What’s the biggest cyber threat that businesses face? It isn’t ransomware, even though that tends to grab all of the headlines. It’s business email compromise (BEC). Sometimes called email account compromise (EAC), BEC can lead to potentially devastating business losses. Unfortunately, BEC’s chameleon-like nature makes it tricky for most victims to spot. That’s a serious problem because this attack can do massive damage to a company’s revenue, reputation and productivity quickly. This look inside the complicated world of BEC will help you develop and maintain a strong defensive posture against today’s most expensive cyber threat.
Excerpted from The Comprehensive Guide to Avoiding Business Email Compromise.
Urgent payment required or invoice scams
The most common variety of BEC attack is the invoice or urgent payment required scam. In this scenario, bad actors pose as representatives of a company or government agency and tell the victim that an invoice must be paid immediately to avoid a negative consequence, like the interruption of their phone service. Usually, they ask for a wire transfer to a fraudulent bank account, but sometimes bad actors will request payment using a gift or money card.
- The FBI received many reports of COVID-19-related BEC invoice fraud targeting large healthcare organizations. Victims received messages claiming that a fake invoice must be paid immediately for the organization to get a shipment of much-needed medical supplies or vaccines. Victims were instructed to pay by wire transfer. Of course, no supplies ever reached those unfortunate healthcare providers.
- Both Facebook and Google fell victim to invoice scams perpetrated by the same cybercriminals that resulted in around $121 million in collective losses. Lithuanian national Evaldas Rimasauskas and associates formed a fake company that used the name of a real hardware supplier, “Quanta Computer.” The group then presented Facebook and Google with fraudulent invoices, which they promptly paid — straight into bank accounts controlled by the bad guys.
Executive impersonation scams
Bad actors may pose as an executive at the victim’s company or another organization to entice the victim into downloading a malicious document, sending them money, providing them with sensitive information like financial data or helping them access restricted systems and data.
- At toy manufacturer Mattel, cybercriminals posing as executives of a Chinese company duped an executive into approving a $3 million offshore payment to their fake firm in China. The executive soon found out that the Chinese firm didn’t exist, and that they had transferred that money to cybercriminals.
- Pathé, a French cinema company, experienced a BEC attack in which cybercriminals impersonated the company’s CEO. Bad actors misrepresented themselves to the executives in the company’s Dutch division using an email address similar to the company’s legitimate domain pathe.com. The fraudsters convinced executives to transfer funds to a “new” (fraudulent) bank account to pay for the supposed takeover of a company in Dubai, ending in a loss of $21 million.
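The invoice and executive-impersonation cases above share a few observable signals that a mail filter can check before a message reaches the finance team: a sender domain that is a near-miss of the company's real domain (as in the pathe.com case), an executive's display name paired with an external address, and urgent payment or bank-detail-change language. The following is an added example written for this article, not code from Graphus or from the original post; the trusted domains, executive names and the three sample messages are constructed for illustration, and a real deployment would load the directory data from the identity provider.

```python
"""Heuristic BEC triage over raw inbound messages.

Added example (not Graphus code): three checks matching the scam patterns
described above. Trusted domains, executive names and the sample messages
are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domains and the executives whose
# names are most often spoofed. Constructed values for this example.
TRUSTED_DOMAINS = {"pathe.com", "example-corp.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(
    r"\b(wire transfer|new bank account|updated (bank|account) details|gift cards?|invoice)\b",
    re.I,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domains indicates typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None when the
    domain is trusted itself or not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    labels = set(re.split(r"[.-]", domain))
    for t in trusted:
        brand = t.split(".")[0]
        # Rule 1: a couple of edits away (pathe.co, path.com, "rn" for "m").
        if levenshtein(domain, t) <= (2 if len(t) >= 8 else 1):
            return t
        # Rule 2: the brand reused as a label elsewhere (pathe.com.evil.net,
        # pathe-com.net). Short or generic brands will need an allow-list.
        if brand in labels:
            return t
    return None


def triage(raw_message: str) -> dict:
    """Score one raw RFC 5322 message and return a verdict with reasons."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    reasons = []
    imitated = lookalike_domain(sender_domain)
    if imitated:
        reasons.append(f"sender domain {sender_domain} resembles trusted {imitated}")
    if display_name.strip().lower() in EXECUTIVE_NAMES and sender_domain not in TRUSTED_DOMAINS:
        reasons.append(f"display name '{display_name}' matches an executive but address is external")
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment or bank-detail language")
    return {"verdict": "suspicious" if reasons else "clean", "reasons": reasons}


# Constructed sample messages: a lookalike-domain invoice scam, an executive
# impersonation from a free-mail address, and a benign internal message.
SAMPLE_LOOKALIKE = """From: Finance <accounts@pathe.co>
Subject: Urgent: invoice payment
To: cfo@pathe.com

Please process the attached invoice by wire transfer today to our new bank account.
"""

SAMPLE_EXEC = """From: Jane Doe <jane.doe@gmail.com>
Subject: quick favour
To: hr@example-corp.com

Can you send me the payroll details for all staff? I'm in a meeting.
"""

SAMPLE_CLEAN = """From: Jane Doe <jane.doe@example-corp.com>
Subject: Q3 planning
To: team@example-corp.com

Agenda for Thursday attached.
"""

if __name__ == "__main__":
    for name, sample in [("lookalike", SAMPLE_LOOKALIKE), ("exec", SAMPLE_EXEC), ("clean", SAMPLE_CLEAN)]:
        print(name, triage(sample))
```

The three checks are deliberately independent so that a message hitting only one of them (the executive-impersonation sample trips just the display-name rule) still surfaces for review rather than being scored down by the rules it did not trigger; tuning the edit-distance threshold and the brand allow-list against the organisation's own mail flow is where most of the real work lies.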
In a misrepresentation scenario, bad actors target employees in certain departments with the intent to trick them into providing sensitive information or payments. They may pose as government officials or even executives and colleagues within the target’s organization.
- The charity Save the Children lost $1 million to BEC. In that scam, the attacker managed to gain access to an employee’s email account, and then used it to send fake invoices and other documents to the charity’s accounting department claiming that the money was needed to pay for non-existent solar panels for a clinic in Pakistan. The accounting department didn’t suspect anything because the invoices came from a trusted address.
- In an incident at Snapchat, bad actors contacted a privileged employee in the company’s human resources department. By pretending to be the CEO requesting information for a routine business purpose, cybercriminals were able to trick the employee into sending them sensitive financial data, including payroll details for current and former employees.
- Technology giant Ubiquiti Networks fell victim to a BEC attack and suffered losses of $46 million in 2015 after fraudsters impersonating employees persuaded other employees in the finance department to send them money for legitimate-sounding reasons.
Gift card scams
Urgency is a hallmark of BEC gift card scams. Bad actors scare their victims, for example, by telling them that their company’s electricity will be cut off for non-payment unless they pay their bill by gift card immediately. The U.S. Federal Trade Commission provides several examples of gift card scam scenarios that they’ve encountered.
- The target receives an email purporting to be from a government agency, often the U.S. Internal Revenue Service or the Social Security Administration.
- They claim that the victim or the victim’s company must pay taxes or a fine and will face dire consequences if it isn’t paid immediately.
- A cybercriminal sends a message pretending to be from Apple or Microsoft tech support, saying there’s something wrong with the company’s systems or services and the victim must pay to have it fixed.
- In a common, scary gift card scam, bad actors falsely represent themselves as representatives of a utility like a power company, threatening to cut off service if the victim doesn’t pay immediately.
- Cybercriminals pretend to be customers who claim they’ve sent an incorrect payment and are owed money, sometimes threatening legal action if the “overpayment” isn’t returned quickly.
Credential or information fraud
A credential compromise BEC scam starts with bad actors asking the victim to provide credentials on the pretense that they’ve misplaced credentials they’d already been given or weren’t given the right ones to complete a task. Both variants lead to the same result — a bad actor tricks an employee into giving them access to systems, accounts and data that they shouldn’t have.
- Twitter fell victim to a BEC attack. In this incident, bad actors pretending to be repair contractors contacted Twitter employees. They convinced a Twitter employee that there had been a mix-up and they hadn’t received the right credentials to access a system that required repairs. After obtaining access credentials from the gullible employee, cybercriminals were able to take over accounts belonging to celebrities, including Donald Trump and Elon Musk, and use them for nefarious purposes.
- In February 2021, celebrated entrepreneur Obinwanne Okeke was sentenced to 10 years in prison for his involvement in a BEC scheme that resulted in at least $11 million in losses to his victims. Using phishing emails to secure the login credentials of business executives (including the CFO of British company Unatrac Holding), he had a direct conduit to a BEC attack.
Graphus protects businesses from the danger of BEC
Graphus’ AI-powered email security is a powerful defense against BEC threats like these and other phishing-related attacks. Compared to built-in email protection or a secure email gateway (SEG), automated, API-based email security solutions like Graphus prevent 40% more spear phishing messages from reaching an employee’s inbox. Here’s how:
- TrustGraph is a powerful shield between employee inboxes and malicious messages. This proprietary technology uses more than 50 distinct data points to discover up to 99% of sophisticated phishing messages, even zero-day attacks.
- EmployeeShield displays a bright, prominent box on suspicious messages, reminding employees to be cautious. Employees can designate a message as genuine or malicious with a single click.
- Phish911 makes it simple for employees to report any message that they don’t think is safe. When an employee reports a potentially malicious email, the message is immediately removed from everyone’s inboxes.
- Simple deployment and effortless integration via API with Microsoft 365 and Google Workspace.
- Half the price of the competition.