Business email compromise (BEC) is one of the most financially damaging cyber crimes currently facing businesses. Organizations often experience losses in the hundreds of thousands, if not millions, of dollars before this exploit is discovered. According to the FBI Internet Crimes Complaint Center, there were almost 22,000 complaints of BEC, resulting in over $2.7 billion in losses in 2022, which was over 25% of total financial losses due to cyberattacks.1 Google and Facebook collectively lost over $121 million to a BEC attack by Evaldes Rimasauskas from 2013 to 2015, demonstrating that even mature high-tech companies can fall victim to this nefarious attack vector.
Not only is BEC a high-dollar attack, but it can also be accomplished in a very quick and efficient manner. Microsoft’s security intelligence team investigated an attack and found it can take attackers just a few hours to complete the attack.2 What exactly is an attack that can be carried out at that speed with such a huge financial impact?
BEC can come in multiple forms. Attackers can either use real or impersonated email accounts or a combination of the two. BEC attacks typically leverage a successful social engineering attack. Impersonated email accounts are very easy to set up. The attacker only has to purchase a domain with a very similar spelling to the target domain or one with a Cyrillic character instead of the Roman character. For example, newestloan.com is not the same as newestloan.com. In a rush or simply glancing at the email address may not make it readily apparent that the t in the second domain is actually a Cyrillic t. Now the attacker creates an email address of the CFO of a vendor of the target company. The impersonated CFO sends an email to the accounts payable (AP) staff at the target company, stating they need to change their banking information before the next payment is processed. If the AP staff takes the bait, the banking information for the legitimate vendor is changed to that of the attacker. At this point, the next accounts payable run will result in funds being transferred into the attacker’s account. This will continue until such time as the target company learns they are not paying the real vendor.
What can businesses do to protect themselves from becoming a victim of BEC? One of the most effective measures to help prevent BEC is to train your employees. Security awareness training should have specific modules on BEC so employees know what it is, how to recognize it, and what to do when they suspect it. Organizations should also have policies in place that require dual control to change banking information for a vendor, customer, or employee. Your policy should also be such that banking information is not changed by email request. If such a request is made, a phone call to an already known good phone number should be made to the primary contact for the vendor, customer, or employee to confirm this information. It is also worth noting that sending banking information in clear text in an email is never secure and if it is determined that a legitimate request is made via email, remind the sender that this is not secure and recommend secure alternative methods of communication.
Organizations should also consider purchasing domain names that are similar to their own domain to keep potential attackers from buying and using it. Multifactor authentication should be enabled for your email. There are also many quality advanced email protection tools available that will help identify impersonation emails. Your organization should also monitor leaked or compromised credentials that are for sale on the Dark Web. If these are discovered, it is important to notify the user or users to change those passwords immediately.
Remember, cybersecurity is a team sport and everyone in your organization has a role to play!
Authors: Edward Keck, Jr., Partner, Market Leader – Cyber and Information Security | Julie Tracy, Executive Cybersecurity Advisor | [email protected]
For more information on this topic, please contact a member of Withum’s Cyber and Information Security Services Team.