
Business Email Compromise Statistics for 2022

Business email compromise (BEC) is a cyber-attack in which the attacker impersonates a bona fide, known email address for fraudulent purposes. Spoofing often takes the CEO approach, where attackers send emails with specific instructions purportedly from the CEO to targeted staff or even to third parties the company deals with.

The instructions, which look genuine on their face and appear to come from a trusted source, demand urgent action, usually a funds transfer, and may carry a malicious attachment or a phishing link. Business email compromise attacks cost businesses a whopping $5 million per breach, or nearly $2 billion to the industry per year, and as 2022 progresses we can only assess trends for emerging vectors.
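The impersonation pattern described above (a trusted display name on an outside address, a mismatched Reply-To, urgency language and a payment request) is what a mail gateway or SOC triage script looks for. The following is an added example, not code from the article, showing a simple defender-side triage check over two constructed messages; the executive directory, the `example.com` domain and the sample messages are all assumptions made up for the illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample data (placeholder domains and names, not real mail).
INTERNAL_DOMAIN = "example.com"
# Display name (lower-cased) -> the executive's real mailbox.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed BEC-style message: CEO display name on a look-alike domain,
# Reply-To pointing elsewhere, urgency wording and a wire-transfer request.
SPOOFED_CEO_MAIL = b"""From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: Jane Doe <ceo.urgent@freemail.test>
To: accounts@example.com
Subject: Urgent wire transfer needed today

I am in a meeting and cannot take calls. Please process the attached
invoice and wire $48,000 to the new vendor account immediately.
"""

# Constructed benign message from the real executive mailbox.
NORMAL_MAIL = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Attached are the slides for Thursday. No action needed before then.
"""

URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "invoice", "bank details", "gift card")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def contains_any(text: str, words) -> bool:
    """Whole-word, case-insensitive match of any term in `words`."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text, re.I) for w in words)


def bec_signals(raw: bytes, executives=EXECUTIVES, internal_domain=INTERNAL_DOMAIN):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    signals = []

    name, addr = parseaddr(str(msg.get("From", "")))
    name, addr = name.strip().lower(), addr.strip().lower()

    # 1. A known executive's display name on a mailbox that is not theirs.
    if name in executives and addr != executives[name]:
        signals.append("display_name_impersonation")

    # 2. Replies would go to a different domain than the sender claims.
    reply_to = str(msg.get("Reply-To", ""))
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != domain_of(addr):
            signals.append("reply_to_mismatch")

    # 3 and 4. Pressure wording and a payment/credential request in the text.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" +
            (body.get_content() if body is not None else ""))
    if contains_any(text, URGENCY_WORDS):
        signals.append("urgency_language")
    if contains_any(text, PAYMENT_WORDS):
        signals.append("payment_request")

    return signals


def risk_level(raw: bytes) -> str:
    """Coarse triage bucket: three or more indicators is treated as high risk."""
    n = len(bec_signals(raw))
    return "high" if n >= 3 else "medium" if n >= 1 else "low"


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_CEO_MAIL), ("normal", NORMAL_MAIL)):
        print(label, risk_level(sample), bec_signals(sample))
```

The indicator list is deliberately coarse: a display-name match on an outside domain is the single strongest signal, and the wording checks only add weight. In production the executive directory would come from the identity provider and the check would sit beside SPF/DKIM/DMARC results rather than replace them, since a takeover of a real mailbox (the vendor email compromise discussed below) passes all of these header checks.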

The Facebook and Google BEC

Phishing is the most common cyber-attack method fraudsters use to scam businesses, and according to industry surveys, 96% of these attacks arrive via email. Other cybersecurity threat reports indicate that at least one user in 86% of surveyed organizations clicked a phishing link, while BEC attacks account for 90% of data breaches.

A growing trend is vendor email compromise, carried out through an account takeover instead of traditional spoofing. The attack on tech giants Facebook and Google, which cost them over $120 million paid against fake invoices presented through an impersonator email, illustrates the sophistication of this crime and its new trajectory.

Crisis-driven business email compromise

Recent research shows a steady rise in email phishing attacks since the global COVID-19 pandemic started in 2020, by about 7.3% in some surveys. Analyzing past cybersecurity threat trends, experts found that phishing activity escalated during large-scale crises such as natural calamities and now the pandemic, exploiting the lack of effective resource allocation.

There will be scams targeting urgent medical supply channels, vendor email compromise, and multiple agency impersonations, as is already evident from the 21,285 complaints lodged in the US alone by the close of 2021. Even governments are not safe at such times, as Puerto Rico officials learned the hard way after transferring $2.6m on BEC instructions in the aftermath of the massive 2020 earthquake.

BEC threat to remote working

The coronavirus pandemic spawned a new organizational structure out of necessity, to continue operations while keeping workers safe. Systems changed to have employees work remotely from home, which meant everything, including meetings and instructions, moved online, creating a very conducive environment for cybercriminals.

In recent surveys, 80% of security experts reported increased security threats since adopting remote work, while 62% noticed escalated phishing campaigns over the same period. The security challenge arises from IT departments' inability to enforce security measures away from company premises, while employees working from home are more likely to be careless.

The need for cybercrime insurance

When an organization handles frequent cash transactions, and especially wire transfers made online, it is prudent to consider taking out insurance cover against cybercrime. An insurance policy ensures the organization puts sufficient security measures in place to qualify for cover, and it may compensate for losses suffered from a business email compromise.

In 2021 Treasure Island, a homelessness charity without cybercrime insurance, suffered a double loss when it was infiltrated by cybercriminals who made off with $625,000 and the Attorney's office declined to investigate the BEC scam. The attackers breached the bookkeeper's email account, altered a legitimate invoice by inserting different bank details, and rerouted the funds to their own accounts.

The Scouler Co. scam

The Scouler company acquisition scam demonstrated how fraudsters use breached internal email accounts to manipulate staff trust. Attackers create impersonator accounts that mimic the actual CEO's email account and send what appears to be official communication, with messages that combine authority, urgency, and emotive language to blind the target employee.

Every employee wants to demonstrate efficiency and dedication when given a special assignment, and will not stop to call back for reconfirmation but instead proceed to act. Such was the case at Scouler, where the target employee, assuming the email was from his CEO, transferred $17.2m to an overseas account set up by the scammers.

Once hit, always exposed

The trend in business email compromise (BEC) attacks follows a common pattern: once in, multiple and diverse attempts follow, targeting money, data, IP, or identities. If attackers got in once, they will always look for a way back in another time, possibly with more dire consequences.

Toyota Corporation had already been hit in Australia and Japan, a month apart in the same year, when its Zaventem branch in Belgium lost $37m to a BEC fraud. It is good practice for organizations to re-evaluate their cybersecurity across all departments and overseas branches the first time they get hit, rather than treating it as an isolated incident, in order to forestall future attempts.

Gift card BEC scams

A couple of years back, the FBI's Internet Crime Complaint Center (IC3) issued an advisory warning the public about an increase in gift card scams, a form of business email compromise. The gift card scam escalates around the holidays and targets specific demographics to gain maximum impact for the duration of that season.

The BEC element in this fraud starts with a spoofed email, supposedly from a recognized leader known to the victim, urging the purchase of gift cards for some mutual cause. Further instructions include sending back pictures of the card serial numbers, which the scammers then use to purchase whatever items they wish.

The deep fake attacks

A new and poorly understood cybersecurity threat is emerging in social engineering attacks and has already had some recorded successes in BEC scams against organizations. Known as the deepfake, the attack goes beyond passive communication channels and, with the aid of AI simulation, takes an active part in the conversation.

A scammer sends a BEC email purportedly from the CEO as usual, but immediately follows up with a voice call to confirm its contents, using AI technology to sound exactly like the genuine CEO. This tactic was used successfully against the CEO of a UK energy company, who was so convinced he was speaking to his boss that he immediately wired out $243,000 without hesitation.

Ellen

I'm a Digital Marketing Consultant, Professional Blogger, Affiliate Marketer, and Online Entrepreneur. Here, I blog about technology and digital product reviews and SEO, and help people choose the right digital and tech gadgets.
