Business email compromise (BEC) is a form of fraud in which attackers target companies with the intent of extracting money. The methods used in a BEC attack vary, but they follow a pattern that can be observed in most, if not all, reported BEC cases.
Typically a scammer builds a profile of the target company and its executives, then uses that profile to craft a social-engineering attack that convinces employees, especially those who handle the company's finances, that they are corresponding with a genuine business client or even with their own superiors. This works because, thanks to the plethora of online platforms, information on almost anyone is now widely available; avenues for gathering it include social media pages, LinkedIn profiles and so on. Armed with the scraped data, attackers understand the target's profile well enough to create a persona they later use to manipulate employees into doing their bidding.
Typical scenarios
A typical BEC scenario involves the following:
Case a)
- The attackers pick a target, mostly companies from which they can extract money.
- An email is sent to the finance team requesting payment of an invoice, with the attackers masquerading as a legitimate supplier or service provider.
- Before payment is made, the attackers send another email asking that the payment go to a different bank account, one the attackers control.
- The stated reason for the change in bank details usually revolves around 'an audit being carried out on the account, so payments have been halted' or 'the account cannot accept the currency in which the invoice is denominated'.
- If successful, the payment lands in the attackers' account and that is the last anyone hears of them. No service is provided and no product is delivered.
Case b)
- A profile of the company's top-level executives is built and later used to manipulate employees, most likely those in finance, into making a purchase or paying an unwarranted invoice.
- Social engineering is used to convince the finance staff that they are communicating with the CEO (in reality it is the attackers, using a spoofed or lookalike email address that appears to belong to the CEO).
- The 'CEO' (attackers) then instructs finance to hastily make a payment to a certain account or to buy gift cards for the employees.
- The purchased gift cards are to be sent to the 'CEO' by email, handing the attackers the value and leaving the company with a substantial loss.
The above covers the most common scenarios, other scenarios may exist and be employed by the attackers.
How to avoid falling victim
Successful BEC is a costly affair to the company and may result in a huge loss. The good news however, is that there are a few measures that can be taken to reduce chances of falling victim.
- Proper employee training on how to recognise phishing and impersonation/spoofed emails, backed by a process that verifies any change of supplier bank details or any unusual payment request out of band (a known phone number, never a reply to the email itself).
- Use of email security software that identifies spam and phishing messages and blocks or removes them from employees' inboxes server side, before anyone can act on them.
- Setting up a proper company-wide email authentication policy, including SPF, DKIM and DMARC, so that receiving mail servers can identify spoofed emails pretending to come from the company's own domain. Note that these records protect only the company's own domain; they do nothing against mail sent from a lookalike domain or a free webmail account carrying an executive's name, which is why the training above still matters.
While the above steps might not be sufficient to completely eradicate this menace, following them might prove valuable when a BEC is attempted on your company and employees.
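As an added illustration (not code from the original article), the following Python script applies the header-level checks that a mail gateway or a SOC analyst would run against the two scenarios above: an executive's name on an external mailbox, a DMARC failure for the company's own domain, a lookalike domain, a diverted Reply-To and payment-change or gift-card language in the body. The company domain example.com, the executive roster, and the four sample messages are all constructed for the example and are not real traffic.

```python
"""Header checks for the BEC patterns described above.

Added illustration only, not code from the original article. The company
domain, the executive roster and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for the example: our own domain and the mailboxes of the executives
# attackers like to impersonate. Neither value comes from the article.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases from the two scenarios above: diverted payments and gift-card requests.
PAYMENT_DIVERSION = re.compile(r"(new bank account|bank details|gift cards?|wire transfer)", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain of an address header value, or '' if none present."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted lookalikes of our domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dmarc_result(msg) -> str:
    """DMARC verdict stamped by the receiving gateway in Authentication-Results."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def analyse(raw: str) -> list:
    """Return findings for one raw RFC 5322 message; an empty list means nothing matched."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Executive's name in the display name, but not the mailbox we know for them.
    known = EXECUTIVES.get(display.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"display-name impersonation: '{display}' sent from {from_addr}")

    # 2. Our own domain in From, yet the gateway did not record a DMARC pass.
    verdict = dmarc_result(msg)
    if from_domain == COMPANY_DOMAIN and verdict != "pass":
        findings.append(f"From claims {COMPANY_DOMAIN} but DMARC result is {verdict}")

    # 3. Lookalike domain, one or two edits away from our own.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain {from_domain} (close to {COMPANY_DOMAIN})")

    # 4. Replies silently diverted to another domain (the supplier scenario).
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 5. Payment-diversion or gift-card language in a plain (non-multipart) body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_DIVERSION.search(body):
        findings.append("body asks for a payment change, wire or gift cards")

    return findings


# Constructed sample messages, one per pattern; not real traffic.
CEO_GIFT_CARDS = """\
From: "Jane Doe" <jane.doe@gmail.com>
To: finance@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dmarc=pass header.from=gmail.com

I'm in a meeting all day. Please buy gift cards for the team and email me the codes.
"""

SUPPLIER_BANK_CHANGE = """\
From: Accounts <accounts@acme-supplies.com>
Reply-To: accounts@acme-supplies.co
To: finance@example.com
Subject: RE: Invoice payment details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supplies.com; dmarc=pass header.from=acme-supplies.com

Our usual account is under audit. Please pay this invoice to the new bank account below.
"""

SPOOFED_OWN_DOMAIN = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Urgent
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

I need a wire transfer sent before close of business today.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Monday agenda
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com

Agenda for Monday attached.
"""

if __name__ == "__main__":
    for name, sample in [("ceo gift cards", CEO_GIFT_CARDS), ("supplier bank change", SUPPLIER_BANK_CHANGE),
                         ("spoofed own domain", SPOOFED_OWN_DOMAIN), ("legitimate", LEGITIMATE)]:
        print(name, "->", analyse(sample) or ["no findings"])
```

Note what the first sample shows: the gift-card message passes SPF and DMARC, because the attacker genuinely controls the gmail.com mailbox it was sent from. Authentication records only prove which domain a message came from; they say nothing about whether the person named in the display name is who they claim to be, which is why the display-name and Reply-To checks, and the training and out-of-band verification above, are still needed.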