Business Email Compromise (BEC) is a fast-growing cyber security threat faced by all businesses, especially small and medium-sized businesses (SMBs). The FBI's Internet Crime Complaint Center (IC3) reported in its 2020 Internet Crime Report that it handled 19,369 BEC complaints that year, with adjusted losses in the United States of more than $1.8 billion.
About the author
Christopher Budd is Global Senior Threat Communications Manager at Avast.
BEC attacks are mainly carried out over email, but they can also be run using SMS messages, voicemail messages, and even phone calls. BEC attacks are noteworthy because they rely heavily on so-called "social engineering": that is, tricks and deception aimed at people rather than at software.
BEC attacks are very effective, and anyone, no matter how wealthy or sophisticated, can fall victim to one. In February 2020, Barbara Corcoran, an American businesswoman, investor and judge on the television entrepreneurial reality show Shark Tank, lost nearly $400,000 in a BEC scam. Fortunately, her swift action allowed her to get the money back. According to the FBI's statistics, however, not everyone is so lucky.
Because BEC attacks rely so heavily on social engineering, traditional security software does not always protect against them. You and your employees play the major role in defending against them, which is why it is important to understand what BEC attacks are and how they work.
How a BEC attack works
There are many ways BEC attacks can be carried out, but they all boil down to a simple formula: the attacker tries to persuade an employee to send money to the attacker by impersonating someone the employee trusts.
Attackers typically try to stack the odds in their favor in two ways. First, they make the attack believable through their choice of whom to impersonate. Second, they create a sense of urgency, so that the intended victim is less likely to question the transaction and less likely to follow the proper payment channels that could catch the fraud.
Attackers skillfully combine these two tactics to make them as effective as possible.
For example, in one type of BEC attack we have seen, an employee receives an urgent message from the CEO or another senior executive asking them to pay an overdue invoice or to buy gift cards for an urgent company event, typically while the executive is away from the office. These could be emails or text messages, but attackers have even used deepfake technology to mimic voicemail messages and phone calls. In 2019, an executive lost €220,000 in such an attack when the attacker used deepfake audio to impersonate the CEO.
In another type of BEC attack, the attacker uses a fake or compromised email account to convince an employee that they are dealing with a legitimate vendor. The attacker may exchange multiple emails with the intended victim to establish that they are a genuine vendor before sending a fake invoice. This is how the attack on Barbara Corcoran took place.
A third type of BEC attack targets corporate payroll. Here the attacker impersonates an employee and tries to get the company's payroll staff to change that employee's direct deposit information to an account the attacker controls. These attacks are more subtle and time-consuming, but they are very effective.
In almost all cases the BEC attacker's goal is money, obtained either by wire transfer (including cryptocurrency) or through gift cards. It may be surprising that gift cards are used in such attacks, but attackers have found them an easy way to move and launder money.
How to protect against BEC attacks
BEC attacks are, at heart, old-fashioned confidence scams that take advantage of current technology. This type of scam existed long before email and voicemail. Because they are not technology-based attacks, technology-based defenses cannot counter them the way they can counter, for example, ransomware. A well-crafted BEC email is hard for security software to distinguish from a legitimate one, especially if it was sent from a trusted person's real (but compromised) account.
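To make that limitation concrete, here is an added Python illustration (it is not code from the article or from Avast). It runs a few common BEC header heuristics, a display name that matches an executive but an address that does not, a Reply-To pointing at a different domain, a look-alike sender domain, and urgency wording, over three constructed messages. The executive list and trusted domains are hypothetical. The first two messages trip the checks; the third, sent from the executive's genuine but compromised account, passes clean, which is exactly the case the paragraph above describes.

```python
"""Added illustration of simple BEC header heuristics and where they stop working.
Standard library only; the messages below are constructed for this example."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data (assumptions, not from the article).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}          # display name -> real address
TRUSTED_DOMAINS = {"example.com", "vendor.example"}          # our domain plus a known vendor
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "gift card", "wire")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list:
    """Return the names of the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(addr)
    found = []

    # 1. Display name belongs to an executive, but the address is not that executive's.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        found.append("display-name-spoof")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    if reply_to and _domain(reply_to) != sender_domain:
        found.append("reply-to-mismatch")

    # 3. Sender domain is one edit away from a domain we trust (e.g. vend0r vs vendor).
    if sender_domain and sender_domain not in TRUSTED_DOMAINS and any(
        _edit_distance(sender_domain, t) <= 1 for t in TRUSTED_DOMAINS
    ):
        found.append("lookalike-domain")

    # 4. Pressure language in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS):
        found.append("urgency-language")

    return found


# Constructed sample messages.
SPOOFED_CEO = (
    'From: "Jane Doe" <jane.doe@gmail-mail.test>\n'
    "Reply-To: <jane.doe.ceo@mailbox.test>\n"
    "Subject: Urgent: need gift cards today\n"
    "\n"
    "I'm in a meeting all day. Buy 10 gift cards and send me the codes.\n"
)
LOOKALIKE_VENDOR = (
    'From: "Vendor Billing" <billing@vend0r.example>\n'
    "Subject: Updated bank details for invoice 4471\n"
    "\n"
    "Please use the new account for this and future payments.\n"
)
COMPROMISED_ACCOUNT = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Subject: Invoice from our new supplier\n"
    "\n"
    "Could you take care of the attached invoice when you get a chance? Thanks.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed CEO", SPOOFED_CEO),
                       ("look-alike vendor", LOOKALIKE_VENDOR),
                       ("compromised account", COMPROMISED_ACCOUNT)):
        print(f"{label:20s} -> {bec_indicators(raw) or 'no indicators'}")
```

The third result is the point: nothing in the headers or wording of a message from a genuinely compromised account looks wrong, so the only remaining control is the out-of-band verification by a person that the rest of this section describes.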
In short, protection against BEC attacks needs to focus on two things: you and your employees.
First, educate yourself and your employees about BEC attacks. Learning to be suspicious when an unexpected email from the CEO suddenly arrives goes a long way toward preventing these attacks.
Next, review your payment processes and emphasize the importance of following established rules for paying invoices, changing direct deposit information, and buying and sending gift cards. For example, make sure employees know they must call the person or vendor requesting the payment, using a phone number already on file rather than one supplied in the request, and confirm that the invoice or request is legitimate before doing anything else. Emphasize that even a request that appears to come from a senior person in the company must be verified. Attackers try to convince their intended victims to keep these requests secret in order to improve their chances of success; make it clear that in such situations employees can and should ask questions.
Ultimately, a BEC attack succeeds because the attacker tricks the victim into believing the deception. BEC attacks use technology, but in reality they are just a modern twist on old-fashioned scams and cons. To thwart them, you need to adapt to the new ways these old scams are carried out.
The good news is that with proper training and education, and with the right policies and procedures, these attacks can be thwarted. Over time, you need to educate yourself and your employees about the fact that these scams exist, how they work, and the proper way to handle payment requests, regardless of how they are delivered.