BEC Attacks: What Are They and How Can You Prevent Them?

BEC Attacks: What Are They and How Can You Prevent Them?

Today's organizations face a terrifying array of threats: from natural disasters to disgruntled employees, from data breaches to downed servers, to invididual scams like the phone number port out scam we covered in a previous article. These problems occur quickly and often, without warning. Luckily, when it comes to cybercriminals, there's a lot you can do to ward off an attack. But first, of course, you need to be aware of the various dangers you might face. That's why we dedicated so much of our blog to educating our clients about them - and today is no different.

In this post, we'll discuss BEC attacks. We'll help you understand what BEC attacks are, educate you on the potential ways in which you might be compromised, and explain how you and your employees can reduce the risk that you'll fall victim to a BEC attack in the future.

What Is a BEC Attack?

First though, let's tackle the most obvious question: What is a BEC attack? BEC stands for Business Email Compromise. According to SonicWall, "BEC attacks do not contain any malware and can easily bypass traditional email security solutions. For cybercriminals, there is no need to invest in highly sophisticated and evasive malware. Instead, they engage in extensive social engineering activities to gain information on their potential targets and craft personalized messages."

What Is Social Engineering?

Now you're probably wondering, "What's social engineering?" In the context of information technology, social engineering refers to a malicious attempt to manipulate you into sharing confidential information or sending money to counterfeit account. By now, a certain very well-known BEC attack has probably come to mind: a Nigerian prince emails you, explaining how he just knows he can trust you to protect his family's vast fortune, and asking if you could simply share your bank account information, he'll deposit millions of dollars into it, and, what the heck, he throw you a cool million as thanks for helping him out.

While the vast majority of us know enough (at least by now) not to hand over our bank details, the unfortunate truth is, just like all the other types of cybercriminals, those who use BEC attacks have also gotten smarter - much smarter. And their cons are working in a big way to specifically target businesses.

BEC Attack Facts and Stats

Law enforcement agencies have reported that, in the last five years, there have been over 40,000 US victims of EAC and BEC attacks (EAC stands for "email-account compromise," referring to all non-business email compromises, like the Nigerian prince scam), who collectively have had nearly $3 billion stolen from them. Worldwide, the numbers are even grimmer, with nearly 80,000 victims losing $12.5 billion dollars. Yikes.

There are various, highly sophisticated tricks used to get around the defenses of increasingly savvy company employees. Let's review them, so you know how to spot them going forward. A BEC attempt may use one or more of several techniques, including spoofing, display name deception, and even email account takeover, to get past your defenses.

A BEC Attack Example

Instead of the ol' Nigerian prince con, online crooks are crafting emails that look extremely similar to the real emails you receive from someone within your company, or an outside vendor or customer. They often create a sense of urgency in the recipient.

For example, let's say an email that looks like it's coming from your CEO tells you to drop everything and immediately pay a supplier who's overdue in receiving a crucial payment for $500,000. Not only does he have the same display name as your boss, he's writing you from an email address that looks real because it's so similar to your company's real email address suffix (say, [email protected] instead of [email protected]). He demands that you wire the money to XYZ Industries right away. You know XYZ Industries is a regular supplier, so you think, "No problem." You use the information your CEO has provided you to wire the money to www.xyzindustriess.com. It doesn't occur to you that the URL is off by one letter, because you know the matter is urgent and you want to please your boss.

And just like that, your company has been swindled out of half a million dollars - money that will be nearly impossible to trace nor get back. Unfortunately, technology and social media have made it easy for crooks to look up all your company's information, including your CEO's name, the names of your suppliers, and more. With a few minutes of research as well as a little help from social engineering, you've been had.

Preventing BEC Attacks

The best way to thwart BEC attacks? Question everything, especially when things are demanded urgently. The best thing to do is to take a moment to pick up the phone and call your CEO to confirm what he or she needs. You should also double-check the email addresses and URLs in the emails you receive, though be aware that in some cases, crooks might hack into your CEO's actual email account to send the wire transfer email. Worried that you'll upset your boss by wasting time ensuring the request from your CEO is real? Simply explain that you're trying to ward off a BEC attack in order to protect the company, and you will likely receive thanks and appreciation for your coolheaded quick thinking. If you can't reach your CEO, speak to your immediate manager about your concerns instead.

The FBI has developed a tip sheet for warding off BEC attacks, which provides helpful, at-a-glance prevention information. ICS also has a wide range of products and services that can help your organization avoid falling victim to such an attack:

• Email Security
• Security Awareness Training
• Proactive IT Security
• Email and IT Acceptable-Use Policy Creation
• Helpdesk Support
• Data Leakage Prevention
• Managed IT Security