Here Is What You Need to Teach Your Employees about Business Email Compromise

In August, the Department of Justice announced the extradition of three Nigerian citizens from the UK to the US for allegedly running business email compromise (BEC) scams. The alleged perpetrators and their co-conspirators targeted various entities, including universities and government organizations, in North Carolina, Texas, and Virginia.

Between 2016 and 2017, they collected vital information about significant up and coming construction projects across the country. With the obtained data, they registered fake domains that were very similar to the legitimate construction companies’ domains. They also created email addresses that imitated those of the employees and used them to trick and direct unsuspecting victims to wire payments to alternate bank accounts. Once they received the payments, they laundered the stolen proceeds through various financial transactions that were drafted to cover up the fraudulent activity.

The criminals stole more than $1.9 million from North Carolina University, upwards of $3 million from different entities in Texas, and almost $5 million from Virginia University.

In 2021 alone, the FBI received more than 19,954 BEC complaints that amounted to nearly $2.4 billion in losses. In this article, we will discuss what BEC is, its impact on organizations, as well as how organizations can safeguard against them.

How BEC attacks are executed

Business email compromise is a type of cybercrime that uses email as its vector. Here, threat actors carefully scout and imitate individuals within organizations to swindle unsuspecting victims via email, usually asking them to reveal sensitive data or make an urgent financial transaction.

These attacks are often successful since they are highly targeted and can evade traditional security solutions. Here, cybercriminals prey on human nature and trust in order to carry out their exploits. Moreover, they use trusted domains and platforms for their activities — that can bypass threat intelligence detectors. 

This is how a typical BEC attack operates:

First up is target identification. Since these are specialized attacks, cybercriminals extensively research their target organizations: their dealings, employees, partners, etc. Higher-ranking officials and those that have access to valuable data or funds are often the primary target. Moreover, they also create a list of email addresses or domains they can spoof to run their exploits.

This is followed by the insertion of social engineering tactics. Threat actors try to establish trust with their victims. They do so by employing techniques like spear-phishing and vishing. This may go on for a few days or weeks.

Next, comes the main event – the attack launch. Threat actors can now use the gained trust to email their victims, urging them to wire a payment to a fake account or send over sensitive information.

Finally, once the extorted funds reach the fake account, the criminals conspicuously launder the money so that it is untraceable by authorities or the victim organization.

According to the FBI, the 5 most common types of BEC scams include false invoice schemes, CEO fraud, account compromise, attorney impersonation, and data theft.

Current trends surrounding BEC

Organizations of all sizes – both from the private and public sectors are heavily impacted by BEC incidents. Due to their great success rate, these attacks have grown in number and sophistication. Cybercrimes like stealing personal identifiable information (PII) and email account compromise (EAC) have gained prominence from BEC. These affect cloud environments and cryptocurrency wallets, among others.

Furthermore, the cost of BEC attacks has gone up exponentially. Between 2016 and 2021 they cost over $43 billion globally. A great contributor to this was the overnight switch to remote working during the pandemic, which made employees even more reliant on email as the main form of communication.

While money is the main motive, in some cases, threat actors steal and sell critical, sensitive, or confidential data.

What you should teach your employees to safeguard against BEC

For these attacks, a state-of-the-art cybersecurity system and network will not be enough.  Employees must be sharp and know what to look out for if danger approaches. Here are some ways to do so:

1. Regularly conduct training and assessments on how to spot and deal with potential cyberthreats. When it comes to BEC, they should particularly be well informed on various social engineering tactics.

• Explain to your employees the danger of sharing personal information online – nicknames, names of family members, pet names, detailed job duties and descriptions, job hierarchies, etc. This information can be used to impersonate them or hack into their accounts by providing answers to security questions. 

• Urge your staff to be wary of all emails and requests coming in, especially those requesting “urgent”  wire transfers or sensitive information. It’s safest to double check such requests with your IT department, colleagues, higher-ups, and vendors.

• Explain the importance of keeping an eye out for details – e.g., any letter/character/number changes in an email address or domain. Threat actors usually rely on employee negligence in these fields.

• Teach your employees why opening or clicking on anything in an unsolicited email without proper verification is dangerous. They could contain links or attachments that are infected with malware and can provide threat actors access to your organizational system and network.

• Invest in efficient cybersecurity tools like antivirus, antimalware, as well as multi-factor authentication on business email accounts. Moreover, protect your domain by securing it to prevent any possibility of BEC attacks.