How Common is BEC?
According to the FBI's Internet Crimes Complaint Center (IC3) division, BEC crimes were the costliest cyber threat of 2020, with adjusted losses estimated at $1.8 billion overall. The Verizon Data Breach Investigations Report 2021 tells a similar story, slotting BEC as the second-riskiest data breach driver in 2020, riding the wave of rampant brand impersonation schemes, especially on social media.
Similarly, the Canadian Anti-Fraud Centre (CAFC) received reports of almost $30 million in 2020 BEC losses. The total for 2021 is estimated to be much higher, with over $26 million in losses reported during the first half of the calendar year alone.
The above statistics reinforce how prevalent and dangerous BEC attacks are to companies and the individuals who are tricked into giving up money, company information, and technology. The IC3 division recommends that company employees remain suspicious of email requests for secrecy or pressure to act quickly.
Security awareness training and continuous education are vital in reinforcing the importance of staying cyber aware when handling email and the inbox.
What Are The 5 Types Of BEC Scams?
There are five types of BEC scams that you need to be aware of:
How Does BEC Happen?
Because of the nature of the crime, a BEC attack requires a strategic and thorough approach.
1. The cyber criminal spends time researching the target company. The criminal uses publicly available information such as press releases, LinkedIn profiles, website content, and social media posts to collect the names and titles of key company personnel.
Some cyber criminals go so far as looking for travel plans, conference attendance details, company partners and investors, new product information, and basic facts about the company.
2. Using this information, the cyber criminal then either hacks the company email system using a phishing technique or spoofs an email account of a key employee.
3. Once inside the company, the cyber criminal uses this email access and the information they've collected about the company to send targeted, familiar, and urgent emails to employees who the criminal believes will respond accordingly.
4. Unsuspecting employees receive emails from the cyber criminal masquerading as a colleague, lawyer, or company partner requesting a payment, fund transfer, or confidential information.
5. Because the email address is familiar and the request is not out-of-the-ordinary, the innocent employee doesn't think twice and does precisely as the cyber criminal requests. Typically, the employee believes they’re acting in the company's best interest by paying an overdue invoice or transferring funds to a new company partner.
It's important to remember that BEC schemes rely on savvy social engineering techniques and the human element of trust.
Phishing simulations allow you to identify which employees are prone to BEC scams and phishing attacks, demonstrating how easy it is for cyber security attacks like BEC to happen.
How To Prevent BEC Attacks
To prevent BEC attacks, do the following:
Use proven security awareness training and phishing simulation platforms to keep employees' BEC and social engineering risks top of mind. Create internal cyber security heroes committed to keeping your organization cyber secure.
Remind your security leaders and cyber security heroes to regularly monitor employee BEC and phishing awareness with phishing simulation tools. Take advantage of BEC microlearning modules to educate, train, and change behavior.
Provide ongoing communication and campaigns about cyber security, BEC, and social engineering. This includes establishing strong password policies and reminding employees about the risks that can come in the format of emails, URLs, and attachments.
Establish network access rules that limit the use of personal devices and the sharing of information outside of your corporate network.
Ensure that all applications, operating systems, network tools, and internal software are up-to-date and secure. Install malware protection and anti-spam software.
Phishing simulation is the best way to raise awareness of BEC risks and identify which employees are at risk for BEC scams and phishing.
BEC relies on phishing techniques to access the company email system and uses social engineering techniques to convince employees to act as requested.
Phishing simulation lets you easily incorporate cyber security awareness training into your organization in an interactive and informative format.
People see first-hand how personalized, trustworthy-looking emails are used to steal personal and corporate information. Real-time BEC and phishing simulations are ideal for any organization to educate people and raise their alertness to BEC schemes and techniques.
How Can Phishing Simulations Help Prevent BEC?
Phishing simulations allow you to show employees in real-time how easy it is to fall victim to a BEC attack.
Using real-world examples and sophisticated phishing simulations, employees realize why it is essential to verify email addresses and to confirm requests for funds or confidential information before acting.
Phishing simulations give your organization these top 10 benefits in the defense against BEC scams and other cyber security threats:
1. Measure the degrees of corporate and employee vulnerability
2. Eliminate the cyber threat risk level
3. Increase user alertness to BEC and phishing risk
4. Instill a cyber security culture and create cyber security heroes
5. Change behavior to eliminate the automatic trust response
6. Deploy targeted anti-phishing solutions
7. Protect valuable corporate and personal data
8. Meet industry compliance obligations
9. Assess the impacts of cyber security awareness training
10. Segment BEC and phishing simulation
To learn more about BEC and how you can keep your organization cyber secure, take advantage of our free cyber security awareness resources: