Business Email Compromise (BEC) is a type of cyber fraud that involves hacking or impersonating a business email account to deceive the company, its employees, customers, or partners into transferring funds to an account the cybercriminal controls or into disclosing sensitive information. Unlike broad phishing campaigns, BEC is characteristically targeted, often involving extensive research on the victim to make the fraudulent communications as convincing as possible.
The origin of BEC can be traced back to the early 2010s with the evolution of traditional phishing scams. As organizations began to improve their email security systems and employees became savvier in recognizing mass phishing attempts, cybercriminals refined their strategies. This led to the development of BEC, a more sophisticated technique that requires a detailed understanding of the business operations, including knowledge about which individuals are involved in financial transactions.
In practical terms, a common scenario involves an attacker who has gained access to a corporate email account or has created a domain that closely resembles the company’s legitimate domain. The criminal might then impersonate a company executive or a trusted vendor and send a fraudulent email to an employee who is responsible for handling financial transactions. The email may request a wire transfer or sensitive information under the guise of urgency or confidentiality. Due to the apparent legitimacy of the request, the targeted individual may comply, resulting in financial loss or a data breach.
While it may seem odd to discuss the 'benefits' of a cybercrime from the perspective of an organization, understanding the ingenuity behind BEC can help businesses bolster their security measures. Recognizing the level of sophistication involved in these scams encourages companies to implement more advanced security protocols, train employees in recognizing and handling phishing attempts, and appreciate the importance of robust verification processes for financial transactions. In essence, the rise of BEC has served as a catalyst for improving cybersecurity practices across the board.
A company can implement multi-factor authentication for email accounts, provide regular training to employees on recognizing BEC schemes, and establish strict verification processes for financial transactions.
If you suspect a BEC incident, immediately contact your financial institution to request a recall of funds. Report the incident to law enforcement agencies and file a complaint with the Internet Crime Complaint Center (IC3) as soon as possible.
Yes, BEC is a global issue affecting businesses worldwide, with scammers often operating across international borders, which makes law enforcement more challenging.