Business email compromise attacks target companies, rather than individuals, and appear to come from a colleague the person already knows. From 2016-2018, BEC alone made $5.3 billion [1], but it’s not an attack that everyone is familiar with. In 2016, BEC attacks led to an average of US$140,000 in losses for companies globally. Business email compromise may involve either social engineering, malware or a combination of the two. BEC attacks, meanwhile, are geared around impersonation. BEC is on the rise — and it’s often difficult to prevent because it’s so targeted. A request for a wire transfer is included in the email, which urges the recipient to take immediate action. According to the FBI, there are five types of BEC scams. The fraudulent email might claim, for example, that a supplier requires prompt payment for a service rendered. Businesses that use open-source email services are frequently targeted, for example, as are employees who handle wire transfers. Such data can be used for future attacks. More money is lost to this type of attack than to any other cybercriminal activity. What is business email compromise (BEC)? To keep these threats at bay, security leaders should implement a comprehensive awareness program for employees that spells out the details of BEC and how to recognize potentially malicious emails. But not all BEC attacks can be painted with the same brush. Instead, they should establish a company domain name and use it to create official company email accounts. Business email compromise (BEC) attacks are arguably the most sophisticated of all email phishing attacks, and some of the most costly. In this article we explore Business Email Compromise (BEC) attacks, another direct revenue scam that, for many of the same reasons, has increasingly been used by criminals.
Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. So, what do you need to watch out for? While BEC is initiated over email, criminals can use various modes of communication to complete the fraud. Business email compromise (BEC) is a type of phishing scheme in which an attacker impersonates a high-level executive and attempts to trick an employee or customer into transferring money or sensitive data. While they may not get as much attention from the press as high-profile ransomware attacks, BEC scams are considered one of the biggest threats facing companies today. Between June 2016 and July 2019, there were 32,367 successful BEC scams in the … Joint Advisory by Cyber Security Agency of Singapore (CSA) and Microsoft. CEO Fraud: Attackers pose as the company CEO or another executive and send an email to employees in finance, requesting them to transfer money to an account the attackers control. Business email compromise (BEC) attacks are one of the biggest cyberthreats facing organizations today, with the FBI estimating that $26 billion has been lost to these attacks over the past 3 years. “One corporation was alerted to a bank transfer following an engineered call from their CEO, which was generated using machine-learning to recreate the call using the CEO’s voice,” says Patrick Tiernan, Aviva’s managing director of UK commercial lines. BEC attacks commonly target the members of staff in an organisation with the authority to both instruct and action financial payments. Account takeover (ATO) attacks, for instance, are often described as identical to Business Email Compromise. Victims also come from a variety of industries, with no one sector appearing to be a favored target. There has been an increasing trend of Business Email Compromise (BEC) attacks reported to SingCERT.
Business email compromise (BEC) is a type of phishing scheme where the cyber attacker impersonates a high-level executive (CIO, CEO, CFO, etc.) and attempts to get an employee or customer to transfer money and/or sensitive data. Business Email Compromise (BEC) and Email Account Compromise (EAC) afflict businesses of all sizes across every industry. The program should train users to identify suspicious requests and cross-reference the sender’s email with the corresponding executive’s known address. BEC often subverts detection because the transaction appears legitimate from the company’s perspective. Confirmation calls and other authentication mechanisms also typically reach the employee who submitted the legitimate request, making BEC even trickier to identify. BEC is a profitable crime due to the nature of the targeted attacks. Data Theft: Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Employee education is vital. Companies should also register as many domains as possible that are slightly different from the legitimate company domain to minimize the risk of email spoofing. Formerly dubbed Man-in-the-Email scams, BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. In 2019, the FBI’s Internet Crime Complaint Center (IC3) recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses. Business email compromise (BEC) scams are low-tech attacks that use social engineering techniques to exploit natural human tendencies. In addition, fraudsters also carefully research and closely monitor their potential target victims and their organizations. However, ATO attacks see the attacker literally gain access to an individual’s genuine account, potentially by using brute force “credential stuffing” hacking techniques.
Business Email Compromise (BEC) has become a major concern for organizations of all sizes, in all industries, all around the world. Since the email address has been spoofed, it appears to be legitimate. CISOMAG - November 4, 2020. The Business Email Compromise (BEC) is a popular type of attack among cybercriminals as it targets businesses and individuals in an attempt to receive money transferred into fraudulent accounts. Also, security leaders should coach employees to be mindful of what they post on social media. Tripwire reported that criminals do a lot of homework — and seek a variety of information — when targeting a victim. According to the Internet Crime Complaint Center (IC3), BEC complaints share some common characteristics. From there, they attempt to get an unsuspecting employee, customer, or vendor to transfer funds or confidential information. What is a BEC attack? Business Email Compromise Attacks Involving MFA Bypass Increase: adversaries are using legacy email clients to access and take over accounts protected with … Normally, such bogus requests are made through email or phone, and towards the end of the business day. Some of the sample email messages have subjects containing words such as request, payment, transfer, and urgent, among others. Research from email security solutions provider Abnormal Security revealed that Business Email Compromise (BEC) attacks have surged across most industries, with a drastic increase in invoice and payment fraud attacks.
Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. The Bogus Invoice Scheme: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters. Finally, human resources (HR) teams should be aware that any job information posted on a company website can be used to facilitate targeted phishing scams, especially job descriptions, organizational charts and out-of-office details. Business Email Compromise Attacks Surge in Q3 2020. The Business Email Compromise (BEC) is a particular type of phishing attack in which cybercriminals impersonate a trusted contact or other party, either internal or external. Business Email Compromise (BEC) is a type of scam targeting companies who conduct wire transfers and have suppliers abroad. It exploits the fact that so many of … IC3 reported multiple instances of fraudsters impersonating lawyers and reaching out to potential victims to handle supposedly confidential or time-sensitive matters. Business email compromise (BEC) is a security exploit in which the attacker targets an employee who has access to company funds and convinces the victim to transfer money into a bank account controlled by the attacker. Often, they impersonate the CEO or another executive authorized to make wire transfers.
BEC attacks are a growing threat to businesses; recent research found that, in the second half … The good news is that understanding how BEC works can help you spot … The victims of BEC scams range from small businesses to large corporations, according to a public service announcement (PSA) from the FBI. Most importantly, employees should not reply to risky emails under any circumstances. Company leaders should avoid using free, web-based email services. Business email compromise (BEC) is a form of phishing attack in which a cyber attacker impersonates a high-level executive (often the CEO). Account Compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. The FBI reported that from June 2016 to June 2019, companies reported $26.2B in losses. A new report from Barracuda, a trusted partner and leading provider of cloud-enabled security solutions, revealed that Business Email Compromise attacks made up 12 per cent of all spear-phishing attacks throughout 2020, a huge increase from just 7 per cent in the year before. Another best practice is to set up an email gateway to flag keywords like “payment,” “urgent,” “sensitive” and “secret” — all of which are common in fraudulent emails.
Some of these reports relate to Microsoft 365, as Microsoft’s platforms are often targeted by criminals in such BEC attacks given that they are commonly used by businesses. Attorney Impersonation: Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Cybercriminals can appropriate seemingly benign information, such as birth dates, favorite foods and places of residence, to personalize their social engineering schemes. It can range from asking the victim to pay a new supplier to paying an invoice for a staff member. The scenario often plays out like this: An email arrives that appears to be from a high-level executive within the company — or even a business partner or company attorney. Business email compromise (BEC) is a low-cost cyber crime tactic that is becoming more common and more effective. The information criminals seek includes general information about the company (i.e., where it does business and with whom) and information about new products, services and patents. Insurance claims received by Aviva highlight the seriousness and increasing complexity of business email compromise attacks. Business Email Compromise (BEC), also referred to as a ‘Man in the email’ or ‘Man in the middle’ attack, is a specific form of phishing where cyber criminals spoof the email addresses of an organization’s executive (most of the time C-level) to defraud the organization’s employees, partners, etc. Keep in mind: Requests for money might ultimately come via a phone call. According to the FBI's Internet Crime Report, BEC exploits were responsible for over $1.77 billion in losses in 2019. Understanding what a business email compromise attack looks like and its associated risks is the first step in safeguarding your business against this type of fraud. Payments are then sent to fraudulent bank accounts. This crime is particularly stealthy because it employs social engineering techniques to manipulate users.
According to the FBI’s 2017 Internet Crime Report, BEC and email account compromise (EAC) represented the highest reported losses — costing 15,690 victims more than $676 million. These attacks pose a serious risk to companies that manage financial transfers and payments — for example, costs to Canadian companies have been estimated at approximately $33 million since 2016 alone.