BEC, also known as CEO impersonation, is defined as “a form of phishing attack where a cybercriminal impersonates an executive and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher.” While they may not get as much attention from the press as high-profile ransomware attacks, BEC scams are considered one of the biggest threats facing companies today. Between June 2016 and July 2019, there were 32,367 successful BEC scams in the … Business email compromise may involve social engineering, malware or a combination of the two. It can range from asking the victim to pay a new supplier to paying an invoice for a staff member. It exploits the fact that so many of … Account takeover (ATO) attacks, for instance, are often described as identical to Business Email Compromise. While BEC is initiated over email, criminals can use various modes of communication to complete the fraud. Often, they impersonate the CEO or any executive authorized to make wire transfers. Finally, human resources (HR) teams should be aware that any job information posted on a company website can be used to facilitate targeted phishing scams, especially job descriptions, organizational charts and out-of-office details. Another best practice is to set up an email gateway to flag keywords like “payment,” “urgent,” “sensitive” and “secret” — all of which are common in fraudulent emails. Understanding what a business email compromise attack looks like and its associated risks is the first step in safeguarding your business against this type of fraud. BEC attacks are a growing threat to businesses; recent research found that, in the second half … BEC attacks commonly target the members of staff in an organisation with the authority to both instruct and action financial payments.
BEC often evades detection because the transaction appears legitimate from the company’s perspective. A Business Email Compromise (BEC) is a form of spear (targeted) phishing that aims to trick employees (generally in finance or HR) into transferring funds into a ‘new’ business bank account (belonging to the cybercriminal) or sharing sensitive information at the request of a cybercriminal impersonating a senior executive. What is a BEC attack? Some of the sample email messages have subjects containing words such as request, payment, transfer, and urgent, among others. Most importantly, employees should not reply to risky emails under any circumstances. The good news is that understanding how BEC works can help you spot … Business email compromise (BEC) is a form of phishing attack in which a cyber attacker impersonates a high-level executive (often the CEO). Some of these reports relate to Microsoft 365, as Microsoft’s platforms are often targeted by criminals in such BEC attacks because they are so commonly used by businesses. Business Email Compromise (BEC) and Email Account Compromise (EAC) afflict businesses of all sizes across every industry. Tripwire reported that criminals do a lot of homework — and seek a variety of information — when targeting a victim, including: According to the Internet Crime Complaint Center (IC3), BEC complaints share some common characteristics. Businesses that use open source email services are frequently targeted, for example, as are employees who handle wire transfers. Business email compromise (BEC) attacks are one of the biggest cyberthreats facing organizations today, with the FBI estimating that $26 billion has been lost to these attacks over the past 3 years. More money is lost to this type of attack than to any other cybercriminal activity.
IC3 reported multiple instances of fraudsters impersonating lawyers and reaching out to potential victims to handle supposedly confidential or time-sensitive matters. From 2016 to 2018, BEC alone netted criminals $5.3 billion, but it's not an attack that everyone is familiar with. These attacks pose a serious risk to companies that manage financial transfers and payments — for example, costs to Canadian companies have been estimated at approximately $33 million since 2016 alone. Business email compromise (BEC) is a type of phishing scheme where the cyber attacker impersonates a high-level executive (CIO, CEO, CFO, etc.) Employee education is vital. Instead, they should establish a company domain name and use it to create official company email accounts. Business email compromise (BEC) is a type of phishing scheme in which an attacker impersonates a high-level executive and attempts to trick an … Confirmation calls and other authentication mechanisms also typically reach the employee who submitted the legitimate request, making BEC even trickier to identify. Insurance claims received by Aviva highlight the seriousness and increasing complexity of business email compromise attacks. Cybercriminals can appropriate seemingly benign information, such as birth dates, favorite foods and places of residence, to personalize their social engineering schemes. A new report from Barracuda, a trusted partner and leading provider of cloud-enabled security solutions, revealed that Business Email Compromise attacks made up 12 per cent of all spear-phishing attacks throughout 2020, a huge increase from just 7 per cent in the year before.
Business email compromise attacks target companies, rather than individuals, and appear to come from a colleague the person already knows. Research from email security solutions provider Abnormal Security revealed that Business Email Compromise (BEC) attacks have surged across most industries, with a drastic increase in invoice and payment fraud attacks. Business Email Compromise (BEC) has become a major concern for organizations of all sizes, in all industries, all around the world. Keep in mind: requests for money might ultimately come via a phone call. BEC attacks, meanwhile, are geared around impersonation. Attorney Impersonation: Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. The fraudulent email might claim, for example, that a supplier requires prompt payment for a service rendered. From there, they attempt to get an unsuspecting employee, customer, or vendor to transfer funds or confidential information. Account Compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Business email compromise (BEC) is a type of phishing scheme in which an attacker impersonates a high-level executive and attempts to trick an employee or customer into transferring money or sensitive data. However, in ATO attacks the attacker literally gains access to an individual’s genuine account, potentially by using brute-force “credential stuffing” techniques. So, what do you need to watch out for? Joint Advisory by Cyber Security Agency of Singapore (CSA) and Microsoft. Data Theft: Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives.
This crime is particularly stealthy because it employs social engineering techniques to manipulate users. These sophisticated attacks are similar to other phishing emails in that they impersonate someone else to gain data or money from the victim. The program should train users to identify suspicious requests and cross-reference the sender’s email address with the corresponding executive’s known address. Business email compromise (BEC) attacks are arguably the most sophisticated of all email phishing attacks, and some of the most costly. But not all BEC attacks can be painted with the same brush. To keep these threats at bay, security leaders should implement a comprehensive awareness program for employees that spells out the details of BEC and how to recognize potentially malicious emails. The FBI reported that from June 2016 to June 2019, companies reported $26.2B in losses. In 2019, the FBI’s Internet Crime Complaint Center (IC3) recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses. BEC is on the rise — and it’s often difficult to prevent because it’s so targeted. Business email compromise (BEC) scams are low-tech attacks that use social engineering techniques to exploit natural human tendencies. Since the email address has been spoofed, it appears to be legitimate. Companies should also register as many domains as possible that are slightly different from the legitimate company domain to minimize the risk of email spoofing.
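The three gateway checks the page recommends (flagging urgency keywords, cross-referencing an executive's display name against their known address, and catching lookalike domains) combined into one triage routine. This is an added example, not code from any of the sources quoted on the page; the corporate domain, executive roster and sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed tenant data for this example (assumptions, not from the page).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"dana smith": "dana.smith@example.com"}   # display name -> known address
# Subject keywords the page cites as common in fraudulent requests.
KEYWORDS = ("payment", "urgent", "sensitive", "secret", "transfer", "request")

def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True for a domain near the corporate one, or one embedding its label (example-invoices.com)."""
    if domain == CORPORATE_DOMAIN:
        return False
    label = CORPORATE_DOMAIN.split(".")[0]
    return edit_distance(domain, CORPORATE_DOMAIN) <= 2 or label in domain.split(".")[0]

def triage(raw_message):
    """Return the BEC indicators found in one RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:        # executive's name shown on a non-matching address
        flags.append("executive-address-mismatch")
    if is_lookalike(domain):           # spoofed or registered-lookalike sender domain
        flags.append("lookalike-domain")
    subject = (msg.get("Subject") or "").lower()
    hits = [k for k in KEYWORDS if k in subject]
    if hits:
        flags.append("keywords:" + ",".join(hits))
    return flags

# Constructed sample messages: one spoofed executive request, one benign internal mail.
SPOOFED = "From: Dana Smith <dana.smith@examp1e.com>\nSubject: Urgent wire transfer request\n\nPlease pay today.\n"
LEGIT = "From: Dana Smith <dana.smith@example.com>\nSubject: Q3 planning notes\n\nSee attached.\n"
```

Flags are meant to route a message to a human reviewer or a confirmation call, not to block it outright, since legitimate finance mail also uses these words.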
Business Email Compromise (BEC) is a type of scam targeting companies that conduct wire transfers and have suppliers abroad. and attempts to get an employee or customer to transfer money and/or sensitive data. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. What is business email compromise (BEC)? Payments are then sent to fraudulent bank accounts. BEC is a profitable crime due to the nature of the targeted attacks. In this article we explore Business Email Compromise (BEC) attacks, another direct revenue scam that, for many of the same reasons, has been increasingly used by criminals. Normally, such bogus requests are made by email or phone, and at the end of the business day. Also, security leaders should coach employees to be mindful of what they post on social media. CISOMAG - November 4, 2020. Information sought includes general information about the company (i.e., where it does business and with whom), and information about new products, services and patents. “The subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scams,” wrote the FBI in the PSA. Formerly dubbed Man-in-the-Email scams, BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. Victims also come from a variety of industries, with no one sector appearing to be a favored target. The Bogus Invoice Scheme: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
According to the FBI’s 2017 Internet Crime Report, BEC and email account compromise (EAC) represented the highest reported losses — costing 15,690 victims more than $676 million. Business email compromise (BEC) is a security exploit in which the attacker targets an employee who has access to company funds and convinces the victim to transfer money into a bank account controlled by the attacker. According to the FBI's Internet Crime Report, BEC attacks were responsible for over $1.77 billion in losses in 2019. There has been an increasing trend of Business Email Compromise (BEC) attacks reported to SingCERT. In 2016, BEC attacks led to an average of US$140,000 in losses for companies globally. Business Email Compromise (BEC) is a popular type of attack among cybercriminals as it targets businesses and individuals in an attempt to receive money transferred into fraudulent accounts. A request for a wire transfer is included in the email, which urges the recipient to take immediate action. Fraudsters also carefully research and closely monitor their potential target victims and their organizations.