
BEC Scams - Explanation, Examples and Prevention

What are BEC Scams?

Business email compromise (BEC) is a type of email fraud in which an attacker targets a specific business in order to steal money from it. Compromise of business email accounts is a widespread and rapidly growing threat that affects companies of every size and sector worldwide, and BEC fraud has exposed businesses to losses totalling billions of dollars.

Email account compromise (EAC), also known as email account takeover, is a related threat that is becoming more prevalent in the age of cloud-based infrastructure. Because hijacked accounts are used in a growing number of BEC-style scams, EAC is often conflated with BEC, although EAC also underpins other kinds of cyber attack.

BEC and EAC attacks can be difficult to identify and prevent, especially with legacy tools, point products and the native protections of cloud email platforms.


Different Types of Business Email Compromise

The FBI classifies business email compromise schemes into five primary categories, which are as follows:

CEO Fraud: the perpetrators pose as the company's chief executive officer (CEO) or another senior executive and email a member of the finance department, asking for money to be sent to an account that the fraudsters control.

Account Compromise: an employee's email account is hijacked and used to send payment requests to suppliers. The funds are then routed to fraudulent bank accounts held by the cybercriminal.

False Invoice Scheme: these attacks typically involve a business's international vendors and suppliers. The con artist poses as the supplier and asks for payment to be sent to accounts under their control.

Attorney Impersonation: the criminal poses as a lawyer or other legal representative. Lower-level employees are the usual targets, since they typically lack the knowledge needed to question the legitimacy of the request.

Data Theft: these attacks typically target HR staff in an effort to obtain personal or sensitive information about employees, including CEOs and executives: names, social security numbers and financial details. The stolen data can then be used to set up further attacks such as CEO Fraud.


How do BEC Attacks Work?

In a BEC fraud the perpetrator typically impersonates a trusted party such as a colleague, manager or vendor, and asks the recipient to make a wire transfer, redirect payroll, update banking details for future payments, or take a similar action.

BEC attacks are hard to detect because they typically carry no malware or malicious URLs, which are the things conventional email security tools are built to inspect. Instead they rely on impersonation and other forms of social engineering to trick people into acting on the attacker's behalf.

Because the attacks are targeted and rely on social engineering, investigating and remediating them manually is difficult and time-consuming.


BEC scams use a range of impersonation methods, including domain spoofing and lookalike domains. They succeed because domain abuse is a hard problem: preventing spoofing of your own domain is difficult enough, and anticipating every possible lookalike domain is harder still. Exact spoofing of a domain can be blocked by enforcing SPF, DKIM and DMARC, but a lookalike domain is a separately registered domain that passes those checks. The problem grows with every external partner domain that an attacker could imitate in a BEC attack to exploit customers' trust.

With EAC, the attacker takes over a legitimate email account, which lets them run a BEC-style attack from it. In many cases the attacker is then no longer merely impersonating someone: for all intents and purposes, they are that person.

Because BEC and EAC exploit human fallibility rather than technical weaknesses, they call for a people-centred defence that can prevent, detect and respond to the full range of BEC and EAC tactics.


Phase 1: Email List Targeting

Attackers first compile a list of target email addresses. Common approaches include mining LinkedIn profiles, searching business email databases, and trawling websites for contact details.


Phase 2: Launching the Attack

Attackers then begin sending emails to the targeted list. Spoofing, lookalike domains and false display names are among the techniques used, so at this stage the messages are hard to distinguish from legitimate mail.


Phase 3: Social Manipulation

Here the attackers impersonate people within the target organisation, such as the CEO or a member of the finance department. The emails typically demand an immediate response from the recipient.


Phase 4: Financial Gain

If the adversary manages to establish trust with the target, the next step is typically financial gain or a breach of confidential information.

Top BEC Scam Examples

1. The $121 million BEC fraud involving Facebook and Google

First, consider the vendor email compromise (VEC) attack on digital giants Facebook and Google, which resulted in combined losses of over $121 million. It is the largest known BEC fraud on record.

The con ran between 2013 and 2015, and the man behind it, Evaldas Rimasauskas, was sentenced to five years in prison in 2019.

How could some of the most tech-savvy workforces in the world have been taken in by such an elaborate hoax?

Rimasauskas and his accomplices incorporated a company under the name "Quanta Computer", which is also the name of a legitimate computer hardware supplier. The gang then sent Facebook and Google what appeared to be genuine invoices, and the companies paid them into bank accounts controlled by Rimasauskas.

Alongside the bogus invoices, the fraudsters also forged letters from lawyers and contracts so that the banks would accept the wire transfers.

Rimasauskas's swindle should serve as a warning to every organisation: if two of the largest technology companies in the world could lose millions of dollars to BEC over the course of two years, any company can suffer the same fate.

2. Ubiquiti: $46.7 million vendor fraud

Ubiquiti, a networking technology company, disclosed in a filing with the United States Securities and Exchange Commission in August 2015 that it had been the victim of a "business fraud" totalling $46.7 million.

This attack was an example of the type of BEC also known as Vendor Email Compromise (VEC): Ubiquiti's finance department was defrauded by con artists posing as employees of another company.

The specifics of how the fraudsters pulled off this large-scale scam are still not public. VEC attacks traditionally relied on domain impersonation and email spoofing, but fraudsters are increasingly shifting to the more sophisticated account takeover approach.

3. Toyota 2019: $37 million BEC attack

Here is a name you will recognise: in 2019, Toyota Boshoku Corporation in Japan fell victim to a BEC attack that cost $37 million. While that may sound like a staggering sum to you or me, the sheer scale of the corporation meant the attackers could persuade an employee to transfer the money out of the European subsidiary before anyone noticed.

Critics argued that Toyota should have been on guard, since BEC is on the rise and this was the third attack Toyota had suffered that year.

As Toyota learned the hard way, BEC attacks often come in multiples, with one attack opening the door to more as money, intellectual property, data or identities are taken.

Prevention of BEC Scams

Security training can play a pivotal role in reducing the likelihood that social engineering leads to a data breach. Employees need to be aware of the tactics cybercriminals commonly use and to take great care when receiving and sending information.

The following are some of the best practices recommended by Redscan for recognising and preventing email phishing attacks:

  • Compare the sender addresses of suspicious emails with those of known, trusted contacts.
  • Look for unusual spelling errors and inconsistencies in typeface, logo and colours.
  • Take extra care when reading condensed views of email on mobile devices.
  • Change your passwords immediately if you have any reason to believe you have fallen for a phishing email.
  • Run phishing simulations across the organisation to gauge staff awareness.
  • Monitor networks and endpoints to identify unusual user behaviour.
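The following Python script is an added example, not code from the original article or from any vendor it names. It turns the first item above (compare sender addresses against known contacts) and the impersonation methods described earlier (lookalike domains, false display names, a redirected Reply-To) into a small triage routine that can be run over raw messages. The trusted domains, the executive directory and the three sample messages are constructed for illustration; the edit-distance threshold and the confusable-character table are assumptions, not a standard.

```python
# Added example: sender triage for the impersonation techniques the article describes.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain, one trusted
# vendor domain, and executives likely to be impersonated (display name -> address).
TRUSTED_DOMAINS = {"example.com", "example.net"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Digit-for-letter and Cyrillic-for-Latin swaps seen in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})

# Payment and urgency language typical of wire-transfer and invoice fraud.
MONEY_WORDS = re.compile(r"\b(wire|transfer|invoice|bank|account|payments?|gift cards?|"
                         r"urgent|immediately|confidential)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lowercase, fold confusables, collapse 'rn' to 'm', drop dots and hyphens."""
    folded = domain.lower().translate(CONFUSABLES).replace("rn", "m")
    return folded.replace(".", "").replace("-", "")


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates (within one edit after folding), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, normalize_domain(trusted)) <= 1:
            return trusted
    return None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    indicators = []

    # Lookalike domains in either the visible sender or the reply path.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        imitated = lookalike_of(dom) if dom else None
        if imitated:
            indicators.append(f"{label} domain {dom} imitates {imitated}")
    # Display-name impersonation: a known executive's name on another address.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        indicators.append(f"display name '{name}' belongs to {known}, not {addr}")
    # Replies silently redirected away from the sender's domain.
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Payment-change and urgency language in subject and body.
    body = msg.get_payload(decode=True) or b""
    text = f"{msg.get('Subject', '')}\n{body.decode('utf-8', 'replace')}"
    hits = sorted({m.lower() for m in MONEY_WORDS.findall(text)})
    if hits:
        indicators.append("payment/urgency language: " + ", ".join(hits))
    return {"from": addr, "indicators": indicators, "score": len(indicators)}


# Constructed samples: CEO fraud from a lookalike domain, a vendor bank-detail
# change with a lookalike Reply-To, and an ordinary internal message.
SAMPLE_MESSAGES = {
    "ceo_fraud": ("From: Jane Doe <jane.doe@examp1e.com>\n"
                  "Subject: Urgent wire transfer\n\n"
                  "I need you to send a wire transfer today. Keep this confidential.\n"),
    "vendor_fraud": ("From: Accounts Payable <billing@example.net>\n"
                     "Reply-To: billing@exarnple.net\n"
                     "Subject: Updated bank account details\n\n"
                     "Please use our new bank account for this invoice and all future payments.\n"),
    "benign": ("From: Bob Smith <bob@example.com>\n"
               "Subject: Lunch\n\n"
               "See you at noon.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, triage(raw)["indicators"])
```

Running the script lists three indicators for each of the two fraudulent samples and none for the benign one. Note what the script cannot see: a message whose From header carries the real trusted domain looks clean to address comparison alone, and that case is left to the mail gateway's sender authentication checks. Lookalike domains and display-name tricks, by contrast, pass authentication because the attacker legitimately controls the domain they send from, which is why a comparison against known contacts is still worth automating.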
