Updated: The Art of the Steal: Business Email Compromise
Just when you thought it was safe to go back in the [email] water… phishing gets serious. You should never let your guard down on phishing and spoofing, but there’s a bigger shark in the water now: one that impersonates important people within an organization. This type of scam is referred to as Business Email Compromise, or “BEC.” These emails use tactics similar to phishing but are far more targeted, directed at a specific individual or a small group of individuals. They prey on the fact that most people will not question a company executive, or a trusted vendor, who asks them to change where money goes.
Let’s put ourselves in the shoes of a scammer. Where do you want to spend your time when you’re working? You’ll likely say, “On things that will produce the best value for the effort.” Phishing a consumer might net a few hundred to a couple thousand dollars at a time. Why not look at a different target with much deeper pockets? The FBI’s Internet Crime Complaint Center (IC3) put numbers on this in its 2019 Internet Crime Report: “In 2019, the IC3 received 23,775 Business Email Compromise (BEC) / Email Account Compromise (EAC) complaints with adjusted losses of over $1.7 billion.”
There are several variations of BEC fraud to consider, but they all rely on similar tactics and targets:
- Someone poses as a company executive and instructs staff to wire funds to an account the fraudster controls.
- The fraudster poses as a financial institution’s IT department and asks the target to make a “test” transfer, which turns out to be a real one.
- The fraudster poses as a corporate supplier and asks for outstanding invoices to be paid into a different bank account than usual.
- Employees click on links in phishing emails that deliver credential-stealing malware; the fraudsters then use those credentials to make transfers themselves.
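Every variation above leaves a few recognizable traces in the message itself: a display name that matches an executive but an address that does not, a Reply-To pointing somewhere other than the sender's domain, a domain that is one character off from a real one, and a request about wiring money or changing bank details. The following check is an added example, not code from the original article or from any vendor product; the company domain, the executive list, the known vendor domain and the three sample messages are all constructed here for illustration.

```python
"""Flag common Business Email Compromise (BEC) indicators in an email.

Added example, not part of the original article. COMPANY_DOMAIN, EXECUTIVES,
KNOWN_DOMAINS and the SAMPLE_* messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                         # assumed: our own domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}      # assumed: display name -> real address
KNOWN_DOMAINS = {COMPANY_DOMAIN, "acme-supplies.test"} # assumed: our domain plus a real vendor
PAYMENT_KEYWORDS = ("wire", "bank account", "invoice", "payment", "routing")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, known=KNOWN_DOMAINS) -> bool:
    """True if domain imitates a known domain (one edit away, or same first label)."""
    if domain in known:
        return False
    label = domain.split(".")[0]
    return any(edit_distance(domain, k) <= 1 or label == k.split(".")[0] for k in known)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list:
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    found = []

    # 1. Executive display name on an address that is not the executive's real one.
    expected = EXECUTIVES.get(name.strip())
    if expected and addr.lower() != expected:
        found.append("executive-impersonation")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to-mismatch")

    # 3. Sender or reply domain imitates our domain or a known vendor's domain.
    if any(lookalike(d) for d in (from_domain, reply_domain) if d):
        found.append("lookalike-domain")

    # 4. The request is about moving money or changing where it goes.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(k in text for k in PAYMENT_KEYWORDS):
        found.append("payment-keywords")
    return found


# Constructed sample messages (not real traffic).
SAMPLE_EXEC = """\
From: "Jane Doe" <ceo.janedoe@webmail.test>
Reply-To: "Jane Doe" <ceo.janedoe@webmail.test>
To: payroll@example.com
Subject: Urgent wire transfer

Please wire $48,000 to the account below before noon. I'm in a meeting and can't talk.
"""

SAMPLE_VENDOR = """\
From: "Acme Supplies AR" <ar@acme-supp1ies.test>
Reply-To: acme.billing@freemail.test
To: ap@example.com
Subject: Updated bank account for outstanding invoices

Our bank account has changed. Please pay the open invoices to the new account below.
"""

SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Team lunch

Are we still on for Friday?
"""

if __name__ == "__main__":
    for label, sample in (("exec", SAMPLE_EXEC), ("vendor", SAMPLE_VENDOR), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

The executive sample trips the impersonation and payment checks, the vendor sample trips the Reply-To, lookalike and payment checks, and the legitimate note trips nothing. One caveat matters more than any of these checks: in the Email Account Compromise case, where the fraudster is sending from the executive's real mailbox, every header above looks genuine. Header heuristics narrow the funnel; an out-of-band callback to a known number before any change to payment details is what actually stops the transfer.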