How do Cyberattackers Carry out BEC Schemes?
Business email compromise (BEC) or email account compromise (EAC) is one of the most financially damaging online crimes, exploiting the fact that email is a common tool for conducting business, both personally and professionally.1 In a BEC scam, cyberattackers send out an email that appears to come from a legitimate source making a legitimate request. A cyberattacker might use different approaches such as portraying themselves as a known vendor and emailing an invoice with new email address, posing as an administrator asking an assistant to buy gift cards for employees- asking for gift card numbers, or sending a homebuyer an email posing as a title company, asking to wire a down payment. These are real life scenarios where thousands of dollars were sent to cyberattackers.
Cyberattackers use some of the following approaches to carry out their scam:
Spoofing. A cyberattacker may make a slight variation on an account or website, such as adding an extra letter. This fools victims into believing that the message is legitimate.
Spearfishing. Spearfishing emails appear like they are from a trusted source in an effort to trick victims into sharing confidential information. This information can be used to access company accounts, calendars, or sensitive data that gives them sufficient information to carry out the BEC schemes.
Malware. Cyberattackers can install malicious software to infiltrate a company network to gain access to legitimate email threads about financial transactions. Using this information, the cyberattacker can time requests and messages in such a way that accountants believe they are receiving timely and legitimate payment requests. Malicious software can also allow cyberattackers to gain access to victim’s data, including passwords and financial information, without being detected.
In order to protect yourself and your organization:
Be careful about the information that you share online and on social media. Public details that you share about your personal life such as pet names, schools that you attended, names of family members, and birthdates can all be used to guess your passwords or to answer your security questions. Apply privacy settings to your social media accounts so that they are not publicly available.
Do not click on request via text or email to verify account information. In order to verify if you are receiving a legitimate request, contact the organization using contact information that you have already or that you find online; do not use links or phone numbers provided in the message as they could be redirecting you.
Carefully examine email addresses and URLs. Cyberattackers rely on you missing small details in order to trick you into clicking on malicious links.
Download carefully. Never open an email attachment from someone that you don’t know, or attachments that you were not expecting, and be wary of forwarded attachments.
Set up two-factor or multi-factor authentication. This makes it more difficult for cyberattackers to breach your accounts.
Verify financial transaction details. Ensure that requests for payment are legitimate by contacting the individual personally. Verify any changes in account numbers or payment procedures.
Take it slow. Any request for you to act quickly should be regarded with suspicion.
1 FBI, 2021, “Business Email Compromise”