If your boss asks you to do an emergency wire transfer so that they can make a last-minute purchase order, you’d be very compelled to do so. If the directive came from a C-level executive, the demand will be even more dire. However, if you’re able to temper your sense of urgency with caution, then you might just save your company from losing millions of dollars to what could be a business email compromise (BEC) attack.
What is a BEC attack?
A BEC attack is a cybercriminal’s attempt at fooling employees — typically those authorized to handle company funds — into transferring money to the attacker’s account. The cybercriminal is usually very convincing because they:
- Gain control and use the senior executive’s actual email OR use an email address that closely resembles the one the hacker is spoofing
- Commit weeks or months studying the senior executive’s communication style and habits
- Learn how to manipulate the company’s protocols for processes involving corporate funds
- Write a personalized and persuasive email depicting a plausibly urgent situation that requires an immediate response
To ensure that employees open the fraudulent emails, attackers usually use attention-grabbing subject lines such as:
- Request
- Follow up
- Urgent/Important
- Are you available?/Are you at your desk?
- Payment Status
- Purchase
- Invoice Due
- Direct Deposit
- Expenses
- Payroll
| Top 10 business email compromise subject lines by country, July 2018 – June 2019 | |
|---|---|
| Country | Subject line |
| Australia | PAYMENT |
| Belgium | RE: YOU ARE ENTITLED TO A LOWER ENERGY BILL IN 2018! |
| Canada | URGENT |
| France | PAYMENT DUE 8 DEC. |
| Germany | PAYMENT |
| Japan | YOUR RECEIPT FROM APPLE |
| Singapore | CONFIDENTIAL |
| Spain | NOTIFICATION OF PAYMENT RECEIVED |
| UK | IMPORTANT |
| US | IMPORTANT |
BEC as a tactic is evolving
BEC scams are becoming increasingly sophisticated. For one, cybercriminals now target various staff that handle company funds, such as payroll managers in the HR department or even CEOs themselves.
Secondly, beyond senior executives, they now also impersonate lawyers and contractors. For instance, the City of Burlington, Ontario, electronically transferred over half a million dollars to a bank account that they thought belonged to a long-time city vendor.
The scammer did not infiltrate the city’s IT infrastructure nor did they steal any personal Information. Instead, they sent a phishing email requesting that the city vendor’s banking information be changed,.
How to avoid being victimized by BEC attacks
When it comes to fighting scams that involve capitalizing on human weaknesses, training company stakeholders is vital to an effective cybersecurity strategy. It’s therefore not surprising that the steps for fending off BEC attacks involve humans more than hardware or software, as can be seen below:
- Keep email accounts secure – Email is a key component in this scam, so securing company emails with stronger passwords, multifactor authentication, and email filtering software is crucial. Strongly urge your contractors and other third parties to implement more stringent email security as well.
- Double-check the sender’s email address – Teach employees that scammers don’t need to hijack a valid email account; the latter can create one that’s just a character away from the real thing. If an email sounds urgent and involves large amounts of money, it pays to check the spelling of the sender’s email address.
- Prevent sender fraud – Mitigate human error by using advanced email authentication standards to catch fraudulent email addresses. Top standards include SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
- Implement robust checks and controls – Even if an email comes from a valid address, you must have stringent verification protocols in place so that you can be sure that communications are not instigated by scammers. For instance, in the Cabarrus County example above, county officials could have arranged face-to-face meetings with Branch and Associates to check against fraud.
- Invest in periodic employee awareness training – So much of defending against these attacks is simply being able to spot the warning signs. Short, periodic online awareness training and testing for all employees has the potential to save your organization huge amounts of cash and headaches. Look for training solutions that are scenario-driven using language that is non-technical and easy-to-understand for all employee levels.
Turn to XBASE Technologies Corporation to help you defend against BEC attacks and other cyberthreats. Talk to our specialists to learn more about our Exponentially Better™ cybersecurity services today.