Business email compromise schemes are sneaky. By taking advantage of some social engineering techniques and some cyber criminal activity, hackers can send emails to employees that look like they're coming from the C-suite.
But look a little more closely: That isn't your boss, and you probably shouldn't put money in those offshore accounts.
What's the deal?
A BEC scheme begins with hackers gaining access to a corporate entity's email account via a diverse array of methods, including keylogger tools or phishing methods, according to Trend Micro researchers. Often, companies targeted by these kinds of attacks have recently undergone a change in leadership, so there may be some level of confusion as to exactly who comprises the C-suite of these organizations.
Once the hacker has a way in, emails can be sent out to the employees from that executive's address. There are three possible paths for the scam to take from here:
- The hacker asks for the employee to send money to an offshore account. This is usually couched as an "alternate" account for an established partner that the employee would already recognize.
- The hacker poses as someone in the C-suite or another authoritative figure and says that there is some sort of emergency that requires the employee to wire company funds to another account.
- The hacker takes control of an email account and sends messages, essentially fraudulent invoices, to the company's clients requesting that they send money.
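The three paths above share a few observable traits: a request involving money, a "new" or "alternate" account, pressure to act quickly, and a sender that either is an executive's mailbox or is dressed up to look like one. As an added illustration (not code from the original article or from Trend Micro), the script below runs a defender's first-pass triage over constructed sample messages and flags those traits. The corporate domain `example.com`, the executive directory and every sample message are assumptions made up for the example.

```python
"""Heuristic BEC triage for incoming mail (added example; all data constructed)."""
import email
import re
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"           # assumption: the protected organization's domain
EXECUTIVES = {                             # assumption: a tiny C-suite directory
    "Jane Doe": "jane.doe@example.com",    # CEO
    "John Roe": "john.roe@example.com",    # CFO
}

PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|invoice|funds|remit)\b", re.I)
ACCOUNT_CHANGE = re.compile(
    r"\b(new|alternate|updated|different)\b.{0,40}\b(account|bank|iban|routing)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today|confidential)\b", re.I)


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    flags = []
    from_dom = _domain(from_addr)

    # Replies routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("reply-to-mismatch")

    # Display name of a known executive on an address that is not theirs.
    exec_addr = EXECUTIVES.get(from_name.strip())
    if exec_addr and from_addr.lower() != exec_addr:
        flags.append("executive-name-impersonation")

    # Sender domain one or two characters away from the corporate domain.
    if from_dom and from_dom != CORPORATE_DOMAIN and edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
        flags.append("lookalike-domain")

    # Path 1 and path 3: money plus a changed or alternate account.
    if PAYMENT_TERMS.search(text) and ACCOUNT_CHANGE.search(text):
        flags.append("payment-to-changed-account")

    # Path 2: an urgent money request that appears to come from inside or from an executive.
    if PAYMENT_TERMS.search(text) and URGENCY.search(text) and (from_dom == CORPORATE_DOMAIN or exec_addr):
        flags.append("urgent-executive-payment-request")

    return flags


def _message(headers, body):
    """Assemble a raw message from constructed header lines and a body."""
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed samples, one per scam path plus a benign control.
SAMPLES = {
    "compromised-cfo": _message(
        ['From: "John Roe" <john.roe@example.com>', "To: accounts.payable@example.com",
         "Subject: Q3 vendor payment"],
        "Please wire the Q3 payment to the vendor's alternate account today.\n"
        "Details attached. Keep this confidential."),
    "spoofed-ceo": _message(
        ['From: "Jane Doe" <jane.doe@examp1e.com>', "Reply-To: ceo.jane@mail-relay.invalid",
         "To: treasury@example.com", "Subject: Need this handled"],
        "I need you to transfer funds immediately. I am in a meeting, email only."),
    "fake-invoice": _message(
        ['From: "Accounts" <billing@vendor-example.invalid>', "To: clients@example.com",
         "Subject: Invoice 1042"],
        "Please find invoice 1042 attached. Our bank details have changed;\n"
        "remit to the new account listed below."),
    "benign": _message(
        ['From: "Pat Lee" <pat.lee@example.com>', "To: staff@example.com", "Subject: All-hands"],
        "Reminder: the all-hands is Thursday at 10."),
}


def triage_all():
    """Run triage over every sample and return {name: flags}."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage_all().items():
        print(f"{name}: {flags or 'no indicators'}")
```

Any message that earns a flag is a candidate for the out-of-band verification the training section below recommends (a phone call to a known number, never a reply to the email). Note that the first sample, sent from the executive's real mailbox, trips none of the header checks; only the content heuristics catch it, which is why the article stresses that employees remain the final line of defense.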
If your company falls victim to any one of these versions of the BEC scam, hackers could abscond with millions.
Why do it?
What motivates hackers to orchestrate this kind of scam against unsuspecting companies? Money, of course. Business email compromise schemes are extremely profitable. In fact, according to the Federal Bureau of Investigation, BEC schemes have netted nearly $3.1 billion, with victims in all 50 states and 100 countries. The epidemic continues to expand, with a 1,300 percent increase in exposed losses since January 2015. In addition, law enforcement received reports from over 17,000 individuals between October 2013 and February 2016.
According to Trend Micro researchers, the CFO is the person most likely to be targeted by BEC scams. This makes sense; who else are you going to go to when you want to steal corporate-controlled money? It's also more likely that employees of lower rank would carry out the hacker's wishes if it looks like they're coming from someone near the top. According to the Deccan Chronicle, 40 percent of BEC scams are carried out against small and medium-sized businesses.
It may seem like hackers have won the day with this kind of scheme. Some questions remain, however: How do you tell when you've been targeted by a BEC scam? How do you defend your company against situations like this?
Educate, educate, educate
One thing is clear: Training and education are two of the most important barriers between hackers and the money they are so desperately trying to get out of your company. Making sure employees know the circumstances under which the C-suite will inquire about offshore accounts and keeping them in the loop about cyber security strategies is the first line of defense.
Entrepreneur contributor Eric Basu noted that it's critical for businesses to avoid scams in order to ensure best cyber security practices. By educating employees on what a scam email looks like and telling them not to click on any fraudulent links or attachments in these messages, you can give them the tools to prevent cyber crime from being committed against your office.
"Spell out what information is and is not acceptable to divulge over the phone, in an email, or in-person to those of unfamiliar status within the organization and outside the company," Basu wrote.
Something a little stronger required
However, there may come a time when training isn't enough. Employees are only human, and it's completely possible that they might fall victim to these kinds of scams. When it comes to protecting your company and the money you've worked so hard to earn, you shouldn't leave it to chance: Investing in the right cyber security solutions is critical.
"Because of the duplicitous and insidious nature of BECs, simple best practices or security solutions are not enough to effectively defend against them," Trend Micro researchers wrote. "BEC scams highlight how employees are the primary and final line of defense when it comes down to protecting an organization's valued assets. Security awareness and solutions that can go beyond the traditional email threats create the barrier between company response and a thousand dollar wire transfer."
BEC schemes are responsible for huge financial losses, and corporate employees are the ones falling for them. Even if an email looks like it was sent from the C-suite, you should make sure it's not part of this scam.