Your CEO emails you directly and asks you to provide private company data. What do you do? What if they ask you to wire money? It could be legitimate—or it could be another instance of a scam that’s growing in popularity called Business Email Compromise (BEC).
According to the Federal Bureau of Investigation, BEC attacks increased 2,370% in 2016 and cost victims over $5 billion (USD). Trend Micro, a global leader in IT security, predicts that total losses will jump to $9 billion by the end of 2017. BEC is a simple-to-execute threat that can be avoided with some basic understanding and education.
What is BEC?
Business email compromise relies on deception, fraud and fear. Scammers impersonate high level executives or influencers and target official business email accounts with phishing emails, requests for wire transfers and more. Some common tactics are:
- Version 1: The Bogus Invoice Scheme Also referred to as “The Supplier Swindle” and “Invoice Modification Scheme,” this tactic typically involves a business that has an established relationship with a supplier. Fraudsters request wire funds for invoice payment to an alternate, fraudulent account.
- Version 2: CEO Fraud Scammers identify themselves as high-level executives (CFO, CEO, CTO, etc.), claiming to be managing confidential or time-sensitive matters, and ask for a wire transfer to an account they control. This scam is also known as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”
- Version 3: Account Compromise Similar to the two other versions, an email account of an employee is hacked and then used to make requests for invoice payments to fraudster-controlled bank accounts. Emails are sent to multiple vendors identified from the employee’s contact list. The business may not become aware of the scheme until their vendors follow up to check for the status of the invoice payment.
- Version 4: Attorney Impersonation Cybercriminals contact employees and/or high-ranking officials of companies, identify themselves as lawyers or legal representatives who are managing confidential or time-sensitive matters. Scammers then pressure the contacted parties into acting quickly or secretly in handling the transfer of funds or private data.
BEC scams employ social engineering and typically don’t need sophisticated system penetration. Unlike phishing scams, the emails used in BEC scams are not mass-emailed to avoid being flagged as spam. Urgency and fear play a big role as fraudsters instruct the victims to act quickly or in confidence when transferring funds, data, etc.
What’s the solution?
Education is critical. The more businesses learn about the kinds of tactics, the better prepared they are to recognize scams. Businesses should remind their employees to carefully evaluate all emails and be wary of irregular requests – especially from influential agents working for and with their company. Businesses can also confirm requests with phone verification as part of two-factor authentication using known and familiar numbers. Of course, a leading security solution helps, too.
Trend Micro products protect medium and large enterprise from this threat. Malware in BEC-related emails are blocked by the endpoint and email security capabilities of the Trend Micro Smart Protection Suites and Network Defense solutions.