness Training
Regular cybersecurity awareness training sessions for employees are crucial. These should focus on identifying the signs of BEC scams, such as unexpected requests for money transfers or sensitive information. Empower your team with the knowledge to spot red flags, like display names or email addresses that almost match known contacts, a Reply-To that points somewhere other than the sender, or urgent and unusual requests, especially any request to change bank details.
Additional Verification
Always verify requests for changes in payment or account information through a secondary channel. For example, if you receive an email request to change a vendor's banking details, confirm it with a phone call to a number already on file, never one provided in the email, and do not reply to the email to confirm. Make this a fixed step for every bank-detail change, not only the ones that look suspicious, since a convincing scam by definition does not.
Email Authentication Protocols
Start by setting up email authentication protocols for your own domain: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance), and move the DMARC policy to enforcement (quarantine or reject) once your legitimate mail streams pass. These protocols let receiving mail servers verify that a message claiming to come from your domain really did, so scammers cannot spoof your exact domain to your customers, vendors, or staff; enforcing DMARC on inbound mail gives your users the same protection against other domains that publish a policy. Be clear about what they do not cover: a lookalike domain registered by the attacker will pass SPF, DKIM, and DMARC for that domain, and a genuinely compromised account sends fully authenticated mail. Those cases still depend on verification and user awareness.
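The checks above (lookalike domains and display-name mismatches from the contact step and the awareness section, Reply-To mismatches, the DMARC verdict, and pressure language) can be run over an inbound message's headers and body. The following is an added example and not OSIbeyond's code or any product's; the trusted-domain list, the known-contact directory, and the three sample messages are constructed for illustration, and a real deployment would take them from the directory and mail gateway instead of hard-coding them.

```python
"""Flag common BEC red flags in one raw RFC 5322 message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: the organization's own domain and a vetted vendor domain.
TRUSTED_DOMAINS = {"example.com", "acme-supplier.example"}
# Constructed: display names staff recognise, mapped to the real address.
KNOWN_CONTACTS = {"jane doe": "jane.doe@example.com"}
# Phrases BEC lures lean on to short-circuit verification.
URGENCY_TERMS = ("urgent", "immediately", "confidential", "wire",
                 "updated banking", "new account details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between domains indicates a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    # Collapse confusable pairs attackers rely on (rn->m, 1->l, 0->o).
    folded = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def bec_red_flags(raw: bytes) -> list[str]:
    """Return human-readable red flags found in the message; [] means none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)

    # 1. Lookalike domain. Note DMARC can legitimately pass for the attacker's own domain.
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"sender domain {from_dom!r} resembles trusted domain {imitated!r}")

    # 2. Display-name spoofing: a familiar name on an unfamiliar address.
    expected = KNOWN_CONTACTS.get(from_name.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        flags.append(f"display name {from_name!r} is known but address {from_addr!r} is not")

    # 3. Reply-To steering replies to a domain other than the From domain.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply_addr)!r} differs from From domain")

    # 4. DMARC verdict the receiving gateway recorded in Authentication-Results.
    verdict = re.search(r"\bdmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    if verdict and verdict.group(1).lower() != "pass":
        flags.append(f"DMARC result is {verdict.group(1)!r}")

    # 5. Pressure language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append(f"pressure language: {', '.join(hits)}")
    return flags


# Constructed sample messages, not real traffic. "exarnple.com" is the lookalike.
LOOKALIKE_MSG = b"""From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: jane.doe@personal-mail.example.net
To: accounts@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; dmarc=pass header.from=exarnple.com
Content-Type: text/plain

Please pay the attached invoice immediately to our updated banking details.
Keep this confidential until the deal closes.
"""
SPOOFED_MSG = b"""From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
Content-Type: text/plain

I need this handled urgently, are you at your desk?
"""
LEGIT_MSG = b"""From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 expense report
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE_MSG), ("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(label, bec_red_flags(sample) or ["no red flags"])
```

The lookalike sample is the instructive one: it passes DMARC, because the attacker controls `exarnple.com` and published records for it, and is caught only by the domain-similarity, display-name, and Reply-To checks. The exact-domain spoof is the case DMARC enforcement on your own domain handles.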
Robust Email Security
Use advanced email security solutions that can filter out phishing messages and suspicious emails. These tools often use artificial intelligence and machine learning to detect anomalies in email patterns, helping to catch fraudulent emails before they reach your inbox.
Multi-Factor Authentication
MFA adds an extra layer of security to your email accounts and other systems. When implemented correctly, it blocks a login that has only a stolen password, which is the usual starting point of an email account compromise. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys where you can: one-time codes and push approvals can be relayed through a fake login page or worn down with repeated prompts, and mailbox takeovers that feed BEC scams use exactly those techniques.
Regular System Updates
Keep all your systems and software up-to-date. Attackers often exploit vulnerabilities in outdated software. Regular updates can close these security gaps, making it harder for attackers to infiltrate your systems.
Monitoring Financial Transactions
Keep a close eye on your business's financial transactions. Look out for irregularities like unusual invoice amounts, payments to an account that differs from the one on file, or recent changes in vendor payment details, and hold such payments until they have been verified out of band. Regular reviews can help catch fraudulent activity early, ideally before the wire leaves.
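One way to turn the review above into a pre-payment hold, as an added example that is not OSIbeyond's code or any accounting product's: each payment instruction is compared with the vendor master record and held when the account differs from the one on file, when the account on file was changed recently or never verified by phone, or when the amount is far outside the vendor's history. The vendor records and requests are constructed, and the three-day cooling-off window and three-standard-deviation threshold are assumptions to tune for your own volumes.

```python
"""Hold payment instructions that show BEC-style irregularities (added example)."""
from dataclasses import dataclass, field
from datetime import date
from statistics import mean, pstdev


@dataclass
class Vendor:
    name: str
    account: str                # bank account currently on file
    account_changed_on: date    # when that account was last changed
    change_verified: bool       # confirmed by phone on the number on file?
    past_invoices: list = field(default_factory=list)


@dataclass
class PaymentRequest:
    vendor: str
    account: str
    amount: float
    requested_on: date


def review_payment(req: PaymentRequest, vendors: dict,
                   cooling_off_days: int = 3, sigma: float = 3.0) -> list:
    """Return reasons to hold the payment; an empty list means release it."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["vendor not in master data; onboard and verify before paying"]
    reasons = []

    # Irregularity 1: the instruction names an account that is not on file.
    if req.account != vendor.account:
        reasons.append("account differs from vendor master; confirm by phone on the number on file")
    # Irregularity 2: the account on file itself was changed recently or never confirmed.
    elif not vendor.change_verified:
        reasons.append("account on file was changed but never verified out of band")
    elif (req.requested_on - vendor.account_changed_on).days < cooling_off_days:
        reasons.append(f"account on file changed fewer than {cooling_off_days} days ago")

    # Irregularity 3: amount far outside this vendor's usual range.
    history = vendor.past_invoices
    if len(history) >= 3:
        mu, sd = mean(history), pstdev(history)
        # Assumption: with a flat history (sd == 0) allow 25% drift before flagging.
        threshold = sigma * sd if sd > 0 else 0.25 * mu
        if abs(req.amount - mu) > threshold:
            reasons.append(f"amount {req.amount:,.2f} is unusual for {vendor.name} (typical ~{mu:,.2f})")
    return reasons


# Constructed vendor master: one vendor with a verified account and a stable invoice history.
VENDORS = {
    "Acme Supplies": Vendor("Acme Supplies", "GB11TEST0000000000000001", date(2024, 1, 10), True,
                            [4800.0, 5200.0, 5000.0, 4900.0, 5100.0]),
}

# Constructed payment instructions covering the routine case and each irregularity.
REQUESTS = {
    "routine": PaymentRequest("Acme Supplies", "GB11TEST0000000000000001", 5050.0, date(2024, 3, 1)),
    "new_account_big_amount": PaymentRequest("Acme Supplies", "GB11TEST0000000000000099", 48000.0, date(2024, 3, 1)),
    "inside_cooling_off": PaymentRequest("Acme Supplies", "GB11TEST0000000000000001", 5000.0, date(2024, 1, 11)),
    "unknown_vendor": PaymentRequest("Globex Ltd", "GB11TEST0000000000000042", 1200.0, date(2024, 3, 1)),
}


def triage() -> dict:
    """Run every constructed request through review_payment, keyed by label."""
    return {label: review_payment(req, VENDORS) for label, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, reasons in triage().items():
        print(f"{label}: {'RELEASE' if not reasons else 'HOLD'} {reasons}")
```

The `elif` chain is deliberate: a request naming an unknown account is already held, so there is no need to also complain about the age of the account on file. Everything this script holds still goes to a human who calls the vendor on the number already on file; the script only makes sure that call happens.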
Reporting and Response
If you detect a fraudulent transfer, act immediately. Contact your financial institution to request a recall of the funds, and file a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov, which can help coordinate the recall with the receiving bank. Quick action is critical: the odds of recovering the money drop sharply once it has been moved on. Treat the incident as a possible account compromise as well: reset the affected credentials, revoke active sessions, and check the mailbox for forwarding or auto-delete rules the attacker may have added to hide their activity.
Conclusion on Email Scams
While the strategies outlined provide a strong foundation for defense, the complexity and ever-evolving nature of BEC scams call for ongoing expert guidance. This is where OSIbeyond comes in.
As a managed IT and cybersecurity service provider, we specialize in equipping businesses like yours with the tools and expertise needed to keep BEC scams at bay. Our team can help fortify your defenses with tailored solutions, ensuring that your business remains secure in the face of these sophisticated threats.
Don’t let your business be an easy target. Contact OSIbeyond today, and let’s work together to safeguard your business’s future.