
Protecting Your Company from Business Email Compromise (BEC) Attacks
BY CHRISTOPHER BUDD
Business Email Compromise (BEC) is a fast-growing cybersecurity threat that all businesses, especially small and medium-sized (SMB) ones, face. The FBI’s Internet Crime Complaint Center (IC3) reported in their 2020 Internet Crime Report that they fielded 19,369 Business Email Compromise (BEC) complaints amounting to over $1.8 billion in adjusted losses in the United States for that year.
BEC attacks primarily use email, but can be carried out using SMS messages, voice mail messages, and even phone calls. BEC attacks are notable because they rely heavily on so-called “social engineering” techniques, meaning they use trickery and deception against people.
Because BEC attacks apply social engineering, traditional security software doesn’t always protect against them. That means you and your employees must understand what BEC attacks are and how they work.
How BEC Attacks Work
While there are many ways BEC attacks can unfold, they all boil down to a simple formula. An attacker tries to convince an employee to send money to the attackers by impersonating someone that the employee trusts.
Attackers often try to stack the odds in two ways. First, they try to make their attack believable by who they choose to impersonate. Second, they try to create a sense of urgency so that the intended victim is less likely to follow the proper transaction procedures that could catch the scam.
For example, one type of BEC attack involves an employee getting an urgent message from the CEO or other high-level executive requesting that the employee pay a past due invoice or buy gift cards for a company event. These can be email or text messages, but one executive in 2019 lost €220,000 (approx. $243,000) to attackers who even used deepfake technology to impersonate his CEO.
In another type of BEC attack, the attackers use fake and compromised accounts to exchange several emails with the intended victim, convincing him or her that they are a legitimate vendor, and then send a fake invoice.
A third type of BEC attack targets company payroll. In these, attackers impersonate employees to convince payroll staff to change employees’ direct deposit information to the attackers’ bank accounts. These attacks are more subtle and take more time but can be very effective.
In almost all cases, BEC attackers’ goal is to get money through electronic funds transfers (including cryptocurrency) or gift cards. While using gift cards for an attack like this might be surprising, attackers have found it’s an easy way to transfer and launder money.
How You Can Protect Against BEC Attacks
BEC attacks really are old-fashioned fraud attacks that happen to utilize current technology. Because these aren’t technology-based attacks, technology-based solutions won’t be as effective against them. A well-made BEC email, for example, is hard for security software to distinguish from a legitimate one, especially if it’s coming from the actual — but compromised — account of someone you trust.
This means that protecting against BEC attacks needs to focus on two things: you and your employees.
First, educate yourself and your employees about BEC attacks. You and your employees should learn to be suspicious when a sudden unexpected email comes from the CEO saying, “I need you to get $5,000 in gift cards for a birthday party today, send me the numbers, and don’t tell anyone about it.”
Second, reinforce the importance of following the established rules for paying bills, changing direct deposit information, and sending gift cards. For example, employees should call the number on file for an employee or vendor requesting payment to verify that the request is legitimate. Emphasize that even if requests seem to come from high-level people in your company, employees still need to verify.
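As an added illustration (not from the article or from Avast), here is a small Python triage helper that checks an incoming plain-text email for the indicators described above: an executive's display name sent from an unexpected address, a Reply-To pointing at a different domain, urgency and secrecy language, and a request involving gift cards, invoices or direct-deposit changes. The executive directory, domains and sample messages are constructed for the example; the helper supports the call-the-number-on-file rule rather than replacing it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people attackers like to impersonate:
# display name -> the only address that person legitimately sends from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY = re.compile(r"\b(urgent|today|asap|immediately|right away)\b")
PAYMENT = re.compile(r"\b(gift cards?|wire transfer|past due invoice|direct deposit|bank (account|details))\b")
SECRECY = re.compile(r"(don['’]?t tell|keep this (between us|confidential)|be discreet)")

def assess(raw: str) -> dict:
    """Return the BEC indicators found in one plain-text email and whether the
    request must be verified out of band (call the number on file, not any
    number or address in the message)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    flags = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("executive display name from an unexpected address")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != addr.rsplit("@", 1)[-1].lower():
        flags.append("replies are redirected to a different domain")
    if URGENCY.search(text):
        flags.append("urgency")
    if SECRECY.search(text):
        flags.append("secrecy")
    payment = bool(PAYMENT.search(text))
    if payment:
        flags.append("payment, gift card or banking change requested")
    # Any payment-type request is verified out of band, however trusted the sender looks.
    return {"flags": flags, "verify_out_of_band": payment}

# Constructed samples: a gift-card lure like the one quoted above, and a routine note.
BEC_SAMPLE = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: Jane Doe <ceo.janedoe@freemail.test>
Subject: Urgent

I need you to get $5,000 in gift cards for a birthday party today, send me the numbers, and don't tell anyone about it.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
Subject: Tuesday sync

Can we move the Tuesday sync to Wednesday?
"""
```

Running `assess(BEC_SAMPLE)` reports five indicators and `verify_out_of_band: True`, while the routine message reports none; the keyword lists are deliberately small and should be tuned to your own organisation's vocabulary.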
Ultimately, BEC attacks succeed because attackers fool their victims into believing their deception. Because BEC attacks use technology, thwarting them requires adjusting to the new ways these old-fashioned frauds operate.
The good news is that with proper training, education, and following procedures, you can thwart these attacks. You just need to educate yourself and your employees that these scams exist, how they operate, and the proper way to handle payment requests.
Christopher Budd is the Senior Global Communications Threat Manager for Avast. For more information, visit the Avast website at avast.com/en-us/index or email Chris at christopher.budd@avast.com