In today's interconnected world, the digital landscape has proven to be both a boon and a bane for businesses. While it offers unparalleled convenience, efficiency, and endless opportunities, it also brings with it a host of risks and vulnerabilities.
One such threat that has become increasingly prevalent is the Business Email Compromise (BEC) scam, which specifically targets business people. This insidious form of fraud leverages advanced social engineering tactics to deceive and manipulate unsuspecting individuals, resulting in significant financial losses and reputational damage. In this article, we will delve into the nuanced intricacies of BEC scams, scrutinize their modus operandi, and provide insightful analysis to help businesses defend themselves against this formidable menace.
BEC attackers seem to be targeting everyone, from charity organizations like Save the Children to large enterprises like Toyota, Google or Facebook. The FBI's Internet Crime Complaint Center (IC3) registered 241,206 domestic and international incidents from June 2016 to December 2021, accounting for $43 billion in losses. These attacks have been reported in all US states and in 177 countries (of the 195 recognized worldwide).
How does a BEC scam work?
BEC, short for Business Email Compromise, is a cyber-attack in which an unauthorized individual gains control of, or convincingly imitates, a business email account and uses it to defraud the organization, its employees, customers, or partners. The attackers often pretend to be someone important within the company, such as a senior executive or a trusted vendor, and go to great lengths to deceive the recipient into doing something they should not, such as transferring funds or sharing sensitive information.
BEC attacks often involve social engineering tactics, such as phishing emails, where the attacker masquerades as a legitimate entity and manipulates the victim into believing the email is genuine. The messages may contain urgent requests, financial implications, or other persuasive elements to increase the likelihood of compliance. These attacks are often sophisticated and well-crafted, leveraging careful research and understanding of the targeted organization to make the fraudulent emails seem plausible.
3 common types of BEC scams
According to the FBI, these are the three most common types of BEC scams:
CEO fraud
In this type of scam, criminals impersonate high-level executives within a company and send emails to employees, requesting urgent wire transfers or sensitive information. The emails often appear to be legitimate, using the CEO's name and email address, as well as other company-specific details.
The goal of this scam is to trick employees into taking immediate action without questioning the legitimacy of the request. The criminals rely on the element of surprise and urgency to bypass normal checks and balances within a company. Once the transfer is made or the information is provided, it can be extremely difficult to recover the funds or mitigate the damage caused by the release of sensitive data.
Email account compromise
These scams involve cybercriminals gaining unauthorized access to a company's email account and using it to deceive employees, customers, or business partners into transferring money or sensitive information. The consequences of falling victim can be devastating for a business, resulting in financial loss, damage to reputation, and legal issues.
Check out this case study, where we explain how a Miami magazine fell victim to BEC when its billing email account was hacked, and why implementing Multi-Factor Authentication (MFA) for your business accounts is crucial to keep attackers out. MFA adds an extra layer of security to your email accounts, making it significantly harder for an attacker who has obtained a password to gain access.
False invoice scam
In this scam, criminals send fraudulent emails pretending to be a trusted supplier or business partner. The emails typically contain a fake invoice or request for payment, often with a sense of urgency or a request for secrecy. The recipient may be tricked into paying the fraudulent invoice or disclosing sensitive information, such as bank account details, which the scammers then use to steal money or commit further fraud. Want to know more? Read the IC3 article on the tactics scammers use to facilitate the acquisition of commodities and defraud vendors.
Business Email Compromise Examples
Hedge fund in Manhattan loses $1.7 million in a BEC scheme
A Florida man, Mustapha Raji, was found guilty of participating in a $1.7 million business email compromise and money-laundering scheme that targeted a hedge fund in Manhattan. He was convicted on four counts and faces a maximum sentence of 70 years in prison. The case was investigated by the FBI and is being handled by the Complex Frauds and Cybercrime Unit of the Southern District of New York.
A man in Florida loses $15,000 in a real estate transaction
A man in Central Florida lost over $15,000 in a business email compromise scam while trying to purchase land. The scammers used a fake email address to trick him into wiring the down payment to the wrong account. This type of scam has become increasingly common and has resulted in billions of dollars being stolen globally. The Secret Service advises individuals involved in real estate transactions to verify the legitimacy of professionals involved to prevent such losses.
Collier County in South Florida scammed out of $184K in a BEC attack
In December 2018, Collier County's funds were targeted in a Business Email Compromise scam, with money fraudulently transferred to a bank account that the attackers claimed belonged to a contractor working for the county. Quality Enterprises USA, Inc., the impersonated contractor, urges its clients to be vigilant and to follow up by phone on any unusual request. The company believes these attacks are not limited to Southwest Florida and are becoming more common nationwide.
A medical center in New York City loses patient data in a BEC attack
Village Care Rehabilitation and Nursing Center (VCRN) fell victim to a Business Email Compromise (BEC) attack in which an employee was tricked into providing patient information to an unauthorized actor. The attacker obtained data on 674 patients, including names, dates of birth, and medical insurance information. The center has notified the affected patients and advised them to remain vigilant against identity theft and fraud.
How to prevent a BEC scam?
If you receive an email that you think might be a BEC scam, there are a few things you can do:
- Don't reply to the email. This will only confirm to the attacker that they have reached a valid email address.
- Check the sender's email address carefully. If it's not a legitimate email address, that's a red flag.
- Call the sender directly to verify the request. If you can't reach the sender by phone, that's another red flag. Also make sure the phone number really belongs to the sender: use a number you already have on file, since the number in the email itself can easily be altered by scammers.
- Report the email to your IT department or to the FBI's Internet Crime Complaint Center (IC3).
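The checks above (look at the real sender address, not just the display name; be wary of urgency and secrecy) can be partly automated. The following Python script is an added example written for this article, not code from the original page or from any product it mentions. It parses a raw email with the standard library, compares the sender's domain against a constructed list of trusted domains, flags lookalike domains (one character off), a Reply-To that routes answers elsewhere, and urgency or secrecy language. The trusted domains, the keyword list and the two sample messages are all constructed for illustration.

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed for this example: domains the organization actually corresponds with.
TRUSTED_DOMAINS = {"example-vendor.com", "example.com"}

# Constructed for this example: phrases typical of BEC pressure tactics.
PRESSURE_TERMS = (
    "urgent", "immediately", "wire transfer", "wiring instructions",
    "confidential", "keep this between us",
)


def domain_of(addr: str) -> str:
    """Lowercased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Return the trusted domain that `domain` closely resembles, or None.

    An exact match is legitimate, so it is never reported as a lookalike.
    The threshold is a constructed heuristic, not a standard value.
    """
    if not domain or domain in trusted:
        return None
    closest = max(trusted, key=lambda k: SequenceMatcher(None, domain, k).ratio())
    if SequenceMatcher(None, domain, closest).ratio() >= threshold:
        return closest
    return None


def bec_red_flags(raw_message: bytes) -> list:
    """Return a list of (flag, detail) tuples for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flags = []

    # 1. The address the mail really comes from, ignoring the display name.
    _name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    similar = lookalike_of(from_domain)
    if similar:
        flags.append(("lookalike-domain", f"{from_domain} resembles {similar}"))

    # 2. Replies silently redirected to a different domain than the sender's.
    if msg.get("Reply-To"):
        _n, reply_addr = parseaddr(str(msg["Reply-To"]))
        reply_domain = domain_of(reply_addr)
        if reply_domain and reply_domain != from_domain:
            flags.append(("reply-to-mismatch", f"replies go to {reply_domain}"))

    # 3. Urgency or secrecy wording in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [term for term in PRESSURE_TERMS if term in text]
    if hits:
        flags.append(("urgency-language", ", ".join(hits)))

    return flags


# Constructed sample messages (not real mail).
LEGIT = b"""From: Billing <billing@example-vendor.com>
To: finance@example.com
Subject: Invoice 1042 for March
Content-Type: text/plain; charset=utf-8

Attached is our invoice for March services. Thank you.
"""

SUSPICIOUS = b"""From: Accounts Payable <billing@example-vend0r.com>
Reply-To: ap-desk@freemail.example
To: finance@example.com
Subject: URGENT: updated wiring instructions
Content-Type: text/plain; charset=utf-8

Please process the attached invoice today and keep this confidential.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, bec_red_flags(raw))
```

A message that trips any flag should still go through the manual step the list above describes: call the sender on a number already on file. The script only narrows down which emails deserve that call.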
BEC scams are a serious threat, but there are steps you can take to protect yourself. By being aware of the signs of a BEC scam and taking precautions, you can help to keep your organization safe.
Here are some additional tips to help you avoid BEC scams:
- Be suspicious of emails that ask for sensitive information. Never give out your personal or financial information unless you are absolutely sure that the request is legitimate.
- Use strong passwords and change them regularly. This will make it more difficult for attackers to gain access to your email account.
- Be careful about what information you share on social media. Attackers can use this information to target you with BEC scams.
- Keep your software up to date. Software updates often include security patches that can help to protect you from BEC scams.
By following these tips, you can help to protect yourself from BEC scams and keep your organization safe.