A few months back, the FBI released a report stating that Business Email Compromise (BEC) scams cost businesses around $3.1 billion. The FBI also warned organizations about “Man-in-the-Email” and “CEO Fraud”, two of the better-known variants of the conventional Business Email Compromise. These scams target businesses regardless of their size, and according to surveys there has already been a staggering 1300 percent growth in the number of BEC attacks since January 2015.
Understanding BEC Attacks
Put simply, Business Email Compromise is a type of phishing attack in which cyber criminals pose as company executives and try to convince customers, employees or vendors to transfer sensitive information or funds. BEC attacks are probably the most focused form of phishing: the attackers research the landscape by studying the social profiles of the targeted employees. A close look at employees, vendors and unsuspecting customers lets the criminals draft highly targeted emails. These emails easily slip through spam filters and whitelisting controls, so most employees fail to detect the threat they carry, and more often than not the organization's security is defeated.
Nature of BEC Scams
Every Business Email Compromise attack starts with the cybercriminal phishing a company executive, either to gain access to that executive's inbox or to lend credibility to the attacker's requests. Once the targeted company is tricked into believing the email is legitimate, through a technique called ‘spoofing’, any one of the five forms of BEC attack is launched against it.
1. CEO Fraud
This form of attack involves hacking the email account of the company CEO and then sending emails to employees with wire transfer instructions and other requests that only a CEO could make. The phishing email includes emergency notes to justify the sudden wire transfer. Most attackers inject a sense of urgency to discourage cross-verification.
2. Bogus Invoice
In this scenario, the attacker breaks into the email account of a company executive, looks for a pending invoice and redirects its payment to an account owned by the attacker.
3. Attorney Impersonation
This form of BEC scam compromises the legal department of the targeted company and, from there, requests large sums from the finance department to settle overdue payments and legal disputes.
4. Data Theft
This form of BEC scam does not involve direct monetary gain; it aims at stealing confidential data from the executive's email account. The phishing approach used to gain unauthorized access is the same: the CEO or a board member appears to send an email to HR or finance suddenly requesting sensitive documents and other confidential details.
5. Account Compromise
This form of BEC scam usually works when the targeted company is an SME with a small user base. Here the cybercriminal hacks into the email account of an employee and then emails the existing customer base about a change in the payment account. The new account details, secretly controlled by the attacker, are forwarded to the customers, and more often than not the payments end up with the attacker.
How Seqrite Keeps BEC Attacks at Bay
Most of these attacks can be detected well in advance by watching for typosquatted domains. Security vendors like Seqrite help companies stay protected against BEC scams by offering innovative features. Seqrite's email security feature focuses on data safety and protection, providing a granular approach to controlling suspicious messages. In addition, its data protection policies can identify the nature of emails arriving from Internet-facing email gateways, even when they appear to be forwarded from the CEO's email account.
Seqrite's data loss prevention solution helps combat BEC data theft by integrating its safety modules with the company's email plans. A policy-based encryption service ensures that sensitive information is always encrypted, so the wrong person cannot access it.
Digital signatures can validate the authenticity of an email, so recipients should check for them when handling and processing emails. Seqrite also offers end-user awareness and training that helps employees stay vigilant against these phishing attacks. Focus areas include two-factor authentication for wire transfers and spoof checks.
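Two of the checks mentioned above, lookalike (typosquat) sender domains and spoof checks on the From and Reply-To headers, can be scripted. The example below is added here and is not Seqrite's code; the company domain example-corp.com, the executive list and the sample email are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

LEGIT_DOMAIN = "example-corp.com"                       # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # assumed known executives

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike (typosquat) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_email: str) -> List[str]:
    """Return the BEC warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Typosquat: domain close to, but not equal to, the company's own domain
    if domain != LEGIT_DOMAIN and levenshtein(domain, LEGIT_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")
    # 2. Display-name impersonation: an executive's name on a foreign address
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' used with {addr}")
    # 3. Reply-To pointing at a different domain than From (reply hijack)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"reply-to diverted to {reply}")
    # 4. Urgency wording typical of wire-transfer fraud
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"\b(urgent|immediately|wire transfer)\b", body, re.I):
        findings.append("urgency language in body")
    return findings

# Constructed sample: CEO-fraud style message from a lookalike domain
SAMPLE = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: ceo.jane@freemail.test
Subject: Urgent wire transfer
Content-Type: text/plain

Please process this wire transfer immediately, I am in a meeting.
"""

if __name__ == "__main__":
    for finding in check_sender(SAMPLE):
        print("WARNING:", finding)
```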
Business Email Compromise is a serious issue that must be dealt with urgently. With security service providers like Seqrite on board, however, it becomes easier for organizations to keep their email environments safe and sound.