How to Protect Your Business Email From Being Compromised (BEC)
- By Emmett
- Published: Jul 15, 2022
- Last Updated: Jul 19, 2022
Business email compromise or BEC, also known as email account compromise, can cost your business hundreds or thousands of dollars in lost revenue. Due to the essential role email plays in businesses of all sizes, this crime has become a significant priority for investigative agencies like the FBI. The best way to protect your business is to know the definition of the scam and learn its warning signs since both personal and private emails are at risk.
What is BEC?
Business Email Compromise (BEC) Definition: The criminal spoofing of a business or personal email address connected to a specific company to steal information or money.
A BEC scam will start as an email coming from what you believe is a trusted source, like a supervisor, coworker, or even a loved one. After gaining your trust, these scammers will attempt to retrieve login details or other information to gain privileged access to accounts or networks. People often see this in several forms, including:
- Fake Links: BEC emails may contain a link claiming to redirect you to a website your company requires that you use. It could be the official website of your business, an internal intranet, or even a linked social media account. These spoofed sites include a login bar where you must enter your account details. Once entered, the criminals will take this information and impersonate you through whatever channels those credentials facilitate.
- Malicious Downloads: Another common BEC tactic is for scammers to pretend to be a superior or coworker to get you to download malware. These malicious downloads allow cybercriminals to quickly infiltrate protected networks, falsify documents, and find further victims to contact. Malware can also open the door to higher-level spoofing scams, where criminals impersonate officers within a company who have access to higher-level accounts.
- Spear Phishing: By sending emails to multiple victims within a single company, criminals use spear phishing to try to net various sources of information all at once. The goal is to get company data, account details, or other sensitive information that can either be used for a ransomware scheme or to wire money directly out of company accounts.
Due to the open-ended nature of spoofing and cybercrime, there are countless ways that a BEC scam can manifest itself within a business. By identifying the common signs and examples of this type of fraud, you can protect your company, coworkers, and yourselves from becoming victims.
Business Email Compromise Examples
There are five primary types of BEC fraud:
- False Invoice
- Account Compromise
- Fake Legal Representation
- CEO Impersonation
- Data Targeting
Each BEC type has its own advantages and disadvantages for cybercriminals, and your business may encounter multiple versions depending on your industry, company size, and level of cybersecurity.
1. False Invoice
Many companies use overseas suppliers or third-party services where there is little in-person interaction between the business and the supplier. Since most of the payment and almost all invoicing is done online, this opens the company up to a BEC scam. By impersonating these foreign suppliers, scammers will send a false invoice tied to accounts they control. Once the money is sent, they will withdraw it, close the account, and erase as much evidence of their interactions as possible.
2. Account Compromise
The damage that can occur when an account becomes compromised depends on the employee's role within a company. If a lower-level staff member has their account hacked, scammers can only access any accounts or information that particular employee accessed. If a higher-level executive is hacked, on the other hand, scammers could get deep into a company's network. BEC fraud involving executives can also affect other companies your business works with, as the leaks contain contact information and sensitive account details connected to that account.
3. Fake Legal Representation
Many companies have legal representation in the case of litigation, but ones that don’t may be contacted regularly by attorneys or law firms looking to represent them. A BEC scammer impersonating a lawyer will usually target companies that have recently been the target of controversy, reaching out to see if they need any help dealing with whatever issues have arisen. Once they’ve convinced you they are trustworthy, they’ll use the supposed confidentiality associated with legal representation to gather privileged information. This can include financial data, client lists, supplier info, and many other details they can use to defraud your company.
4. CEO Impersonation
A common tactic BEC scammers use when targeting lower-level employees is CEO impersonation. This involves pretending to be a top-level executive during email communications and convincing a staff member they are communicating with the head of the company. Once the employee is convinced, the fake CEO will persuade them into sending money or information via email. One of the most frequently requested items is gift cards. A scammer will ask the employee to send them gift cards for some vaguely business-related purpose, which they can then use as a virtually untraceable form of currency. Unlike a credit card, getting refunded money from a gift card is much harder, even if it's determined the transaction was fraudulent.
5. Data Targeting
If a BEC scam targets a company's accounting or human resources department, the scammers are almost always looking to harvest data. This data could relate to the financial accounts of the company, tax information of the employees, or personal data of the executives. Scammers use this information either to drain the bank accounts of the business or staff directly or to hold the information for use in a future fraud scheme.
What Should I Do If a BEC Scam Occurs?
If you have been the victim of a BEC scam, you should first report the incident to your company. They will help identify the information that is at risk and look at any accounts that could be affected. You should conduct a free identity threat scan if you believe your personal information has been leaked. These scans can help you see whether your data has been breached and whether or not you are at risk for identity theft.