Business Email Compromise (BEC), or the 'Man-in-the-Email' scam, continues to give cyber criminals an easy way to inflict losses running into billions of dollars annually. According to the latest Internet Crime Report released by the Federal Bureau of Investigation (FBI), BEC caused business losses of about $1.3 billion in 2018, double the losses suffered the previous year.
BEC, also known as the CEO scam, is a popular method cyber criminals employ to defraud businesses that primarily deal in wire transfers. They harvest the email accounts of senior executives, either through publicly available records or keyloggers, and use them to orchestrate fraudulent money transfers. Over the years the scam has evolved, with cyber criminals using social engineering to pose as the CEO of a company and fraudulently transfer funds.
The most common types of Business Email Compromise scams include:
- Account Takeover: Cyber criminals break into the genuine email accounts of employees and/or executives and use them to send invoices to the vendors in those accounts' contact lists. The invoices carry the details of fraudulent accounts that are used to receive the payments, after which the criminals disappear.
- Fake Invoices: Cyber criminals pose as suppliers and send fake invoices requesting transfer of funds to an account they control.
- Data Theft: This type of attack specifically targets Human Resources or Tax and Accounting departments with the aim of stealing personally identifiable information and tax statements of employees. These details provide the basis for future attacks.
- CEO Fraud: Cyber criminals impersonate the CEO or other senior executives who have the authority to approve wire transfers. They use social engineering to 'instruct' staff to transfer funds into an account they control, on the pretext of an emergency need for funds.
- Attorney Impersonation: Cyber criminals pose as lawyers from a law firm that handles the company's confidential matters in order to obtain sensitive information about the company.
Easy and profitable
What makes BEC so widespread is that the emails carry no malicious attachments that could otherwise be filtered at the mail server. Since they are generally plain text emails, duping unsuspecting employees is easier. Cyber criminals word the content carefully so that it looks genuine; the emails are therefore able to bypass security solutions, and employees are not especially wary of opening them. Another reason BEC is a popular fraud tactic among cyber criminals is that it reaps enormous profits from a relatively small investment.
On the businesses' side, an insufficient security apparatus, susceptibility to social engineering, and a lack of employee training and awareness continue to fuel the BEC scam.
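Because these messages carry no attachment, the useful signals are in the headers and the wording itself. The following screening logic is an added example and not part of the article: it scores a message for the CEO-fraud and fake-invoice patterns described above, using an executive display name that does not match the executive's real mailbox, a lookalike sender domain, a Reply-To that points elsewhere, and urgent or account-change payment language. The company domain, executive list, keyword lists and the three sample messages are all constructed assumptions.

```python
"""Screen inbound mail for the CEO-fraud and fake-invoice patterns the article
describes.  Added example; company data, executive list and sample messages are
assumptions, not taken from the article."""
from dataclasses import dataclass, field

COMPANY_DOMAIN = "example.com"                      # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> real mailbox

# Constructed keyword lists; a real deployment would tune these to its own traffic.
PAYMENT_TERMS = ("wire transfer", "wire the", "remit", "payment", "invoice")
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "confidential")
BANK_CHANGE_TERMS = ("new account", "updated bank details", "new bank", "changed our bank")


@dataclass
class Email:
    display_name: str
    from_addr: str
    subject: str
    body: str
    reply_to: str = ""
    attachments: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one- or two-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, genuine: str) -> bool:
    """True when the sender's second-level label imitates the company's (e.g. examp1e.com)."""
    if domain == genuine:
        return False
    label, real = domain.split(".")[0], genuine.split(".")[0]
    return edit_distance(label, real) <= 2 or (real in label and len(label) > len(real))


def assess(email: Email) -> tuple[int, list[str]]:
    """Return a score (number of indicators) and the human-readable reasons behind it."""
    reasons = []
    text = f"{email.subject} {email.body}".lower()
    sender_domain = domain_of(email.from_addr)

    real_mailbox = EXECUTIVES.get(email.display_name.strip().lower())
    if real_mailbox and email.from_addr.lower() != real_mailbox:
        reasons.append("display name is an executive but the address is not their mailbox")
    if is_lookalike(sender_domain, COMPANY_DOMAIN):
        reasons.append(f"sender domain {sender_domain} imitates {COMPANY_DOMAIN}")
    if email.reply_to and domain_of(email.reply_to) != sender_domain:
        reasons.append("Reply-To points to a different domain than From")
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        reasons.append("urgent request to move money")
    if any(t in text for t in BANK_CHANGE_TERMS):
        reasons.append("asks to change where payments are sent")
    if reasons and not email.attachments:
        reasons.append("text-only message, so attachment scanning would not have caught it")
    return len(reasons), reasons


def is_suspicious(email: Email) -> bool:
    return assess(email)[0] >= 2


# Constructed sample messages.
CEO_FRAUD = Email("Jane Doe", "jane.doe@examp1e.com", "Urgent wire transfer",
                  "I am in a meeting and need you to process a wire transfer to a new "
                  "account today. Keep this confidential.",
                  reply_to="jane.doe.ceo@webmail.example.net")
FAKE_INVOICE = Email("Acme Supplies", "billing@acme-supplies.test", "Invoice 4471",
                     "Please note our updated bank details; remit payment for invoice "
                     "4471 to the new account below.")
GENUINE = Email("Jane Doe", "jane.doe@example.com", "Q3 report",
                "Attached is the quarterly report for review.", attachments=["q3.pdf"])

if __name__ == "__main__":
    for msg in (CEO_FRAUD, FAKE_INVOICE, GENUINE):
        score, why = assess(msg)
        print(f"{msg.subject!r}: score={score} suspicious={is_suspicious(msg)}")
        for r in why:
            print("  -", r)
```

The score is deliberately a plain count of indicators so that an analyst can read the reasons list and see why a message was held; in practice this kind of check sits in front of a wire-transfer approval workflow, alongside SPF/DKIM/DMARC results, rather than replacing them.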
The article has been written by Neetu Katyal, Content and Marketing Consultant
She can be reached on LinkedIn.