According to a report by the Financial Crimes Enforcement Network (FinCEN) released in July, financial institutions have incurred more than $9 billion in losses due to Business Email Compromise (BEC) schemes since 2016. With such staggering losses, businesses and even individuals can’t afford to ignore BEC attacks.

What is BEC?

BEC fraud involves cyber thieves posing as a company executive or a trusted business contact in order to commit wire-transfer fraud or obtain sensitive information. The main targets are businesses that work with foreign suppliers or that make regular wire-transfer payments.

To carry out this attack, criminals might pretend to be the company CEO and request that a junior staff member perform a task for them, such as transferring funds. Attackers take advantage of the fact that most organizations don’t have a set procedure to verify instructions received from the top management.

How Attackers Collect Data from their Targets

Cyber criminals combine reconnaissance and impersonation techniques to carry out BEC fraud, with the main aim of stealing funds from the victims. The techniques used include:

  • Imposter techniques – a look-alike domain (one or two characters different from the real one), display-name deception (an executive's name on an unrelated mailbox) and spoofed headers that make the message appear to come from a legitimate address.
  • Social engineering – when a target has not set appropriate privacy settings on social media accounts, an attacker can easily collect details about roles, travel and relationships that make the fraudulent request sound legitimate.
  • Malware – gives attackers access to mailboxes and internal information, such as invoices, payment schedules and contact names, that makes the fake request sound legitimate.
  • Mining the dark web – attackers buy or collect previously stolen credentials.
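The three imposter techniques above can be checked mechanically on a message's headers before a human ever reads it. The following is an added example, not code from the original article or any product it mentions; the corporate domain, the executive list and the four sample messages are constructed for it, and the two-edit threshold for "look-alike" is an assumption.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the organisation's own mail domain and a
# small list of executives whose names attackers like to borrow.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str) -> list[str]:
    """Return a list of imposter indicators found in the message headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = _domain(from_addr)

    # 1. Display-name deception: a known executive's name on a foreign address.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display-name deception: '{display}' sent from {from_addr}")

    # 2. Look-alike domain: a domain within two edits of our own (examp1e.com).
    if from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"look-alike domain: {from_domain} resembles {CORPORATE_DOMAIN}")

    # 3. Spoofed From: claims our domain, but the envelope sender is elsewhere.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    rp_domain = _domain(return_path)
    if from_domain == CORPORATE_DOMAIN and rp_domain and rp_domain != CORPORATE_DOMAIN:
        findings.append(f"spoofed From: envelope sender is {return_path}, not {CORPORATE_DOMAIN}")

    # 4. Reply-To redirection: replies would leave the organisation entirely.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"reply-to redirect: replies go to {reply_to}")

    return findings


# Constructed sample messages (headers only matter for this check).
MSG_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 supplier payment

Please process the attached invoice as usual.
"""

MSG_DISPLAY_NAME = """\
From: Jane Doe <jane.doe.ceo@freemail.example>
To: accounts@example.com
Subject: Urgent - need this done today

I'm in a meeting, please wire the amount below before noon.
"""

MSG_LOOKALIKE = """\
From: Accounts Payable <invoices@examp1e.com>
To: accounts@example.com
Subject: Updated bank details for invoice 4471

Our remittance account has changed, see below.
"""

MSG_SPOOFED = """\
From: Jane Doe <jane.doe@example.com>
Return-Path: <bounce@attacker.example>
Reply-To: Jane Doe <jane.doe@attacker.example>
To: accounts@example.com
Subject: Confidential acquisition payment

Keep this between us for now.
"""

if __name__ == "__main__":
    for name, raw in [("legit", MSG_LEGIT), ("display-name", MSG_DISPLAY_NAME),
                      ("look-alike", MSG_LOOKALIKE), ("spoofed", MSG_SPOOFED)]:
        print(name, analyze(raw) or ["no findings"])
```

Edit distance catches typo-squats such as a digit 1 for the letter l, but not Unicode homoglyph domains or a legitimately named but unrelated domain; treat these findings as triage signals that trigger the out-of-band verification described later, not as a verdict.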

How to Avoid BEC Attacks

It is difficult for conventional security systems to detect BEC schemes. Consider a case in which a transaction is initiated willingly by a legitimate user in response to a request from what appears to be a legitimate source. Such an email carries no payload, such as a malicious attachment or link, that a filter can block.

Here are some methods to help reduce the possibility of these attacks:

  • Raising awareness of common attack scenarios and tactics used by the cyber criminals, such as a domain name that looks almost like the original one, impersonation of a vendor, a false sense of urgency or a request for secrecy.
  • Training employees on cyber security risks and their implications.
  • Implementing email authentication protocols such as DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), and publishing a DMARC policy that quarantines or rejects unauthenticated mail claiming to come from your domain.
  • Using layered defenses, such as encryption and virtual private networks.
  • Implementing multifactor authentication, which introduces a secondary authorization control. This helps stop attackers even when they already have the target's credentials.
  • Establishing communication protocols that allow for a follow-up. For instance, if a person requests a financial transaction, an employee should call the requester to confirm it, using a phone number already on file rather than one taken from the email.
  • Scrutinizing all emails that request a fund transfer or a change of payment details.
  • Monitoring incoming email, especially messages whose display name matches an executive but whose address is external.
  • Tightening accounting controls, for example by requiring a second approver for wire transfers and for changes to supplier bank details.
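DMARC is the item on this list that is most often configured in a way that looks protective but blocks nothing. The following added example (not code from the original article) parses a DMARC record, flags the weak settings, and shows the receiver-side decision for a message that fails authentication under a monitoring-only record versus an enforcing one. The two records and the SPF/DKIM outcomes are constructed for the example.

```python
# DMARC policy audit and receiver-side disposition. The two records and the
# authentication outcomes passed to dmarc_disposition() are constructed.

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list[str]:
    """Return the settings that leave the domain open to From-header spoofing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: receivers treat the domain as unprotected"]
    problems = []
    policy = tags.get("p", "none")
    if policy == "none":
        problems.append("p=none: spoofed mail is only reported, never blocked")
    # sp= defaults to p=, so an explicit sp=none silently re-opens subdomains.
    if tags.get("sp", policy) == "none" and policy != "none":
        problems.append("sp=none: subdomains can still be spoofed")
    if int(tags.get("pct", "100")) < 100:
        problems.append(f"pct={tags['pct']}: policy applies to only a sample of failing mail")
    if "rua" not in tags:
        problems.append("no rua: you will not see who is sending as your domain")
    return problems


def dmarc_disposition(record: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """What a receiver does with a message whose From: domain publishes this record.

    DMARC passes if either SPF or DKIM passes *and* aligns with the From:
    domain; only a failing message is subject to the p= policy.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "deliver"  # no usable policy: receiver falls back to its own heuristics
    if spf_aligned or dkim_aligned:
        return "deliver"
    return {"quarantine": "quarantine", "reject": "reject"}.get(tags.get("p"), "deliver")


if __name__ == "__main__":
    for label, record in [("weak", WEAK_RECORD), ("strict", STRICT_RECORD)]:
        print(label, "audit:", audit_dmarc(record) or ["ok"])
        # A forged message: neither SPF nor DKIM passes in alignment with From:.
        print(label, "forged From: ->", dmarc_disposition(record, False, False))
```

Note what DMARC does and does not cover: with p=reject a message forging your exact domain is dropped, but a look-alike domain or an executive's name on a free-mail address passes DMARC for its own domain, so those cases still depend on the out-of-band verification and payment controls listed above.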

Final Thoughts

Apart from taking precautionary measures, businesses should also make sure that their insurance specifically covers BEC attacks, as courts may interpret policies differently. Consider the case of Apache Corporation, which lost $7 million to a BEC attack. The court ruled that because the money was sent to pay a legitimate invoice, only to the wrong bank account, the loss was not covered by the company's insurance policy.

Note that many of these criminals operate from countries that may not have strict laws on cybercrime, making it difficult to have them prosecuted.

So, whether you run a small, medium or large business, or even just a personal account, it is vital that you take precautionary measures against the growing number of BEC schemes.

