Cyber thieves are increasingly setting their sights on new targets within businesses: C-suite executives and other high-profile employees.
Business email compromise (BEC) is a growing social engineering threat in which digital predators impersonate business executives or trusted partners to trick individuals into sending money or providing sensitive account or business information.
There are many variations of this kind of phishing attack, but the end result is the same: financial losses that can cause significant, even catastrophic, damage to businesses of all sizes.
BEC scams have resulted in an estimated $55.5 billion in collective losses over the last decade, with the global problem expected to only grow, according to the FBI’s Internet Crime Complaint Center (IC3).
In 2023, about 21,500 BEC scams resulted in more than $2.9 billion in adjusted business losses, making it the second-costliest type of crime behind investment schemes, according to IC3.
According to research from Nationwide Insurance, 22 percent of small businesses and 14 percent of middle market businesses have fallen prey to a BEC scam.
After reading this article, you will have a complete understanding of what business email compromise is. You'll also learn the steps you can take to avoid falling victim to this growing cyber threat.
Business email compromise is a high-stakes, digital game of cat and mouse. It is more cunning and sophisticated than many other kinds of cyber attacks because it involves carefully grooming victims over time to develop implicit trust.
BEC is a multi-layered scam using several different tactics to trick an executive or other employee to send money or share sensitive information.
Cyber criminals start by identifying their potential victim within a business—usually someone with access to financial accounts.
Then, they take a deep dive into the target’s digital footprint, scouring social media and online resources like LinkedIn, Facebook, Instagram, and Google to learn more about the individual and the organization.
Cybercriminals often use spoofed emails to launch a malware attack and gain entry into your IT systems. The goal is to get the victim to click a malicious link or download an infected file so the attacker can steal that person’s usernames and passwords and use them to gain unauthorized access.
Once inside, these adversaries can launch an undetected malware attack to study an employee’s email communications and habits and gather inside information.
Hackers use the information they’ve gathered online and within your IT network as the basis for a ruse to initiate contact through a spear-phishing email or phone call that disguises the hacker’s true identity.
At this point, the attackers, confident in the trust level they have developed, ask the targeted individual to take some action, such as transfer a large sum of money from a regularly used account into a new account, reveal sensitive customer or employee information, or share proprietary business data.
The targeted employee doesn’t second-guess the request because they believe it’s coming from a legitimate business source: a supplier, partner, supervisor, or senior-level company official. In fact, business executives themselves can become BEC targets.
The cybercriminal may then follow up with additional emails or phone calls from the impersonated account to create a sense of urgency to pressure the employee to take immediate action without verifying the funds transfer request.
BEC scams will often begin with a malicious email asking the employee to confirm financial account or personal information.
If they haven’t yet gained access to your internal IT systems, hackers may work around that by sending from a lookalike address that closely, but not exactly, matches an executive’s real email address.
Fake emails from cyber criminals may contain misspellings, poor grammar or sentence structure, or formatting issues.
Without a specific contact name, hackers often use generic greetings such as “Dear User” or “Dear Valued Customer.”
Harmful links inserted into these fake emails can give hackers an opening into your IT network.
The fraudulent emails will often present a convincing sense of urgency and may even threaten to take legal action or leak sensitive information if the employee doesn’t act quickly.
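The indicators listed above (a sender address that nearly matches a trusted one, a generic greeting, urgency or threat language, and a request touching money or account details) can be checked mechanically before a message reaches an inbox. The Python script below is an added example written for this article, not a tool from the article or from Kelser. The trusted-domain list, the homoglyph table, the keyword lists and the two sample messages are all constructed for the illustration; a real deployment would read messages from a mail gateway and tune the weights against its own traffic.

```python
"""Score an inbound email for the BEC indicators discussed in the article.

Illustrative code written for this article. TRUSTED_DOMAINS, the keyword lists
and the sample messages are constructed, not taken from any real organization.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed: domains this hypothetical organization legitimately corresponds with.
TRUSTED_DOMAINS = {"examplecorp.com", "trustedsupplier.com"}

# Digit-for-letter swaps commonly used to build lookalike domains (constructed subset).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

GENERIC_GREETINGS = re.compile(
    r"^\s*dear\s+(user|customer|valued customer|sir/madam)\b", re.I | re.M)
URGENCY_TERMS = re.compile(
    r"\b(urgent|immediately|right away|within 24 hours|legal action|leak(?:ed)?|asap)\b", re.I)
FINANCIAL_TERMS = re.compile(
    r"\b(wire|transfer|new account|bank details|account information|invoice)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, small enough to write inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold common substitutions so 'rn' reads as 'm', 'vv' as 'w', '0' as 'o'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_of(sender_domain: str) -> Optional[str]:
    """Return the trusted domain the sender imitates, or None if exact or unrelated."""
    if sender_domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(sender_domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalize_domain(trusted)
        # Identical after folding, or within two edits: treat as a lookalike.
        if norm == t or levenshtein(norm, t) <= 2:
            return trusted
        # Trusted label embedded in a longer name, e.g. examplecorp-secure.com.
        if t.split(".")[0] in norm and norm != t:
            return trusted
    return None


def score_email(raw: str) -> dict:
    """Parse a raw message and report which BEC indicators it trips."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    findings = {}
    imitated = lookalike_of(domain)
    if imitated:
        findings["lookalike_sender"] = f"{domain} resembles trusted {imitated}"
    if GENERIC_GREETINGS.search(text):
        findings["generic_greeting"] = True
    if URGENCY_TERMS.search(text):
        findings["urgency_language"] = True
    if FINANCIAL_TERMS.search(text):
        findings["financial_request"] = True
    # A Reply-To pointing somewhere other than the From domain diverts the reply thread.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings["reply_to_mismatch"] = reply_to
    # Weighted score: a lookalike sender is the strongest single signal.
    weights = {"lookalike_sender": 3, "reply_to_mismatch": 2, "financial_request": 1,
               "urgency_language": 1, "generic_greeting": 1}
    return {"score": sum(weights[k] for k in findings),
            "findings": findings, "sender_domain": domain}


# Constructed sample: the pattern the article describes (lookalike sender, urgency, wire request).
SAMPLE_BEC = """From: "CEO" <ceo@exarnplecorp.com>
Reply-To: ceo.office@mail-relay.example
To: controller@examplecorp.com
Subject: Urgent wire

Dear User,
I need you to wire $48,000 to a new account immediately. Legal action is pending
if this is not handled within 24 hours. I'm in meetings, so email only.
"""

# Constructed sample: routine supplier mail from an exact trusted domain.
SAMPLE_LEGIT = """From: "Accounts" <ap@trustedsupplier.com>
To: controller@examplecorp.com
Subject: March invoice attached

Hi Dana,
Attached is the March invoice per our usual terms. No changes to our bank details.
Thanks,
Sam
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        print(score_email(sample))
```

The scoring is deliberately simple: the lookalike check is the one signal that a human is least likely to catch by eye, so it carries the most weight, while a single financial term in an otherwise ordinary supplier message only nudges the score. The numbers that matter for a policy are the thresholds you set on top of this, and those should come from your own mail history rather than from this example.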
Because BEC attacks are becoming increasingly sophisticated, traditional security controls like antivirus and anti-malware software aren’t enough on their own.
By now you have a more complete understanding of what business email compromise is, how to spot it, and the best practices that help you avoid falling prey to a BEC phishing scheme.
As we mentioned earlier, traditional security measures such as firewalls or antivirus and anti-malware software won’t prevent a BEC attack since hackers capitalize on human emotions as a work-around to carry out the scheme.
One advantage of using a managed IT service provider (MSP) is that they can implement robust security solutions to help safeguard your IT systems, including advanced network monitoring, multi-factor authentication, email monitoring software, employee security awareness training, and email filtering and anti-phishing tools.
We realize, however, that managed IT support is not the right fit for every business.
If you’re a small business with fewer than 10 employees, or you have an existing team of IT professionals who have the time and resources to devote to implementing these and other security measures, then you likely wouldn't benefit from using an MSP.
On the other hand, if you're considering external managed IT services, we urge you to do your research on several providers to find one that’s best suited for your business.
Regardless of whether or not you choose to work with Kelser, we are committed to providing honest, straightforward information in articles like this that you can use to keep your business running securely and efficiently.
Unsure if your organization’s security tools are up to the latest cyber threats? Click the link below for a free checklist you can use to:
✔️ Understand where your organization's cybersecurity policy needs improving
✔️ Learn five best practices and actions you can take to keep your organization's data secure
✔️ Help ensure your organization follows the latest cybersecurity best practices
Get your free cybersecurity checklist now, so you can take action against the latest cybersecurity threats and keep your business safe.