Business email compromise (BEC) is an advanced email scam that typically targets employees of companies who regularly transfer funds, manage payroll, or handle corporate payments.
Using compromised or spoofed email accounts, cybercriminals trick email recipients into updating account information, providing confidential company information, sending money, or sharing company innovations and technology.
Relying on social engineering tactics and advanced background research, cybercriminals send targeted emails using urgent, strategic, and familiar language to win the trust of the recipient. Often the email looks legitimate because the criminal has compromised the account of the employee’s manager, CEO, or a company partner or supplier, which makes a BEC scam very hard to identify.
The recent arrest of 281 people connected with Operation reWired, an international coordinated effort to crack down on BEC attacks, underscores why all companies must be aware of and alert to the real risks of cybercrimes.
How Common are BEC Scams?
The FBI and Internet Crime Complaint Center (IC3) reported on September 10, 2019 that BEC is a $26 billion scam. The FBI reported that between June 2016 and July 2019 there were over 166,000 domestic and international reports of BEC attacks.
That same day, the Department of Justice revealed that 281 people were arrested and $3.7 million was seized in an international BEC crack-down called Operation reWired:
- Four-month long coordinated effort.
- Included officials from the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of Treasury, U.S. Postal Inspection Service, and the U.S. Department of State.
- Arrests made in United States, Nigeria, Turkey, Ghana, France, Italy, Japan, Kenya, Malaysia, and the United Kingdom.
“In unravelling this complex, nationwide identity theft and tax fraud scheme, we discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in refunds,” said Chief Don Fort of IRS Criminal Investigation. (Department of Justice press release)
BEC scams are not limited to a narrow sector of the business world. As these arrests, the recent FBI data, and other investigations reveal, cybercriminals target a wide range of companies and individuals:
- Employees who regularly work with foreign suppliers and companies
- Businesses that regularly send wire and electronic funds transfers
- Human resources and payroll departments
- The elderly and people who have made recent real estate purchases
In its press release, the FBI emphasized that the best way for companies to remain protected from BEC scams is to educate employees with preventative training that shows them how easy it is to become a victim of a cybercrime.
It’s important to remember that BEC scams know no boundaries. The size of your business, where you operate, or how many employees you have has zero bearing on your risk level for a BEC attack.
Real-World Examples of BEC Scams
Consider these three very different real-world examples of BEC scams:
1. Toyota Boshoku Corporation
In early September, this major Toyota parts supplier reported that the company was the victim of a $37 million BEC scam. Cybercriminals convinced a Toyota Boshoku Corporation employee with financial authority to change the account details for an electronic funds transfer. The ramifications of this attack go beyond the dollar loss, forcing the company to readjust its March 2020 financial numbers.
2. Scoular Corporation
This Omaha-based commodities trading firm was the victim of an advanced BEC attack that involved a spear phishing wire fraud scam. Cybercriminals targeted a key employee with an email that appeared to come from the CEO, asking him to wire money to secure the acquisition of a company in China.
The email looked legitimate and used convincing language to trick the employee into thinking he was helping the company and the CEO. The BEC scam was reported to the FBI, which initially traced the money to an account at the Shanghai Pudong Bank; however, the account had been closed and the money moved. The spear phishing email used to start this BEC attack was created in Germany, and the domain name (kgpmg-office.com) was hosted on a server in Russia.
3. Cabarrus County, North Carolina
The county of Cabarrus paid $2,504,601 to a BEC cybercriminal who posed as a contractor working on a school construction project for the Cabarrus County Schools District. Through advanced research and targeted spear phishing, the cybercriminal collected enough information to pose as a legitimate contractor, Branch and Associates, working on the project.
A county employee received an email that looked like it came from Branch and Associates, asking the employee to update the contractor’s bank information. The cybercriminal went so far as to include attached documents for the employee to update; these documents, including signed approvals, were spoofed versions of legitimate Branch and Associates documents. The BEC scam and the stolen money were only discovered when Branch and Associates contacted the county regarding a missed payment.
As these three examples of BEC scams illustrate, anyone can be a victim of a BEC attack.
Phishing simulation is an important exercise that lets you see first-hand how easy it is to be tricked by a phishing email that can eventually lead to a sophisticated BEC attack. Find out if your users are at risk of being phished.
How To Protect Against BEC Scams
To protect against BEC scams, you need to develop and support a company-wide cyber security aware culture focused on changing human behavior.
BEC scams work because cybercriminals use sophisticated social engineering tactics to win the trust of targeted individuals who are then convinced that they’re acting in their or the company’s best interest by complying with the email request.
These criminals also know that fewer and fewer people pay close attention to domain names, URLs, and email addresses, and that most tend to overlook spelling errors.
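The attention to sender domains and addresses that the paragraph above says people lack can be automated at the mail gateway or in a SOC triage script. The following Python script is an added example, not code from the original article or from any vendor it mentions: it scores constructed sample messages for the BEC indicators the article describes, namely a sender domain that merely resembles a trusted one (like the kgpmg-office.com domain in the Scoular case), an executive's or vendor's display name on an external address, a Reply-To that diverts the conversation elsewhere, and urgency or bank-change wording. The trusted domain list, protected names and sample messages are assumptions made for this example; in particular, it assumes kgpmg-office.com was meant to resemble kpmg.com, which the article does not state.

```python
import re
from email.utils import parseaddr

# Hypothetical corporate context, constructed for this example (not from the article).
TRUSTED_DOMAINS = {"example-corp.com", "kpmg.com", "branchassoc.example"}
# Display names that attackers like to impersonate (constructed).
PROTECTED_NAMES = {"jane ceo", "branch and associates"}

# Wording typical of payment-diversion requests.
LURE_PATTERNS = [
    r"\burgent(ly)?\b",
    r"\bconfidential\b",
    r"\bwire\b",
    r"\b(update|change)d?\s+(your|our|the)?\s*(bank|account)\s+(details|information)\b",
    r"\bnew\s+(bank\s+)?account\b",
]


def levenshtein(a, b):
    """Classic edit distance; one edit away usually means a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain from a From:/Reply-To: header value, '' if absent."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def base_label(domain):
    """'kgpmg-office.com' -> 'kgpmg-office' (naive: ignores multi-part TLDs)."""
    return domain.split(".")[0]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this domain resembles, or None.

    A domain is a lookalike when its base label, or any hyphen-separated
    token of it, equals or is one edit away from a trusted base label.
    """
    if not domain or domain in trusted:
        return None
    candidates = {base_label(domain)} | set(base_label(domain).split("-"))
    for t in sorted(trusted):
        tb = base_label(t)
        if len(tb) >= 4 and any(c and levenshtein(c, tb) <= 1 for c in candidates):
            return t
    return None


def assess(msg):
    """Score one message (dict of header/body strings) for BEC indicators."""
    indicators = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[1].lower() if "@" in from_addr else ""
    reply_dom = domain_of(msg.get("Reply-To", ""))

    target = lookalike_of(from_dom)
    if target:
        indicators.append(f"sender domain {from_dom} resembles trusted {target}")
    if from_name.strip().lower() in PROTECTED_NAMES and from_dom not in TRUSTED_DOMAINS:
        indicators.append(f"display name '{from_name}' used from external domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    text = f"{msg.get('Subject', '')}\n{msg.get('Body', '')}".lower()
    hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if hits:
        indicators.append(f"{len(hits)} payment/urgency lure pattern(s) matched")

    # Two or more independent indicators: hold the request for out-of-band
    # verification (a call to a known number) before any payment change.
    return {"score": len(indicators), "indicators": indicators,
            "needs_verification": len(indicators) >= 2}


# Constructed sample messages; none are real emails from the article's cases.
SAMPLE_MESSAGES = [
    {"From": "Jane CEO <jane@kgpmg-office.com>",
     "Subject": "Urgent and confidential: acquisition wire",
     "Body": "Please wire the funds today to close the acquisition. Keep this between us."},
    {"From": "Branch and Associates <ap@branchassoc-billing.example>",
     "Reply-To": "billing@mail-relay.example",
     "Subject": "Updated bank details for invoice 4471",
     "Body": "Please update our bank information before the next payment. "
             "The new account details are in the attached signed approval."},
    {"From": "Jane CEO <jane@example-corp.com>",
     "Subject": "Board deck",
     "Body": "See attached slides for Thursday's board meeting."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        result = assess(m)
        print(m["From"], "->", result["score"], "indicator(s)", result["indicators"])
```

The score is deliberately a plain count of independent signals rather than a tuned weight: the point is that a single lookalike domain or a lone Reply-To mismatch is enough to route a bank-change request into a call-back procedure, and the first two constructed messages trip several signals at once while the genuine internal message trips none.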
To protect against BEC scams, you need to:
STEP 1 – Educate
Use security awareness training and BEC microlearning modules to educate, train, and change behavior.
STEP 2 – Monitor
Use phishing simulation tools to monitor employee knowledge and to identify who is at risk for a cyber attack.
STEP 3 – Communicate
Provide ongoing communications and campaigns about BEC, social engineering, and cyber security.
STEP 4 – Incorporate
Make cyber security awareness campaigns, training, support, education, and project management part of your corporate culture.
How aware are your employees of the threats that come through the inbox? Do your employees understand the real risks of phishing, spear phishing, and social engineering?
Phishing simulation must be part of your comprehensive security awareness training program. Ask for your free phishing simulation trial today to gain insight into how you can build a cyber security aware culture. The first step in protecting your company and employees from BEC scams and other cyber attacks is in knowing your risk level.