BEC attacks: A business risk your insurance company is unlikely to cover
The growing threat of BEC attacks
Business email compromise (BEC) attacks can cost an organization millions of dollars, and the threat is growing as more business activity takes place online. Many BEC crimes are preventable — but despite growing awareness, organizations continue to fall victim to clever social engineering tactics that cybercriminals use.
Organizations that buy cybersecurity insurance often feel peace of mind that they can transfer this risk. But, as one company found out (to the tune of $6.9 million), having an insurance policy doesn’t necessarily mean you’re covered against BEC attacks.
BEC is typically perpetrated via email and involves user action, which means user awareness and training still needs to be a major component of your risk management strategy.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
BEC attacks are a costly crime
BEC attacks are typically highly targeted. While some BEC scammers are after sensitive data, direct financial gains are a more common motive. Scammers use a variety of tactics to impersonate the CEO or another individual with authority within the organization, either by taking over the person’s email or by spoofing the address. The scammer then emails a bogus financial request, such as an urgent wire transfer to an overseas account.
There are many variations of this scam. For example, an accounts payable employee may receive an email from an impersonated vendor with a bogus invoice and an update to the vendor’s banking information so payments can be redirected to the scammer’s account. In the last couple of years, another variation has involved requests for large batches of electronic gift cards.
BEC attacks are one of the costliest crimes enabled by the internet. In 2019, BEC victims reported more than $1.7 billion in total losses to the FBI. That’s about half of the total losses reported to the agency for the year, according to the FBI’s 2019 Internet Crime Report.
A few other interesting stats from FBI:
- Identified global exposed losses grew by 100 percent between May 2018 and July 2019
- A total of $26.2 billion in BEC losses were reported just in three years (between June 2016 and July 2019)
- BEC scams carried through two popular (unidentified) cloud-based email services resulted in a total of $2.1 billion in losses over a period of about five years
Here’s just a couple of real-life examples of BEC attacks in 2019:
- A European subsidiary of Toyota Boshoku Corp., which manufactures car parts, reportedly lost more than $37 million. Attackers convinced someone with financial authority at the company to change wire transfer account information, redirecting the funds to the scammers
- Cabarrus County in North Carolina lost more than $1.7 million after scammers impersonated a contractor working on a school project and contacted county and school district officials. The scammers updated the legit vendor’s account information and then sent an invoice for a “missed” $2.5 million payment (the county later recovered some of the money)
Protecting your organization
With so much at stake and the threat of BEC attacks rising globally, you can’t afford not to protect your business. The best ways to do that include:
- Using anti-malware solutions to harden the access into your network
- Improving your email security with authentication and verification capabilities such as DMARC (domain-based message authentication, reporting and conformance) and DKIM (DomainKeys Identified Mail) to protect against spoofing
- Teaching everyone in your organization from entry-level employees to the C-suite about phishing, social engineering and other threats
- Implementing tighter controls around your financial processes (such as dual approvals for large transactions)
Beware insurance gaps
Demand for cybersecurity insurance is growing as more organizations look to transfer some of their financial risk. While this is a prudent step, make sure you know not only what your policy covers but also any potential loopholes. Even when it looks like your company is covered, it doesn’t mean insurance will pay for BEC losses, as trading firm Virtu Financial recently learned.
Virtu Financial reportedly said that it lost $6.9 million in a BEC attack after scammers took over the email account of a company executive and sent requests to the accounting department for fraudulent wire transfers to China. But the cybersecurity insurance carrier refused to pay for the claim, saying that the loss was the result of employee action rather than unauthorized access into the company’s computer system.
In August 2020, Virtu filed a lawsuit in a federal court in New York against the carrier, AXIS Insurance Co., for breach of contract. And Virtu is not the first company to sue its cybersecurity insurance carrier for refusing to pay for a claim.
See Infosec IQ in action
Training your end users
Since BEC attacks always involve end-user action, implementing employee awareness and training is an effective way to mitigate your risk. Your program should include education about social engineering, phishing and spear-phishing, basic cybersecurity hygiene and best practices, among other things. It’s also a good idea to conduct periodic phishing simulation campaigns to learn how your end-users are applying their knowledge in real-world scenarios.
A training program is not a “one and done” approach — it needs to be an ongoing practice, starting from the time you onboard new hires and including all levels of the organization. Know your KPIs and measure the results of your training so you can constantly improve your program.
Sources
2019 Internet Crime Report Released, FBI
Business Email Compromise The $26 Billion Scam, FBI
Toyota Parts Supplier Hit By $37 Million Email Scam, Forbes
North Carolina county falls for BEC scam, to the tune of $1,728,083, Naked Security (Sophos)
BEC Scam Costs Trading Firm Virtu Financial $6.9 Million, BankInfoSecurity
In this Series
- BEC attacks: A business risk your insurance company is unlikely to cover
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
