BEC Scams: Explanation, Examples and Prevention
What Is a BEC Scam?
Business email compromise (BEC) is a type of email fraud in which an attacker targets a specific business in order to trick it into sending money. BEC is a widespread and rapidly growing threat that affects companies of every size and sector worldwide, and it has exposed many enterprises to losses totalling billions of dollars.
Email account compromise (EAC), also called email account takeover, is a related threat that has grown with the move to cloud-based email. Because compromised accounts are increasingly used in BEC-style scams, EAC is often conflated with BEC, although EAC is also the foundation of other kinds of attack.
BEC and EAC can be hard to detect and block, particularly with legacy tools, point products and the native protections of cloud email platforms.
Types of Business Email Compromise
The FBI groups business email compromise schemes into five main categories:
CEO Fraud: the attacker poses as the company's chief executive officer or another senior executive and emails a member of the finance department, requesting that money be sent to an account the fraudsters control.
Account Compromise: an employee's email account is taken over and used to send payment requests to suppliers. The funds are then directed to bogus bank accounts held by the criminal.
Bogus Invoice Scheme: attackers frequently use falsified invoices against businesses that work with foreign vendors and suppliers. The fraudster poses as the supplier and requests that invoice payments be sent to accounts they control.
Attorney Impersonation: the attacker assumes the identity of a lawyer or other legal representative. Lower-level employees are common targets because they often lack the experience needed to judge whether such a request is legitimate.
Data Theft: these attacks typically target HR staff in order to obtain personal or sensitive information about people in the company, including CEOs and other executives. The data sought includes names, social security numbers and financial information, and it is then used as groundwork for later attacks such as CEO fraud.
How Do BEC Attacks Work?
In a BEC scam the attacker impersonates a trusted party, such as a colleague, a manager or a vendor, and asks the recipient to make a wire transfer, redirect payroll, update the bank details used for future payments, or take some similar action.
BEC attacks are difficult to detect because they usually carry no malware and no malicious URL, the two things conventional email security is built to scan for. Instead they rely on impersonation and other forms of social engineering to trick people into acting on the attacker's behalf.
Because the attacks are targeted and depend on social engineering, investigating and remediating them manually is slow and demanding.
BEC scams use a range of impersonation techniques, including domain spoofing and lookalike domains. These attacks succeed because domain abuse is a hard problem: preventing spoofing of your own domain is difficult enough, and anticipating every possible lookalike domain is harder still. The task grows with every external partner whose domain could be abused in a BEC attack to exploit the trust it carries.
In EAC, the attacker takes control of a legitimate email account and can then carry out a BEC-style attack. In many cases the attacker is no longer merely pretending to be someone else; to all intents and purposes, they are that person.
Because BEC and EAC exploit human fallibility rather than technical weaknesses, they call for a people-centred defence that can prevent, detect and respond to the full range of BEC and EAC tactics.
Phase 1: Email List Targeting
Attackers first build a list of target email addresses. Common techniques include mining LinkedIn profiles, searching business email databases, and simply crawling websites for contact details.
Phase 2: Launching the Attack
Attackers launch a BEC campaign by sending out emails, often in bulk. Spoofing, lookalike domains and fake display names are among the techniques used, which makes hostile intent hard to recognise at this stage.
Phase 3: Social Engineering
The attackers now impersonate people inside the target organisation, such as the CEO or members of the finance department. The emails typically demand an immediate response from the recipient.
Phase 4: Financial Gain
If the attacker succeeds in establishing trust with the target, the final step is financial gain or the disclosure of confidential information.
Notable BEC Scam Examples
1. Facebook and Google: the $121 million BEC fraud
2. Ubiquiti: $46.7 million vendor fraud
3. Toyota (2019): $37 million BEC attack
Preventing BEC Scams
- Compare the sender address of any questionable email against the addresses of people you already know and trust.
- Look for unusual spelling mistakes as well as anomalies in typeface, logo and colour.
- Take extra care on mobile devices, whose mail clients often show a condensed view that hides the full sender address.
- Change your passwords immediately if you have any reason to believe you have fallen for a phishing email, and run phishing tests in your organisation to gauge how aware your workforce is.
- Monitor both the network and individual endpoints so that unexpected user behaviour can be identified.
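The lookalike-domain problem described earlier and the first prevention step above (compare the sender against people you trust) can both be automated. The following is an added example written for this page, not tooling from the article or any vendor: it parses a raw message, flags a sender domain that is visually close to a trusted one, a known executive's display name on an unfamiliar mailbox, a Reply-To that diverts replies elsewhere, and urgency or payment language in the body. The trusted domains, executive list, confusable-character map, urgency phrases and sample messages are all constructed assumptions; the name-matching and edit-distance thresholds are deliberately simple heuristics.

```python
"""Heuristic BEC checks for a raw RFC 5322 message (added example, not the article's tooling)."""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: the organisation's own domain, a trusted vendor domain,
# and the executives whose display names are worth impersonating.
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Assumed urgency/payment phrases typical of the "act now" pressure used in BEC.
URGENCY_PHRASES = ("urgent", "immediately", "wire transfer", "new bank details",
                   "change of bank", "before end of day")

# Characters attackers swap into lookalike domains (assumed, not exhaustive):
# digits for letters, plus Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0455": "s",
})


def normalize(domain: str) -> str:
    """Canonical form used for comparison: lower-case, confusables mapped,
    two-letter look-alike pairs collapsed, separators dropped."""
    d = domain.lower().translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")
    return d.replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: set[str]) -> bool:
    """True when the domain is not trusted but is visually close to a trusted one."""
    if domain in trusted:
        return False
    n = normalize(domain)
    return any(n == normalize(t) or levenshtein(n, normalize(t)) <= 1 for t in trusted)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw_message: str) -> list[str]:
    """Return the list of red flags found in one message; empty means none."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings: list[str] = []

    # 1. Lookalike domain: neither ours nor a known vendor's, but close to one.
    if is_lookalike(from_domain, TRUSTED_DOMAINS):
        findings.append(f"lookalike sender domain: {from_domain}")

    # 2. Display-name impersonation: an executive's name on a different mailbox.
    expected = KNOWN_EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{display_name}' but sender is {from_addr}")

    # 3. Reply-To that diverts replies away from the apparent sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain differs from From: {reply_to}")

    # 4. Urgency or payment language in a plain-text body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages: one legitimate, one CEO fraud, one bogus-invoice attempt.
SAMPLE_MESSAGES = {
    "legit": ("From: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\n"
              "Subject: Board deck\n\nAttached is the draft deck for Thursday.\n"),
    "ceo_fraud": ("From: Jane Doe <jane.doe@examp1e.com>\n"
                  "Reply-To: jane.doe.ceo@webmail.example.net\nTo: ap@example.com\n"
                  "Subject: Urgent payment\n\n"
                  "I need a wire transfer sent immediately, I am in meetings all day.\n"),
    "invoice_fraud": ("From: Acme Billing <billing@acme-supp1ier.com>\nTo: ap@example.com\n"
                      "Subject: Invoice 4471\n\n"
                      "Please note our new bank details for all future invoices.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", analyse(raw) or "no findings")
```

The normalisation collapses the substitutions a human eye misses (1 for l, rn for m, Cyrillic a for Latin a) before comparing, so "examp1e.com" and "acme-supp1ier.com" are caught while an unrelated domain such as gmail.com is not. In production the trusted lists would come from your directory and vendor master data, and these heuristics would feed a review queue rather than block on their own, since collapsing "rn" and "vv" can also produce false positives.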