Business Email Compromise: an Old Threat With New Goals | Antivirus Software

Business Email Compromise (BEC) is the far more sophisticated descendant of the traditional "Nigerian prince" scam. According to the FBI, U.S. companies lost $1.7 billion to Business Email Compromise in 2019. That figure only covers cases reported to the FBI, so the real loss is almost certainly higher.




Although a significant proportion of the losses can be recovered, 21 percent of victims lose everything.


Attackers used to focus on large corporations, but they now regularly target SMEs, which are far less well prepared for an attack, both technologically and financially. Large corporations have an arsenal of tools for responding to Business Email Compromise and repairing the damage; SMEs, especially the smaller ones, cannot afford that luxury.


Before we look at the Business Email Compromise threats facing SMEs, here are some high-profile attacks on large companies.


Mattel's $3 million loss to BEC

In 2015, Mattel lost $3 million to a Business Email Compromise when an attacker exploited a change of leadership. Posing as the newly appointed CEO, the attacker emailed a Mattel finance executive requesting a wire transfer to a vendor in China. Mattel's growing business in China made the payment look legitimate, and since the request appeared to come from the new CEO, the executive did not hesitate to approve it.


One report found that before the attack the criminal did his homework, scouring social media and other sources to identify an executive with the authority to approve financial transactions. Fortunately, the transfer was sent on a bank holiday in China, which gave Mattel time to report the attack and stop the funds from reaching the attacker's account.


Nikkei's $29 million loss in a vendor compromise attack

In 2019, a U.S. employee of the Japanese media company Nikkei transferred $29 million to a fraudster posing as a Nikkei supplier. This newer variant of Business Email Compromise is known as Vendor Email Compromise: a vendor's mailbox is compromised and then used to send emails to the vendor's customers and clients. Because the payment request arrives from the vendor's genuine address, the recipient has no obvious reason to be suspicious.


What stands out in the examples above is that each involved the diversion of a very large sum. Transactions of that size are unlikely to go unnoticed for long, which is precisely why the FBI's recovery rate in such cases is good: prompt reporting allows a quick response, and the funds can often be frozen or clawed back.


To stay ahead of the authorities' short reaction time, attackers increasingly go after smaller targets, SMEs, and request smaller sums, sometimes in installments. Such transactions are more likely to go undetected for an extended period, giving the attacker time to drain accounts and move on to the next target.


Below are three types of Business Email Compromise scams that SMEs should be wary of.


Wire transfer fraud

The most common form of wire transfer fraud is known as CEO fraud. An attacker spoofs an executive's email address (or just the display name) and asks an employee to make a transfer. The request might be to pay a vendor, make a down payment on real estate, or fund a large purchase.


Although this kind of transfer fraud is still widespread, attacks on SMEs typically request relatively small amounts. That improves the attacker's odds for two reasons: a small request does not trip any alarms that would lead the victim to question it or notify someone, and a small transfer can go unnoticed for a long time.


Transfer requests sent from compromised internal accounts are a growing threat. Attackers gain access to platforms such as Microsoft 365 via phishing emails and then send requests to employees from the account they have taken over. One example is the 2019 attack on the Catholic parish of St. Ambrose in Brunswick, Ohio (USA). Writing from a compromised Microsoft 365 account, the attacker posed as a vendor, a construction company, and requested payment for restoration work. The employee transferred $1.7 million, which the attacker quickly moved on to another account.


Tax form fraud

Business Email Compromise is not always about money. Attackers are also after sensitive data that they can monetize or use in later attacks. The W-2, a U.S. payroll tax form, is a sought-after document: it contains enough personal information (name, address, Social Security number, wages) for a criminal to open accounts or file a fraudulent tax return and collect the refund.


To get hold of W-2s and other tax forms, attackers impersonate employees and send spear-phishing emails to HR and accounting staff requesting copies of their forms. The scam is particularly successful during tax season: not only are HR and accounting busy and likely distracted, they are also used to fielding a flood of tax questions from employees, so the request does not look unusual.


Direct deposit (payroll diversion) fraud

According to the FBI, the fastest-growing form of Business Email Compromise is payroll diversion, also called direct deposit fraud, in which paychecks are redirected to accounts the attacker controls. In most cases, an attacker posing as an employee emails HR asking to change their bank account details in time for the next payroll run.


The exchange is short and sweet. It may involve a little pretexting and sometimes several emails, all aimed at making it easy for the victim to comply. In some cases the attackers pose as senior staff, for example executives, to put pressure on HR employees. According to the FBI, in most salary diversion cases the victim's pay ends up on a prepaid card account.


Preventing Business Email Compromise

Unlike mass phishing emails, the spear-phishing emails used for BEC are usually plain text: there are no links or attachments to scan and few other cues that a conventional email filter can act on.


Users should therefore be trained to recognize the signs of spear phishing, from pretexting and social engineering to unexpected requests involving money. If a user replies to a spear-phishing email, retrain them promptly to correct the behavior.


Attackers now do extensive research before launching an attack, so even well-trained employees may not smell a rat and may take an unusual request for a normal one. To address this, put processes in place for confirming requests for financial transactions and transfers:


  • Establish written procedures for processing financial transactions, including a call-back to a known phone number or in-person confirmation before funds are released.
  • Contact the vendor directly, using contact details already on file rather than those in the email, to confirm any emailed request for payment or for a change of bank details.
  • Limit the number of employees authorized to conduct financial transactions.


If your current anti-spear-phishing solution lets threats through, consider a solution such as Protegent360's antivirus software, which goes beyond spoofing detection and looks for malicious behavior, including urgent requests and financial inquiries.
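As an added example (not code from this page and not Protegent360's product), the Python scorer below applies the heuristics this section describes to a handful of constructed messages: an executive's display name on a foreign address, a Reply-To that points somewhere other than the visible sender, a sender domain imitating the company's own or a vendor's, and urgent wording combined with a payment or payroll request. The protected domains, the executive directory, the keyword lists, the weights and the hold threshold are all assumptions standing in for an organisation's real data.

```python
"""Heuristics for flagging plain-text BEC messages that carry no links or
attachments. Added illustration only, not vendor code; the domains, the
executive directory and the sample messages are all constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed organisation data: the company's own domain plus the domains of the
# vendors it pays, and a directory of executives whose names get impersonated.
PROTECTED_DOMAINS = {"example.com", "acme-construction.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today|confidential)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|payment|invoice|bank account|routing number|"
                       r"direct deposit|gift cards?|w-?2s?)\b", re.I)
WEIGHTS = {"display-name spoofing": 3, "reply-to mismatch": 2,
           "lookalike domain": 3, "urgent financial request": 2}
HOLD_THRESHOLD = 3  # assumed policy: at or above this, quarantine the message
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # common swaps


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    shorter, longer = sorted((a, b), key=len)
    return any(longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))


def is_lookalike(domain: str) -> bool:
    """Domain is not one of ours but reads like one (homoglyph swap or one edit away)."""
    if domain in PROTECTED_DOMAINS:
        return False
    normalized = domain
    for src, dst in HOMOGLYPHS:
        normalized = normalized.replace(src, dst)
    return any(normalized == p or within_one_edit(domain, p) for p in PROTECTED_DOMAINS)


def score_message(raw: str) -> dict:
    """Apply the four heuristics to one RFC 5322 message and return a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    findings = []
    # 1. An executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr != expected:
        findings.append("display-name spoofing")
    # 2. Replies silently routed to a mailbox other than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append("reply-to mismatch")
    # 3. Sender domain imitating the company or one of its vendors.
    if is_lookalike(from_addr.rpartition("@")[2]):
        findings.append("lookalike domain")
    # 4. Pressure plus a money or payroll request in the plain-text body.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    if URGENCY.search(body) and FINANCIAL.search(body):
        findings.append("urgent financial request")
    score = sum(WEIGHTS[f] for f in findings)
    if score >= HOLD_THRESHOLD:
        verdict = "hold"
    elif FINANCIAL.search(body):
        verdict = "call-back"  # clean headers; the written call-back procedure still applies
    else:
        verdict = "deliver"
    return {"from": from_addr, "findings": findings, "score": score, "verdict": verdict}


# Constructed sample messages covering the scam types discussed above.
SAMPLES = {
    "ceo_fraud": """\
From: Jane Doe <jane.doe.ceo@gmail.com>

Bob, process a wire transfer to a new vendor today. Keep it confidential and just reply here.
""",
    "vendor_lookalike": """\
From: Billing <billing@acme-constructlon.com>
Reply-To: acme.billing@outlook.com

Our bank account has changed; update the routing number and pay the attached invoice immediately.
""",
    "payroll_from_real_account": """\
From: Bob Smith <bob.smith@example.com>

Please move my direct deposit to a new account before the next payroll. Need it done asap.
""",
    "benign": """\
From: Jane Doe <jane.doe@example.com>

Thanks for the meeting notes. See you tomorrow.
""",
}


def score_samples() -> dict:
    return {name: score_message(raw) for name, raw in SAMPLES.items()}
```

The payroll sample passes every header check because it comes from a genuine internal mailbox, which is exactly the St. Ambrose situation described earlier; the scorer therefore does not clear it but routes it to the written call-back procedure, since no mail filter can tell a hijacked real account from its owner. The other checks are a net, not a proof: the lookalike list has to be fed real vendor domains, and the keyword patterns will produce false positives in a finance department, so tune the weights on your own mail before acting on the verdicts automatically.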
