Phishing scams remain among the most prevalent cyberthreats today. In fact, the frequency of incidents only increased during the pandemic as scammers preyed on the public’s fear and desire for safety and information. Of the many types of phishing attacks, business email compromise (BEC) scams deserve particular attention, especially if you’re a business owner.
What is a BEC scam?
A BEC scam is a specialized phishing attack that deliberately targets businesses. According to data from the FBI, BEC scams were the costliest cyberthreat in 2020, accounting for $1.8 billion of the $4.2 billion lost to cyberattacks that year. A BEC scam differs from conventional phishing campaigns in the following ways:
Conventional phishing campaigns are usually launched to steal sensitive information or spread malware. BEC scammers usually want money, but some of them may steal data instead.
Unlike conventional phishing emails that are sent to as many potential victims as possible, BEC scams are sent to select individuals. These are usually CEOs and other personnel who have the authority to make and authorize bank transfers.
How does a BEC scam work?
In a BEC scam, the perpetrators send the victim an email, pretending to be someone the target trusts. This could be the recipient’s superior, colleague, client, or vendor. The scammers then instruct the victim to wire money to a bank account they have set up in advance.
To make their scheme convincing, BEC perpetrators employ a variety of impersonation and social engineering tactics. One commonly used strategy is domain spoofing, which entails creating fake email accounts with domains that look similar to legitimate company domains. For instance, scammers may use the fake email address “firstname.lastname@example.org” instead of the legitimate “email@example.com.”
To gain their victim’s trust, perpetrators try to sound like the person they’re pretending to be as much as possible. For instance, they may use the victim’s nickname in the email if the victim and the purported sender are close associates. To do this, perpetrators usually research their targets extensively beforehand by gaining access to the victim's email or mining information from the target’s social media accounts.
What are the different types of BEC scams?
There are five major types of BEC scams:
- Account compromise – scammers take control of an employee’s email account and use it to request payments from vendors
- Data theft – scammers target HR and bookkeeping personnel to steal sensitive information about the company, which may then be used in future BEC attacks
- Fake invoice – scammers pretend to be the victim’s suppliers and ask that payment be sent to a fake bank account
- CEO fraud – scammers pose as the company’s CEO or one of its executives and instruct the victim to wire money to a specified account
- Attorney impersonation – scammers pretend to be the company’s legal representatives and request money or sensitive information
How can you prevent BEC scams?
To stop BEC attacks, follow these tips:
Educate your team
Your staff can contribute much to your defense against BEC scams. Educate them on how to spot fraudulent emails, such as by carefully examining the sender’s domain and checking the message body for spelling and grammatical errors.
Limit money transfer capabilities
You can reduce the chances of a successful BEC scam by limiting the number of people who can perform or authorize money transfers. Make sure these personnel are trained to identify and stop BEC attacks.
Verify all money transfer requests
Make it a policy for staff to verify money transfer requests by contacting the purported email sender using a communication medium other than email (e.g., phone).
Automate filtering and detection
BEC emails are hard to detect with basic filtering solutions because they normally contain no malware or malicious links. It’s best to invest in newer filtering tools that use machine learning and artificial intelligence to identify potentially problematic messages.
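As an added example (not code from the original post), here is the kind of header check a mail filter or SIEM rule can apply to catch the lookalike domains described above, the display-name impersonation used in CEO fraud, and a Reply-To pointing somewhere else; the company domain, executive names and sample headers are all constructed for illustration.

```python
import re
from email.utils import parseaddr
# Constructed values for this example (not from the original post).
COMPANY_DOMAIN = "example.com"           # the protected organisation's domain
EXECUTIVES = {"jane doe", "john smith"}  # names that CEO fraud typically borrows
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}  # look-alike swaps
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|urgent|invoice|bank account)\b", re.I)

def normalise(domain):
    # Undo homoglyph substitutions so "examp1e.com" compares equal to "example.com".
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    # Levenshtein distance, which catches typo-squats such as "exampel.com".
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(headers):
    """Return the BEC indicators present in one message's headers."""
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if from_domain and from_domain != COMPANY_DOMAIN:
        # Lookalike domain: same after homoglyph swaps, or within two edits (tune for short domains).
        if normalise(from_domain) == COMPANY_DOMAIN or edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        # Display-name impersonation: an executive's name on an outside address.
        if name.strip().lower() in EXECUTIVES:
            flags.append("executive-name-external-domain")
    # A Reply-To on a different domain steers the victim's reply to the scammer.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("reply-to-mismatch")
    # Payment language typical of fake-invoice and CEO-fraud requests.
    if PAYMENT_WORDS.search(headers.get("Subject", "")):
        flags.append("payment-keywords")
    return flags
# Constructed sample headers: a legitimate message, a CEO-fraud attempt and a fake invoice.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Team lunch on Friday"},
    {"From": "Jane Doe <jane.doe@examp1e.com>", "Reply-To": "ceo.office@webmail.example.net",
     "Subject": "URGENT wire transfer needed"},
    {"From": "Accounts <billing@vendor-invoices.example.org>", "Subject": "Updated bank account for invoice 4471"},
]
```

Running `bec_flags` over `SAMPLE_MESSAGES` leaves the first message clean, raises all four indicators on the second, and flags only the payment wording on the third, which is why keyword hits alone should route a message to the out-of-band verification step rather than block it.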
Be mindful of what you share online
Do not post sensitive details, such as information about your company or job, on social media, as scammers can use these to steal your login credentials or impersonate you and your colleagues.
A BEC scam can lead to significant losses to your company, so you must take steps to prevent it from succeeding or happening in the first place. At Quicktech, our team of experts can boost your defenses against BEC attacks and other cyberthreats by helping you implement effective cybersecurity solutions.
Learn what cybersecurity solutions you need to protect your business by downloading this free eBook today.