Did you know that last year the FBI Internet Crime Complaint Center (IC3) reported a total exposed loss of $12.5 billion to BEC? So what is BEC, and why is it so dangerous to you and your business? BEC stands for Business Email Compromise, a newer form of phishing scam that specifically targets managers, employees, and even clients. This Internet-based financial scam is more nefarious than your regular phishing email.

The Scenario

You receive an email from your supervisor or your boss. The subject line reads: “Are you at the office?” It sounds innocent. After a few email exchanges, the sender asks you to click on a link, edit a file, send out a gift card, or send some sensitive information to a colleague or an email address.

How does it work?

Most phishing emails are designed to get a response from their victims in order to collect the information the scammer needs to make the scam work. Most BECs do not make the malicious request up front; instead, scammers engage their victims in conversation over a few email exchanges before they make the malicious request. Unlike other phishing scams, BECs are interactive phishing attacks because the victim has a live dialogue with the actual attacker. The attacker hopes that the back-and-forth exchange will lower the victim’s guard and allow him to make the malicious request after four or five emails.

Why is it so dangerous?

Unlike your regular phishing scam, BECs are whaling phishing attacks that target organizations and their managers because they control the most funds and resources. BECs are designed to steal both your business’ money and its valuable information. In many cases, a BEC attack targets an employee who has authorization to send wire transfers. A BEC could also be designed to collect sensitive or valuable data from the company. In today’s business world, data has become a valuable company resource, so in some cases data theft is the motive for a phishing attack. Data theft normally goes after sensitive corporate financial documents, W-2s, and client or user data.

Worst BEC Incidents

While many attackers target large corporations, small- and medium-sized businesses are not exempt from phishing attacks. Early last year, 144 universities across the U.S. and 47 private organizations were victims of a spear phishing scam that targeted professors and managers. Although no wire transfers were made or requested, the attackers got away with $3 billion worth of intellectual property, and they hacked over 100,000 accounts, stealing about 8,000 credentials. In 2017, a Lithuanian hacker was caught after receiving wire transfers from Google and Facebook amounting to over $100 million. He gained access to Quanta Computer emails and used this access to spoof Google, Facebook, and Apple.

Phishing attack statistics

It is important to know that phishing attacks on businesses and organizations are on the rise. Since 2017, phishing attacks have increased by 65% and BECs by 76%. According to Verizon, 30% of phishing messages were opened, and 12% of the links or attachments were opened as well. It gets worse: the SANS Institute reports that BEC spear phishing has a 95% success rate. After a data breach related to phishing, companies report that about 30% of customers close their accounts or switch to competitors.

What can you do to stop BEC and phishing?

The overall solution sounds simple: don’t send money for an unusual request, don’t click a suspicious link, and don’t open a suspicious-looking file. However, BECs have been successful because scammers are deceptive, manipulative, and convincing, so protecting your organization from BECs requires a few proactive security steps and measures.

  • Increase awareness of new phishing techniques through your organization’s email user policy. Let employees know what a Business Email Compromise attack is, who its main targets are, and how the scam normally unfolds.
  • Improve email security by using tough-to-crack passwords. Employees should be encouraged to use strong, unique passwords for their business email accounts. More importantly, enable two-step verification to make work email accounts safer.
  • Set a funds-sending protocol for employees who handle funds and transfers. One of the most low-tech solutions is channel switching, where a request received by email is moved to another communications platform, such as Slack or a phone call, to continue the conversation. More importantly, set up a transfer verification procedure that requires your employee to confirm with his or her superior before making any unscheduled payment.
  • Use cybersecurity software built on AI and ML technology that analyzes emails for suspicious behavioral cues and intent in order to detect a phishing threat.
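The conversational pattern described under “How does it work?” (rapport first, the malicious request several emails later) and the behavioral-cue analysis mentioned in the last bullet can both be illustrated with a small rule-based scorer. The following is an added example, not code from the original article or from any product it refers to. It assumes a hypothetical executive directory (`EXECUTIVES`), a set of the organization’s own domains (`INTERNAL_DOMAINS`), and constructed sample threads; the indicator names and thresholds are the example’s own choices.

```python
"""Rule-based BEC indicator scoring over an email thread (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed data: a hypothetical executive directory and the organization's
# own domains. In practice these would come from the directory service.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}

# Phrases that turn an innocent-looking thread into a BEC request.
REQUEST_PATTERNS = [
    (re.compile(r"\bgift cards?\b", re.I), "gift_card_request"),
    (re.compile(r"\bwire (transfer|payment)\b", re.I), "wire_transfer_request"),
    (re.compile(r"\bw-?2s?\b", re.I), "w2_request"),
    (re.compile(r"\b(urgent|asap|right away|immediately)\b", re.I), "urgency"),
    (re.compile(r"\b(keep this (between us|quiet)|confidential)\b", re.I), "secrecy"),
    (re.compile(r"https?://\S+", re.I), "link"),
]
# Indicators that count as the actual "ask"; urgency and secrecy are pressure cues.
REQUEST_KINDS = {"gift_card_request", "wire_transfer_request", "w2_request", "link"}


@dataclass
class Email:
    sender_name: str
    sender_addr: str
    reply_to: str  # empty string when no Reply-To header is present
    subject: str
    body: str


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def email_indicators(mail: Email) -> Set[str]:
    """Return the set of BEC indicators found in a single message."""
    found: Set[str] = set()
    sender_dom = domain_of(mail.sender_addr)
    # Display name of a known executive, but the address is not that executive's.
    known = EXECUTIVES.get(mail.sender_name.lower())
    if known and mail.sender_addr.lower() != known:
        found.add("display_name_spoof")
    # External domain that is only a character or two away from an internal one.
    if sender_dom not in INTERNAL_DOMAINS and any(
            edit_distance(sender_dom, d) <= 2 for d in INTERNAL_DOMAINS):
        found.add("lookalike_domain")
    # Replies silently redirected to a different domain than the visible sender.
    if mail.reply_to and domain_of(mail.reply_to) != sender_dom:
        found.add("reply_to_mismatch")
    text = f"{mail.subject}\n{mail.body}"
    for pattern, label in REQUEST_PATTERNS:
        if pattern.search(text):
            found.add(label)
    return found


def thread_indicators(thread: List[Email]) -> Dict[str, object]:
    """Score a whole thread, flagging the delayed-request pattern typical of BEC."""
    per_mail = [email_indicators(m) for m in thread]
    all_found: Set[str] = set().union(*per_mail) if per_mail else set()
    first_request = next(
        (i for i, ind in enumerate(per_mail) if ind & REQUEST_KINDS), None)
    # The article's pattern: innocuous opener(s), then the ask a few mails later.
    if first_request is not None and first_request > 0:
        all_found.add("delayed_request")
    return {"indicators": sorted(all_found),
            "first_request_index": first_request,
            "score": len(all_found)}


# Constructed sample threads (not real messages).
SAMPLE_THREAD = [
    Email("Jane Doe", "jane.doe@examp1e.com", "", "Are you at the office?",
          "Hi, are you at your desk? Need a quick favor."),
    Email("Jane Doe", "jane.doe@examp1e.com", "", "Re: Are you at the office?",
          "Great. I'm in a meeting and can't talk on the phone."),
    Email("Jane Doe", "jane.doe@examp1e.com", "ceo.reply@mail-relay.test",
          "Re: Are you at the office?",
          "I need you to buy 5 gift cards for a client ASAP. Keep this between us."),
]
BENIGN_THREAD = [
    Email("Jane Doe", "jane.doe@example.com", "", "Q3 report",
          "Can you send me the Q3 report when it is ready? Thanks."),
]

if __name__ == "__main__":
    print(thread_indicators(SAMPLE_THREAD))
    print(thread_indicators(BENIGN_THREAD))
```

A scorer like this is deliberately simple: it catches the cues the article names (spoofed executive name, lookalike domain, redirected replies, gift card or wire requests, urgency, secrecy, and the request arriving only after a few exchanges) and is meant to feed a human verification step such as the channel switch described above, not to replace it.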