Business Email Compromise Attacks Explained

Business email compromise (BEC) attacks are increasing at a staggering rate. These social engineering attacks are cleverly disguised and can fool even experienced, well-trained staff. So, what exactly is a BEC attack, and how can you protect your company from falling victim?

What Is a BEC Attack?

This versatile attack, also known as a CEO fraud scheme, works when an attacker poses as a legitimate employee and requests money or data either from an executive or as an executive. As the email appears to be from a legitimate source, the request is often granted and money is transferred, or data is sent, in response to the email.

Why Do These Attacks Work?

Although these attacks sound too simple to work, they’ve become very successful. The Federal Bureau of Investigation (FBI) has reported that BEC attacks have increased an astounding 1300% since January 2015, costing more than 20,000 companies more than $3 billion.

According to Krebs on Security, “On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.”

What Can You Do to Protect Your Company?

The FBI and industry experts recommend you take the following precautions to protect your company from BEC attacks:

  • Invest in training, training, and more training—social engineering attacks prey on your staff, so teaching them what to look for, and how to be vigilant, is your first line of defense.
  • Implement email authentication that catches emails that appear to be from your domain but actually originate from outside your company.
  • Establish security protocols, such as a good old-fashioned phone call, to verify requests that meet certain conditions (e.g., requesting money transfer over a certain amount or asking for personally identifiable information).
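The second precaution above, catching mail that claims to be from your own domain but was sent from elsewhere, is usually enforced with a DMARC-style alignment check at the mail gateway. The following is an added example written for this article (it is not code from the original post or from Security Pursuit). It assumes the gateway has already evaluated SPF and DKIM and recorded the verdicts in an Authentication-Results header, and it then checks that the domain in the visible From: header aligns with the domain that SPF or DKIM actually authenticated. It also flags the related display-name trick, where the sender's name mentions your domain while the address itself is external. `OUR_DOMAIN`, the `example.com`/`evil.test` domains and the sample messages are constructed placeholders, and the organizational-domain logic is deliberately simplified (a real implementation would consult the public suffix list).

```python
"""Flag inbound mail that claims to be from our domain but fails sender authentication.

Added example, not part of the original article. Assumes the receiving gateway
writes SPF/DKIM verdicts into an Authentication-Results header (RFC 8601 style);
this code only performs the DMARC-style alignment check on top of those verdicts.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # constructed placeholder for the protected domain


def org_domain(domain: str) -> str:
    """Relaxed alignment: compare the last two labels.

    Toy approximation of the organizational domain; a production check would use
    the public suffix list so that e.g. 'co.uk' is not treated as an org domain.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def authenticated_domains(auth_results: str) -> set:
    """Return the domains that SPF (smtp.mailfrom) or DKIM (header.d) actually passed."""
    passed = set()
    # First element is the authserv-id (the gateway's own name); clauses follow it.
    for clause in auth_results.split(";")[1:]:
        clause = clause.strip()
        if clause.startswith("spf=pass"):
            m = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
            if m:
                passed.add(m.group(1).lower())
        elif clause.startswith("dkim=pass"):
            m = re.search(r"header\.d=([\w.-]+)", clause)
            if m:
                passed.add(m.group(1).lower())
    return passed


def classify(raw_message: str) -> str:
    """Classify one RFC 5322 message as aligned, spoofed-internal, display-name-spoof or external."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    if org_domain(from_domain) != org_domain(OUR_DOMAIN):
        # Not claiming our domain in the address; still catch "Jane (example.com) <x@evil.test>".
        if OUR_DOMAIN in display_name.lower():
            return "display-name-spoof"
        return "external"

    passed = authenticated_domains(msg.get("Authentication-Results", ""))
    if any(org_domain(d) == org_domain(from_domain) for d in passed):
        return "aligned"  # SPF or DKIM passed for a domain aligned with From:
    return "spoofed-internal"  # claims our domain, but nothing aligned authenticated it


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=notifications.example.com; dkim=pass header.d=example.com
Subject: Q3 invoices

Attached as discussed.
"""

SPOOF = """From: "CEO" <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk.evil.test; dkim=none
Subject: Urgent wire transfer

Please process today.
"""

DISPLAY = """From: "Pat Lee (example.com)" <pat.lee@mail-example.test>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-example.test; dkim=pass header.d=mail-example.test
Subject: Updated banking details

See below.
"""

EXTERNAL = """From: Vendor Support <support@vendor.test>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.test; dkim=pass header.d=vendor.test
Subject: Your ticket

Resolved.
"""

if __name__ == "__main__":
    for name, raw in [("LEGIT", LEGIT), ("SPOOF", SPOOF), ("DISPLAY", DISPLAY), ("EXTERNAL", EXTERNAL)]:
        print(f"{name:8s} -> {classify(raw)}")
```

Mail classified as `spoofed-internal` or `display-name-spoof` is exactly what the training in the first bullet teaches staff to distrust, and what the phone-call verification in the third bullet exists to catch; at the gateway it is a candidate for quarantine or a visible warning banner rather than silent delivery. Note that a legitimate subdomain sender (`notifications.example.com` in the LEGIT sample) still aligns under the relaxed check, which is why relaxed rather than strict alignment is the usual starting point.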

Invest in Your First Line of Defense

As with all social engineering attacks, BEC attacks prey on the human factor to gain access to your assets. As such, training and penetration testing are your first and best line of defense. Let Security Pursuit see how far they can make it past your security controls, including your staff. You can then turn this data into a training exercise that helps ensure your staff members are diligent and vigilant about potential social engineering attacks.