Quick: Which kind of cyber-attack causes the most financial damage overall? Ransomware, you say? Wrongo! They’re called BEC attacks, and you need to know about them.
Don’t believe it? Just ask the FBI. In 2021, the FBI’s Internet Crime Complaint Center received 19,954 Business Email Compromise reports, with adjusted losses totaling almost $2.4 billion. That’s an average of more than $120,270 per incident. Compare that to ransomware, with just under $13,200 per incident per attack.
Since the FBI began tracking these threats in 2013, tens of billions in financial losses have been recorded. There have been nearly 170,000 incidents in 178 countries in that time.
I’ve never heard of a BEC Attack. What is it?
It stands for Business Email Compromise, and BEC attacks begin with a cybercriminal hacking and spoofing emails. The aim is to impersonate your company’s supervisors, CEO, or vendors. Once they’re in, they request a seemingly legitimate business payment. The email looks authentic and seems to come from a known authority figure, so the employee complies. Typically, the bad actor will ask for money to be wired or checks to be deposited, something like that. However, nowadays BEC scams may not even involve money. Instead, they may be targeting employee’s personal information, income, and tax forms like W-2s, and so on.
Why aren’t these as notorious as, say, ransomware attacks?
During many ransomware attacks, business operations grind to a halt. When a company loses access to customer information, payment systems and critical applications, it’s pretty obvious pretty quick.
But BEC attacks are comparatively silent. Even when these attacks have a huge impact on an organization’s bottom line, operations can often continue as usual. Subsequently, businesses frequently opt to keep these attacks out of the public eye. This is to avoid risking reputation damage and loss of trust.
How BEC Attacks Fly Under the Radar
But what makes BEC attacks so dangerous when compared with other forms of cyberattacks? And why are they harder to stop?
BEC is a specialized type of phishing attack that relies on social engineering. They often use proven pretexting techniques to engineer a quick introduction. Then, they establish a believable scenario in order to manipulate the victim to take a specific action.
These attacks can target employees at any level of an organization. However, they generally start with impersonating an authority figure such as a CEO or a manager.
BEC attacks are among the hardest to detect because the threat signals are subtle. Relying on trickery, the approach is very subtle. And the actual delivery generally doesn’t use easily-detected weaponized URLs or malicious attachments.
In addition, the email content and the delivery mechanism are usually of higher quality. They are often tailored to target specific persons. With little to no apparent sign of a threat, these messages can bypass most email security filters to reach the inbox. And the absence of any sort of alert, such as a contextual warning advising caution, leaves the victim more vulnerable to falling for the scam.
Because so many of these scams are successful, their use has grown dramatically. Today, roughly 80% of companies targeted by BEC attacks each year. There isn’t much you can do to avoid being targeted, either. But there are things you can do to protect your organization.
Like what?
Sure, some BEC attacks involve the use of malware. But as has already been said, many rely on social engineering techniques. And antivirus, spam filters, or email whitelisting are ineffective against this. However, one of the most useful things you can do is to educate employee. You can also deploy internal prevention techniques, especially for frontline staff who are most likely to be recipients of initial phishing attempts. For example, Avoid free web-based e-mail accounts. Establish a company domain name and use it. Create company e-mail accounts in place of free, web-based accounts.
Also, don’t open any email from unknown parties, and definitely don’t click on any links in any such emails. Obviously.
Secure your domain. Domain spoofing uses slight variations of legitimate email addresses to deceive victims. Register domain names similar to yours. Sure, it sounds a little neurotic. But it will protect you against the email spoofing at the heart of successful attacks.
“Forward,” don’t “reply” to business emails. By forwarding the email, the correct email address has to be manually typed in or selected from the address book. Forwarding ensures you use the intended recipient’s correct e-mail address.
And a little common sense…
Always verify before sending money or data. Standard operating procedure should include employees confirming email requests for a wire transfer or confidential information. And confirm face-to-face, or through a phone call using previously known numbers, not phone numbers provided in the email.
Corporate Armor offers many solution that include content filtering specially created identify many types of BEC attacks. Solutions from Palo Alto, Sophos, Avast, Fortinet and more are great options to consider as you build a defensive strategy against this very pervasive, crafty form of cyber-aggression. We would love to answer any questions you ay have, and save you money on your cyber-security needs. Just email us, or call 877-449-0458. Thanks for reading!