Even before the COVID-19 pandemic, business email compromise (BEC) has been one of the most pervasive forms of cybercrimes. In fact, from 2013 to 2019, there were more than 70,000 victims of BEC scams worldwide.
According to the FBI, some of the most recent examples of pandemic-related BEC scams capitalize on coronavirus-related situations and reasons to ask for payments and change standard payment methods. And with many businesses deploying a work from home setup, hackers are sure to pounce to take advantage of staff whose network security is not as strong as those in offices.
What is BEC?
Business email compromise is a type of cyberattack that involves hacking into a company’s email account, impersonating its C-level executives (e.g., the CEO), and defrauding its business partners, employees, vendor partners, and clients. There are different types of BEC, all of which aim to get targets to wire money to the fraudster’s account.
Hackers behind these scams don’t discriminate; from juggernauts Facebook to Google to small retail businesses in New York, businesses with weak email security systems and staff that are poorly trained in cybersecurity are all targets.
Pulling off a BEC scam is no easy feat. It requires research, planning, and patience, which is why it’s so effective and lucrative. Here’s how it works.
Common steps to business email compromise
Searching for a target
A BEC scammer will do extensive research by scouring publicly available information on company websites and professional social networking pages such as LinkedIn. Once they’ve chosen a target, they will dig deeper by looking into its employees’ profiles and learn the names of their colleagues and CEO.
Compromising target’s email accounts
After identifying a target, scammers will attempt to gain access to the email account of high-ranking executives such as the CEO. They will compromise email accounts by using a variety of methods, including spear phishing, keylogging, or malware.
Spoofing a domain
Alternatively, hackers may not impersonate a company CEO and simply send a fraudulent email to employees using a spoofed domain. For example, a hacker may pretend to be someone from PayPal and send an email to an employee using this address: johndoe@PaypaI.com. At first glance, the email address will seem legitimate, but a much closer look will reveal that “PaypaI” is spelled with a capital “I” instead of a lowercase “l”.
Spying on the target
The hacker will take the time to observe the activities and behavior of the hacked email account’s owner, which includes studying the workflows and the communication patterns between, for example, the CEO and the head of finance. This may take weeks or months, with the ultimate goal of selecting the most ideal employee that can be tricked into wiring money to the hacker’s account.
Executing the scam
After learning some crucial information within the organization, the hacker will execute the scam. The hacker finally sends an email to a key employee, asking to urgently wire funds to a fraudulent bank account.
Types of business email compromise
There are several ways email accounts can be compromised. Here are some of the most common:
Fake boss email or CEO fraud
This is when the supposed boss of the company asks staff to transfer money to a fraudulent bank account. A fake boss may not always ask for cash; these scams may also involve asking an employee to send the details of gift cards worth thousands of dollars.
Fake attorney scam or attorney impersonation
This is a type of user impersonation in which a hacker compromises a legal firm’s email account. The fake attorney then sends an email to the firm’s clients about a confidential and time-sensitive transaction, which typically includes instructions to wire a certain amount of money. This scam can also be done by phone calls or SMS.
Fake invoice scam
This scheme involves impersonating a company’s accountant or account manager and using a legitimate invoice, altering the bank account number in it, and redirecting payments to the hacker’s bank account. As this involves the use of legitimate invoices, it may be difficult to detect.
This involves compromising a company’s HR staff to gather employees’ information such as email addresses, phone numbers, passport numbers, bank account numbers, and other personal data to be used for future scams.
Also on the rise are HR scams in which hackers pretend to be a company employee contacting the HR department and requesting a change of mailing address or direct deposit information where paychecks are to be sent.
How to protect against BEC
Protecting against BEC requires a good balance of employee vigilance, adequate cybersecurity measures, and security training. You can bolster your security measures even while most of your employees are working from home.
Train staff to be vigilant about urgent money transfer requests, unexpected instructions to change payment information and methods, and other similar requests to transfer funds. Warn them to be doubly cautious about performing sensitive transactions like money transfers, and as much as possible, always verify the identity of the requester either by phone or via video call.
Another way to protect against BEC is to enable multifactor authentication (MFA). MFA provides an additional layer of security on top of passwords before granting access to email accounts and company systems. And if you suspect that you’ve been victimized by a BEC scam, call the authorities and the relevant financial institutions immediately.