Is your email at risk? The truth about Business Email Compromise
Recently, INTERPOL, along with enforcement authorities in Timor Leste, intercepted a massive $40 million business email compromise scam in Singapore.
The scam involved a Singapore-based firm that paid a scammer posing as a fake supplier around $49.3 million. The firm reported it to the police, and the authorities from Timor Leste and INTERPOL used their global stop-payment mechanism
Not many are as fortunate as the Singaporean firm. In many cases cybercriminals leverage compromised credentials
Let us explore what Business Email Compromise attacks are, some real-world examples of BEC attacks, and some ways to prevent and respond to them.
What are Business Email Compromise (BEC) Attacks?
Business email compromise attacks are purely social engineering-based attacks
What makes BEC attacks different and more dangerous than other types of social engineering-based phishing attacks
Since they are usually plain text with no malicious attachment, they pass easily through email security scanners that only look for malicious attachments.
Here are some common signs of BEC attacks:
Urgency – BEC emails carry a sense of urgency, requesting a transfer of money
Genuine – emails sent in BEC attacks are low in volume and often come from an IP address and domain that is trusted, so they are not caught by blocklists of known malicious addresses
Out of reach – the sender, despite the sense of urgency, will be out of reach for verification
Secretive – there will be a request to keep information regarding the transfer of funds secret
Syntax errors – there will be grammar, spelling, and other language errors in BEC emails
Fishy context – the context of the request for funds will differ from the usual
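Several of these signs can be checked mechanically at the mail gateway or during triage. The following is an added illustration, not code from the article: a small heuristic that lists which of the signs above appear in one raw message and flags it for manual verification when several co-occur. The trusted domain, executive names and keyword lists are assumed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholders for illustration: the organisation's own mail domain,
# the executives most often impersonated, and keyword lists for each sign.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = ("jane doe", "john roe")
URGENCY = ("urgent", "immediately", "asap", "today", "right away")
SECRECY = ("confidential", "keep this between us", "do not discuss")
PAYMENT = ("wire", "transfer", "invoice", "payment", "bank details")
OUT_OF_REACH = ("in a meeting", "cannot take calls", "unreachable", "on a flight")

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC warning signs present in one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    found = []
    # "Genuine"-looking sender: an executive's display name on a domain we do not own
    if name.lower() in EXECUTIVES and from_domain != TRUSTED_DOMAIN:
        found.append("executive display name on external domain")
    # Replies silently routed to a different domain than the visible sender
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        found.append("reply-to domain differs from sender domain")
    for label, words in (("urgency", URGENCY), ("secrecy request", SECRECY),
                         ("payment request", PAYMENT),
                         ("sender out of reach", OUT_OF_REACH)):
        if any(w in text for w in words):
            found.append(label)
    return found

def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """Flag a message for out-of-band verification when enough signs co-occur."""
    return len(bec_indicators(raw)) >= threshold

# Constructed sample message (not a real email).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-corp.net>
Reply-To: Jane Doe <j.doe@mail-relay.example.org>
To: finance@example.com
Subject: Urgent wire transfer

I am in a meeting all day and cannot take calls. Please send the wire
transfer to the bank details below today and keep this confidential.
"""
```

A hit only means the message deserves a phone call to the purported sender on a known number; keyword heuristics alone produce false positives and must not be the sole control.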
Some interesting facts about BEC attacks
Some Real-world examples of BEC attacks
The FBI groups Business Email Compromise attacks into five common types, mainly – Data Theft, Email Account Compromise, Attorney Impersonation, Whaling, and False Invoice Scam.
Here are some examples of BEC attacks
- Data Theft
It is a BEC attack where cybercriminals extract sensitive personal and financial information from their targets. For example, they may target Human Resources by emailing them to request information on other employees, then orchestrate further spear phishing attacks based on the stolen information.
- False Invoice scam
It is one of the most common BEC attacks: a cybercriminal pretends to be a third-party supplier or vendor of the business and requests a pending payment.
- Overpayment scam
The scammer sends an invoice and then claims to have accidentally paid more than the invoice amount, asking the target to refund the excess.
- Email account compromise
Cybercriminals mine their target’s mailing list in search of vendors, suppliers, etc., and mail them requesting payment to fake vendors.
- Whaling
It is the kind of BEC attack where the cybercriminal poses as a CEO/CFO or any other top-level executive requesting an urgent transfer of funds.
- Attorney Impersonation
Scammers target CEOs and other top-level executives, pretending to be from the legal team, requesting payment for litigation or legal proceedings.
The rise of business email compromise attacks reflects a widespread gap in awareness, especially about this kind of purely social engineering-based attack. Organizations must put in place measures to address awareness gaps in each department, especially at the top and executive level, where people are authorized to take high-level decisions and actions such as wiring funds.