Business email compromise attacks are on the rise. Here's how to avoid getting duped.
Cases where criminals pose as a co-worker to steal money from companies have been on the rise since the start of the COVID-19 pandemic.
These cyberschemes—known as business email compromise, or BEC—are sinister because they rely on lying and deceit, and they come from real humans looking to cash in on workers’ failure to verify information.
To encourage workplace vigilance, Drata analyzed complaint data from the FBI and threat trends reported by Verizon to illustrate recent tendencies in BEC cyberattacks.
Among data breaches in which a person is manipulated into helping the attacker, a category referred to as social engineering, BEC attacks now comprise half of all incidents, according to Verizon’s 2023 Data Breach Investigations Report. And when it comes to social engineering, anyone can be targeted, regardless of their level at a company.
These attacks aim to trick unsuspecting employees into directing company money to the criminal, either by hijacking legitimate email addresses or spoofing them. Spoofing is when someone disguises their identity over caller ID, makes it mimic another person, or, in the case of emails, tricks an email client into showing a false identity in the sender field. The fraudster may have developed a dossier on the person they’re disguised as, drawing on publicly available info from LinkedIn or other social media.
Once the email has been received, the criminal in disguise typically has a request. They may pose as a higher-up at the company, a board member, a vendor, or another person from whom it may seem normal to receive a request for sensitive or financial data.
At this point the attacker is “phishing,” as it’s called, for sensitive information that would allow them to gain financially. If the attacker has earned the victim’s confidence, a BEC scam can leave the victim exposed to malware or to major losses.
BEC attacks resulted in the second-largest total losses in 2022, after investment scams, according to the FBI’s Internet Crime Complaint Center. And they’re becoming a bigger problem at the same time as the American workforce is getting more accustomed to remote meetings and hybrid work environments where more operations are conducted digitally.
BEC complaints grew by 13% in recent years
The frequency of these attacks has increased by 13% in the three years since 2020, and in 2022, losses from BEC scams totaled more than $2.7 billion, the FBI found. Complaints submitted to law enforcement help paint a picture of attack trends, but private sector sources also confirm the uptick in BEC scams.
Internet service provider Verizon’s annual report bolsters that point, based on its own security data as well as data from CrowdStrike, Palo Alto Networks, NETSCOUT, the Secret Service, and dozens of other security organizations. Verizon’s analysis found that BEC attacks nearly doubled in 2023 compared to the previous year.
Companies must keep pace with preventative measures and mitigation efforts, as cybercriminals have developed more sophisticated scamming tactics—going beyond the inbox.
As the FBI reports, fraudsters engaging in BEC scams are more commonly targeting investment account information over traditional bank account information—but rather than using email, they’re using spoofed phone numbers to fool victims into thinking they’re speaking with an actual real estate agent or vendor to set up a payment.
BEC attacks open the door for more than just malware
These attacks don’t end with simply gaining sensitive information from the victims. They often are a setup for criminals to intercept a wire transfer or install malware, with ransomware being the most common form. The attacker may also use credentials they tricked the victim into handing over to cause more destruction. Over the last several years, losses from BEC schemes have increased, with the typical attack costing $50,000, according to Verizon’s latest annual figures.
How to avoid becoming the victim of a social engineering attack like BEC
In BEC schemes, the attacker may make it seem like money needs to be sent urgently, but rushing can be a recipe for loss. As with any potential security compromise, it also helps to read carefully: read emails closely, and inspect and research the sender address fields or the caller ID of the person requesting payment information.
One throughline in the advice from law enforcement and cybersecurity professionals for guarding against these kinds of attacks is the benefit of increasing the number of steps, or the number of people, required before someone can share sensitive information.
The FBI recommends setting up two-factor or multifactor authentication on email accounts and other web applications where possible. It also recommends company employees verify payments by communicating with the authorizing person in some other way than email before releasing the funds.
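The advice above to inspect the sender address fields can be turned into a routine pre-payment check. The following is an added example, not code from the article or from Drata: it parses a constructed BEC-style message and lists the reasons it should be verified out of band. The sample message, the trusted domain example.com and the urgency cue list are assumptions made for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample (not from the article) imitating a BEC "urgent payment"
# lure: the display name claims the CFO, the address uses a lookalike domain,
# and Reply-To steers any answer to a third domain.
SAMPLE_BEC = b"""From: "Dana Rivera (CFO)" <dana.rivera@examp1e-corp.com>
Reply-To: d.rivera.cfo@mail-example.net
To: ap-clerk@example.com
Subject: Urgent wire needed before 3pm

Please process the attached vendor invoice today. Do not call, I am in a
board meeting all afternoon.
"""

# Constructed benign message from the organisation's own domain, for contrast.
SAMPLE_OK = b"""From: Dana Rivera <dana.rivera@example.com>
To: ap-clerk@example.com
Subject: Q3 vendor list

Attached is the list we discussed; no action needed this week.
"""

# Domains the organisation legitimately sends from (assumed for the example).
TRUSTED_DOMAINS = {"example.com"}
# Digit-for-letter swaps commonly seen in lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
# Phrases that pressure the recipient to skip verification.
URGENCY_CUES = ("urgent", "today", "do not call", "wire")

def looks_like_trusted(domain: str, trusted: set[str]) -> bool:
    """True if the domain's first label imitates a trusted domain's label."""
    base = domain.split(".")[0].translate(CONFUSABLES).replace("-", "")
    return domain not in trusted and any(
        base.startswith(t.split(".")[0]) for t in trusted)

def bec_indicators(raw: bytes, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return the reasons a message should be verified out of band
    (phone call to a known number, in person) before funds are released."""
    msg: EmailMessage = email.message_from_bytes(raw, policy=policy.default)
    from_dom = msg["From"].addresses[0].domain.lower()
    reasons = []
    if from_dom not in trusted:
        reasons.append(f"sender domain {from_dom!r} is not a trusted domain")
    if looks_like_trusted(from_dom, trusted):
        reasons.append(f"sender domain {from_dom!r} imitates a trusted domain")
    reply_to = msg["Reply-To"]
    if reply_to and any(a.domain.lower() != from_dom for a in reply_to.addresses):
        reasons.append("Reply-To points to a different domain than From")
    text = (msg["Subject"] + " " + msg.get_content()).lower()
    hits = [cue for cue in URGENCY_CUES if cue in text]
    if hits:
        reasons.append("urgency/secrecy cues: " + ", ".join(hits))
    return reasons
```

A non-empty result is a prompt to verify by another channel, as the FBI advice above describes, not a verdict that the message is fraudulent.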
Recovering from a BEC attack
If an organization or employee believes they’ve been targeted by a BEC attack, the FBI recommends contacting the financial institution from which the stolen funds originated as soon as possible. By contacting the financial institution, the victim can request a reversal of the funds and a so-called “hold harmless letter” that can keep the victim from being held liable for the crime. The FBI also recommends filing a detailed report about the incident with the Internet Crime Complaint Center.
Reporting an incident to the FBI’s internet crime division requires submitting the victim’s mailing address, email address, phone number, a description of the incident, bank and bank account details, the dates and amounts of the transactions, and the instructions the alleged attacker provided the victim. The center does not investigate cases but forwards them to the appropriate law enforcement agency, which may request documentation of messages sent and other data related to the crime.
Story editing by Jeff Inglis. Copy editing by Paris Close. Photo selection by Clarese Moller.
This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.