Business email compromise (BEC) is a specialized type of phishing and social engineering attack resulting in losses of $5.3 billion worldwide. In this article, we’ll show you how to detect BEC and outline five signs your company is vulnerable to attack.
How to Detect Business Email Compromise (BEC)
Business email compromise is a message that pretends to come from a trusted source; although it has “email” in its name, it can also arrive as a text message, an instant chat message and sometimes even a phone call.
BEC began as an attack on large corporations with foreign suppliers, where a scammer would send a phony email invoice posing as a third-party vendor and request a wire transfer. The accounts payable department may see the name (which may look legitimate but contain a variation on spelling) and pay the bill.
Then, another form of BEC began to pop up during tax time. In this scam, the attacker sends accounting an email or urgent message that appears to come from the CEO or another high-level executive and requests W-2s. These W-2s are very valuable on the black market, as they can be used to file phony tax returns or create new identities.
Now there is another form that is somewhat of a combination of the two: a personal email or chat from a senior employee that requests funds or information directly.
The criminals behind BEC get much of their information from publicly available sources, perhaps even the company website itself. This includes names of employees, news about travel or expansion plans, and other seemingly innocuous details. They may also search social media profiles and glean other details to make their impersonation seem legitimate.
Then, they will strike, taking over an email account or social media profile if they can, or creating a phony one that looks similar. Many times they will start out slow, building trust before initiating their scam.
This type of technique has been successful, compromising some of the largest corporations, including Tillage Commodities Fund ($6 million), Ubiquiti Networks ($47.5 million), and FACC ($47 million); toy company Mattel almost lost $3 million, but the transfer was blocked at the last minute.
Five Signs Your Company Is Vulnerable to Attack
- You don’t have strong internal security policies.
Is there a document that contains a set of protocols about how to deal with BEC or other scams? Is there a phone number of an IT person that employees can call?
- You don’t have your own branded email.
If you have an @yourcompany.com email system, it adds a basic level of protection against BEC. Any emails received that pretend to be from someone in the company but aren’t can be easily flagged.
- You don’t have two-factor authentication.
Two-factor authentication is an additional layer of security beyond just inputting a password (oftentimes this is a code that is sent via text message). Two-factor authentication can make hacking email accounts and impersonating executives much more difficult.
- You don’t have a security awareness training program.
Most employees likely haven’t heard of BEC or, for that matter, phishing. Even if they have, it’s likely they don’t know what to do in the event they have received a suspicious email. An educational program should be mandatory for the entire organization.
- A high percentage of employees fail real-world testing.
To know whether or not employees are following protocol, it’s a good idea to send out phony phishing emails. These should mimic BEC scams, pretending to be a supervisor and asking for W-2s, for example. If too many people fall for the simulated scam, they’re likely to fall for a real one.
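As an added example (not part of the original article), the following Python check flags two of the impersonation patterns described above: an executive's display name on an address that is not their branded mailbox, and a sender domain that is a misspelled variation of the company's own. The company domain, the executive list and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example (assumptions, not from the article).
COMPANY_DOMAIN = "yourcompany.com"
# Internal people most often impersonated, as listed in the directory.
EXECUTIVES = {"Jane Doe": "jane.doe@yourcompany.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Compare names case-insensitively, ignoring punctuation and spacing."""
    return re.sub(r"[^a-z]", "", name.lower())


def flag_impersonation(raw_message: str) -> list[str]:
    """Return the reasons a message looks like BEC impersonation ([] if clean)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # An executive's name on an address that is not their branded mailbox.
    for exec_name, exec_addr in EXECUTIVES.items():
        if normalize(display) == normalize(exec_name) and addr != exec_addr:
            findings.append(f"display name '{display}' used from {addr}")
    # A sender domain one or two characters away from the company's own.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")
    return findings


# Constructed sample messages: one impersonation attempt, one legitimate mail.
SUSPECT = "From: Jane Doe <jane.doe@yourcompnay.com>\nSubject: Urgent\n\nSend the W-2s today."
LEGIT = "From: Jane Doe <jane.doe@yourcompany.com>\nSubject: Hi\n\nSee you at 3."

if __name__ == "__main__":
    print(flag_impersonation(SUSPECT))  # two findings
    print(flag_impersonation(LEGIT))    # []
```

A message that only matches the name check (for example an executive's name on a free webmail address) still produces one finding, which is the case the branded-email sign above describes.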
Preventing BEC With Security Awareness Training
Security awareness training is one of the best ways to address the challenges raised in numbers 4 and 5 above. InfoSec Institute’s SecurityIQ awareness training platform includes several new BEC awareness training resources to help you combat this growing threat. Resources include:
- 20 BEC phishing templates: Use these templates to send your employees realistic attack simulations to increase their awareness of BEC attacks. Attack methods simulated include fraudulent wire transfer and payroll data requests.
- BEC simulation reply tracking: This new feature tracks all replies to your BEC simulations, helping you identify vulnerable employees who need additional security awareness training.
- Sensitive data detection: SecurityIQ reply tracking also includes pattern recognition, allowing you to determine what type of data your employees shared in failed simulations.
- BEC awareness training module: This interactive module describes what BEC scams are, outlines the risks of BEC attacks and provides suggestions for BEC scam defense.
To request a free 30-day SecurityIQ trial, visit securityiq.infosecinstitute.com or call 866.471.0059.