What is Business Email Compromise (BEC)?
BEC is a type of cybercrime where scammers or hackers pretend to be something they’re not to trick employees into sharing sensitive information or transferring funds.
To provide you with a better understanding, consider the fictional case of a well-established company that received an email from their “CEO” urgently requesting a transfer of $50,000 to a new vendor. The finance manager carried out the request swiftly, only to realize later that it was a scam. This event is BEC in action — a hoax where criminals impersonate people to exploit businesses.
FBI records show domestic and international companies faced a colossal loss of $50 billion due to BEC scams. Moreover, the damage isn’t just financial; it can often severely tarnish a company’s reputation.
How to Identify and Assess BEC Risks
How do we spot the red flags? BEC scams often adopt tactics like spear phishing or CEO fraud. For instance, consider an example where a company received an email from a “trusted vendor” citing an account number change to pay an outstanding invoice. Thankfully, their sharp-eyed manager caught the scam by verifying the information through a direct call to the vendor. It’s a challenging landscape currently, but vigilance can make all the difference. Inconsistencies in email addresses, unusual language use, and irregular requests can all be clues to identifying these BEC scams.
Different Types of BEC Scams
- Data Theft: Scammers may target the HR department to steal company information like schedules or personal phone numbers. This helps them carry out other BEC scams more convincingly.
- False Invoice Scheme: By posing as a legitimate vendor your company works with, the scammer emails a fake bill that resembles a real one. They might manipulate account numbers or ask you to pay a different bank due to an alleged audit.
- CEO Fraud: Scammers may either impersonate or illicitly access a CEO’s email account to get employees to make purchases or conduct wire transfers. In some cases, they may request pictures of gift card serial numbers.
- Lawyer Impersonation: If hackers gain illicit access to a lawyer’s email account, they can dispatch invoices or payment links to clients. While the email address is genuine, the linked bank account is deceptive.
- Compromised Financial Accounts: Through phishing or malware, scammers gain access to a finance employee’s account. Let’s say they access an accounts receivable manager’s account. The scammer then emails suppliers counterfeit invoices that point to an illegitimate bank account.
The Golden Rules of BEC Risk Mitigation
Now that we know what we are up against, let’s talk solutions. Training is your first line of defense — Period. Did you know that 91% of cyberattacks start with an email? Empowering your team to identify and report suspicious emails is essential. In addition to training, here are some golden rules to live by:
- Be careful with what information you are sharing online and on social media – scammers often use information found online to craft believable scams.
- Don’t click on anything suspicious – if it seems suspicious, it probably is.
- Carefully examine the email addresses and URLs used in correspondence, and watch for spelling mistakes – sometimes, a small typo is a dead giveaway.
- Be careful what you download – unwanted downloads can bring along unwanted troubles.
- Be wary if the requester is pressing you to act quickly – scammers love to create a sense of urgency to trap you.
Beyond training and adopting these rules, it is important to have robust technological measures in place, such as email filtering and multi-factor authentication (MFA). And remember, always have a protocol for rapid response in case you detect a breach.
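As an added illustration (not part of the original article, and not any product's actual logic), here is how an email filter could check a message for the red flags described above: a look-alike sender domain, an executive's name on an outside address, a mismatched Reply-To, urgent wording, and payment-change wording. The trusted domains, executive name, keyword lists and sample messages are all assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for illustration: domains you really deal with, and executive display names.
TRUSTED_DOMAINS = {"example.com", "vendor-example.com"}
EXECUTIVES = {"jane doe"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|new (bank )?account|account number|gift cards?|invoice)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw):
    """Return the list of BEC red flags found in one raw email message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain not in TRUSTED_DOMAINS:
        if any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
            flags.append("lookalike-domain")
        if name.strip().lower() in EXECUTIVES:
            flags.append("exec-name-external-address")
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")
    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())
    if URGENCY.search(text):
        flags.append("urgency")
    if PAYMENT.search(text):
        flags.append("payment-change")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Jane Doe" <jane.doe@examp1e.com>\nSubject: Urgent wire transfer\n\n'
           "Please send $50,000 to our new vendor today.\n")
LEGIT = ('From: "Accounts" <billing@vendor-example.com>\nSubject: Monthly statement\n\n'
         "Your statement for March is attached. No action is needed.\n")

if __name__ == "__main__":
    print(bec_flags(SPOOFED), bec_flags(LEGIT))
```

A flagged message is a prompt to verify the request through a separate channel, such as the direct phone call to the vendor described earlier, not proof of fraud on its own.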
In the grand scheme of things, BEC is like a sly imposter trying to trick us in our business environment via email. But with a watchful eye and a well-prepared team, you can defend against BEC scams.