Business email compromise (BEC) attacks are a type of cyberattack where criminals try to trick employees into making wire transfers or sharing sensitive data by impersonating senior executives or trusted business partners over email. These sophisticated scams are becoming more prevalent each year, causing major financial and data losses for organizations worldwide.
What is a Business Email Compromise Attack?
A business email compromise attack is a type of cyber scam where criminals gain access to a company’s email system, or spoof email addresses, in order to impersonate senior executives and request fraudulent wire transfers or sensitive data from employees.
The FBI reports that BEC attacks often start with phishing emails or malware that allows the criminals to infiltrate the company’s email system and study communication patterns. The criminals then use this insider knowledge to craft convincing fake emails impersonating executives and requesting time-sensitive wire transfers, sensitive data, or gift card purchases.
Employees often comply with these requests believing them to be legitimate orders from their superiors. But in reality, the funds or data are going straight to the criminals.
Staggering Financial Losses From BEC Attacks
According to the FBI, business email compromise scams have caused over $43 billion in losses worldwide between June 2016 and December 2021. That’s a staggering figure.
The losses per individual company can reach several million dollars per incident. For small and medium-sized businesses, these huge unrecoverable losses can be catastrophic enough to force them to shut down entirely.
Data Breaches and Reputational Damage
In addition to direct financial losses from fraudulent transfers, BEC attacks can also lead to:
- Data breaches: Criminals may obtain access to customer and employee data like Social Security numbers, bank account details, passwords, and more.
- Reputational damage: The news of a major BEC scandal can severely hurt an organization’s public image and customer trust.
BEC Attacks Across Every Industry
No company or industry is immune to business email compromise scams. The FBI reports that BEC attacks have impacted:
- Manufacturing
- Law firms
- Healthcare
- Real estate
- Retail
- Consumer goods
- And many more
Any company that performs regular wire transfers is vulnerable to these scams.
Tactics Used in Business Email Compromise Schemes
The criminals behind BEC scams are experts at social engineering and crafting convincing fake emails. Some of the common tactics include:
- Spoofing – Creating fake email addresses that closely mimic real executives’ names and email addresses. Even one misplaced letter can go unnoticed.
- Malware infections – Malware allows criminals to silently monitor the target company’s communications and processes.
- Hacking – Directly breaking into employee email accounts through phishing, brute force attacks or stolen credentials.
- Intercompany invoicing – Faking invoices from partner companies and vendors to get funds sent to criminal accounts.
- Time sensitivity – Creating false urgency with claims like “Attached invoice needs paid today” to get employees to act quickly without scrutiny.
- Seeming legitimacy – Referencing real people, vendors, projects, and activities at the company to appear authentic.
Real-Life Examples of Costly BEC Attacks
Some notable examples of large BEC scams at major corporations demonstrate how damaging these attacks can be:
- Facebook – In 2019, Facebook and its subsidiary Instagram got scammed out of $123 million in BEC schemes. The criminals impersonated real vendors and contractors doing business with the companies in order to divert large invoice payments to their own bank accounts.
- Mattel – Toy company Mattel lost over $3 million in a BEC scam. Criminals posed as Mattel’s CEO to convince an employee to transfer funds for a fake acquisition project.
- Ubiquiti Networks – A BEC scam caused this tech firm to make an unauthorized transfer of $39 million. Posing as an Ubiquiti executive, the criminals instructed an employee to wire funds to an overseas account.
As these examples demonstrate, even large sophisticated corporations are falling victim to BEC scams and losing millions.
How Can Organizations Defend Against BEC Threats?
Defending against ever-evolving BEC schemes requires a multi-layered approach including:
- Cybersecurity training – Train employees to identify telltale signs of BEC scams like grammatical errors, time urgency, unexpected payment requests, and slight email address variations. Conduct simulated phishing tests.
- Multi-factor authentication – Require a second form of identity verification, such as biometrics or a one-time password, before acting on any email request for a financial transaction.
- Vendor verification processes – Call the vendor directly on a known number to verbally confirm any payment change requests.
- Analyze email patterns – Monitor for abnormal spikes in mail volume and origins. BEC attacks often start with malware email waves.
- Limit user privileges – Only give employees access to the systems and data necessary for their specific jobs, limiting the damage criminals can do through a compromised account.
- Email security filters – Implement security solutions to flag suspicious sender addresses and block malicious links and attachments.
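The tactics listed earlier (lookalike sender domains that differ by a single character, executive impersonation, and urgent payment language) are exactly what an email security filter can check for mechanically. The following script is an added example, not code from the original article or any vendor product: it applies a handful of header and content heuristics to a raw email message and returns a list of finding codes. The trusted domains, the executive name list, the keyword lists, and both sample messages are constructed for the example.

```python
"""Header and content heuristics for triaging BEC-style email (constructed example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: the organisation's own domain and one known vendor domain.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
# Constructed list of executives whose names are worth protecting from display-name abuse.
EXECUTIVE_NAMES = {"jane doe"}
# Constructed keyword lists; a real filter would use a tuned, larger vocabulary.
URGENCY_TERMS = ("urgent", "today", "immediately", "asap", "right away")
PAYMENT_TERMS = ("wire", "invoice", "transfer", "bank account", "gift card")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small distance to a trusted domain
    is the signature of a lookalike (e.g. one swapped or inserted character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list[str]:
    """Return finding codes for one RFC 822 message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(from_addr)
    findings = []

    if sender_domain not in TRUSTED_DOMAINS:
        # Domain within two edits of a trusted one: "examp1e.com" vs "example.com".
        if any(0 < levenshtein(sender_domain, t) <= 2 for t in TRUSTED_DOMAINS):
            findings.append("lookalike-domain")
        # Executive's name in the display name but the mail comes from elsewhere.
        if any(name in from_name.lower() for name in EXECUTIVE_NAMES):
            findings.append("executive-name-mismatch")

    # Replies silently redirected to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != sender_domain:
        findings.append("reply-to-mismatch")

    # Urgency combined with payment language, the "needs paid today" pattern.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(u in text for u in URGENCY_TERMS) and any(p in text for p in PAYMENT_TERMS):
        findings.append("urgent-payment-request")
    return findings


# Constructed sample: executive impersonation from a lookalike domain.
SUSPICIOUS_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: <ceo.payments@freemail-example.net>
To: accounts@example.com
Subject: Urgent: wire transfer

Attached invoice needs paid today. Please send the wire before noon and
confirm by replying to this email.
"""

# Constructed sample: ordinary internal mail from the real executive.
LEGIT_MESSAGE = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 board meeting agenda

Please review the attached agenda ahead of next week's meeting.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, triage(raw))
```

The suspicious sample trips all four checks; the legitimate one trips none. Two caveats for anyone adapting this: an edit-distance threshold of two produces false positives on very short domains, so scale it with domain length or keep a separate list of known lookalikes, and header heuristics complement rather than replace SPF/DKIM/DMARC enforcement and the out-of-band call-back described under vendor verification above.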
The BEC Threat Continues Evolving
BEC criminals are always innovating new tactics and these scams are becoming more sophisticated each year. Organizations need to stay vigilant and regularly update their defenses to spot the latest schemes.
Comprehensive training, tech defenses, and fraud prevention processes are all essential for protecting companies against constantly morphing BEC attacks targeting their finances, data, and reputations. With proper precautions, companies can effectively guard against these predatory scams.