BEC stands for Business Email Compromise. This is a scam in which bad actors target organizations via email to steal money, goods or information. In a BEC attack, the emails look as if they come from a legitimate source and are part of normal business; however, the sender is in fact an imposter.
BEC is a growing problem that targets businesses of all sizes and all industries, and it happens all over the world. For the period June 2016 to July 2019, the FBI reported worldwide losses in the region of 26 billion dollars. And it’s not just small businesses that are victims – companies as large as Facebook, Google, and Toyota have famously fallen victim to this type of crime to the tune of tens of millions of dollars.
In these types of crimes, criminals leverage the fact that so much business is conducted via email, and employees often feel very pressured to respond quickly. The rapid rise of remote working due to the Covid-19 pandemic, where employees and customers interact very little in person, has made this even more prevalent.
In a BEC scenario, an employee (or another person) receives an email that looks like it is from a legitimate sender asking for something that appears to be normal business, to be actioned quickly. It could appear that the email is from a customer, a vendor, a colleague, or senior management. But in reality, the sender is a criminal seeking to divert funds to other accounts.
Let’s look at some examples of these requests:
The payroll department receives an email from an employee very close to payday, stating that they have changed their banking details and that their salary must be paid into the new account. Often this is accompanied by a fake bank letter or other fraudulent documentation. The payroll clerk does so, and the crime only comes to light when the real employee asks why they have not received their salary.
A vendor with which the company regularly does business sends an email to the finance department, also stating that their banking details have changed and that payments must be made into the new account. This may also be accompanied by fake documents. Again, this is only discovered when the real vendor enquires why they have not received payment.
An email is sent to the finance department from a senior manager, accompanied by an invoice for a vendor that must be paid immediately. There is no such real vendor and the mail is not from the manager. This is frequently unnoticed until statements are checked.
A senior manager sends an employee an email with instructions to purchase gift cards, ostensibly to be given to employees or customers as rewards. The ‘manager’ then asks for the serial numbers so that they can send the rewards personally. The scammer then redeems the gift cards themselves.
A purchaser of a high-value financed item, such as property, a vehicle, or capital equipment, is sent an email from what appears to be the financial provider, or legal representatives thereof, with instructions on where to wire deposits or payments. But the email is not from the real provider, and the unfortunate buyer has lost their money and possibly the goods due to non-payment.
An employee receives an automated workflow email that instructs them to perform an action such as making a payment, releasing goods or data, or even resetting a password. The employee may receive many of these automated emails daily as part of their job and action them as routine, but this time it’s not from the real source.
These are just a few examples of the kinds of crimes that happen all the time. And it’s not just money that criminals are after – frequently they request data such as employee, customer, or vendor records, or even passwords. These fake data requests are even more insidious, as the victim company usually has no idea that it has supplied information to criminals. The criminals can use this data for all sorts of nefarious purposes, such as identity theft, account takeover fraud, and of course perpetrating further BEC scams.
So how do they do it?
There are many ways that BEC scammers can carry out their crimes. They first identify their intended targets and then research how best to attack them and achieve their goals.
In order to impersonate a legitimate person, the criminal could use various means such as spoofing an email account or website. Spoofing means making the sender appear, at first glance, to be someone else. It’s actually not difficult to do this, and bulk email programs offer it as a standard feature. Another trick they could employ is to register a domain that is very similar to the name of the one they wish to impersonate. The domain usually differs from the real one by such a minor detail that most people don’t notice unless they look very carefully. For example, firstname.lastname@example.org looks very similar to email@example.com.
Criminals also frequently use malware that quietly sits in the background and allows them to gain access to emails and other data, which they then use to carry out their attacks.
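One defensive check the lookalike-domain trick invites, as an added example written for this article rather than code from Baer’s Crest: compare each sender’s domain against a list of trusted domains, folding common character substitutions and flagging near-misses. The trusted domains, the confusable-character table and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that look like, but are not, a trusted domain.

Added example (not the article's own code). The trusted-domain list and
the sample sender addresses below are constructed for illustration.
"""
from typing import List, Optional

# Characters and digraphs commonly substituted in lookalike domains
# (constructed table; extend it with whatever your own mail logs show).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lowercase and fold confusables so 'acrne-c0rp.com' compares equal
    to 'acme-corp.com'."""
    d = domain.lower().strip()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, trusted: List[str], max_dist: int = 2) -> Optional[str]:
    """Return the trusted domain the sender imitates, or None.
    An exact match is the legitimate domain, not a lookalike."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None
    for t in trusted:
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= max_dist:
            return t
    return None


if __name__ == "__main__":
    TRUSTED = ["acme-corp.com", "bigbank.example"]  # constructed sample list
    for addr in ["ap@acme-corp.com", "ap@acrne-corp.com",
                 "ap@acme-c0rp.co", "ceo@unrelated.example"]:
        print(addr, "->", lookalike_of(addr, TRUSTED))
```

A hit is a reason to verify the request out of band, not proof of fraud; legitimate domains can also sit within two edits of each other.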
How can businesses protect themselves against Business Email Compromise?
Training and awareness are a priority in curbing these types of crimes, along with implementing simple procedures. Here are a few tips for helping to prevent BEC:
- Make staff aware of the types of BEC scams and how they work
- Be careful with information shared on social media that could give clues to passwords, such as the names and birthdays of children and pets
- Don’t click on links in emails requesting that you update information
- Be careful what you download: never open an attachment in an email from someone you do not know, and treat attachments forwarded to you with suspicion
- Institute internal policies for risky processes, such as verifying change of banking details, payments to new vendors or data requests
- Use multifactor authentication on any account that offers it
- Utilize cyber security software, and keep it updated
- Encourage critical thinking
Crime is everywhere, and companies must do everything they can to maintain vigilance and minimize risk in all aspects of their business. At Baer’s Crest we partner with payment providers that make security a priority, giving our clients one less thing to worry about. Talk to us about secure payment solutions for your business.