Business Email Compromise Surpasses Ransomware as Top Cyber Threat

Business email compromise (BEC) scams have surpassed ransomware as the greatest cybersecurity threat facing organizations today — and it’s not even a close call. According to data from the FBI’s Internet Crime Complaint Center (IC3), BEC attacks were eight times more common than ransomware attacks in 2022, causing almost 80 times more financial damage.

The IC3 received 21,832 BEC complaints last year with adjusted losses of more than $2.7 billion, compared to 2,385 ransomware complaints with losses of $34.4 million. However, authorities believe the actual number of both types of incidents and their aggregate losses are likely much higher because such attacks often go unreported due to fears of reputation damage and lost business.

A major reason for the rise of BEC attacks is that they require little to no technical skill — they simply exploit a victim’s trust. In most attacks, malicious actors use spoofed emails to impersonate trusted executives, employees, partners or suppliers to trick victims into sending money or divulging confidential information. Authorities say BEC attacks increased dramatically when organizations shifted to remote operations and became accustomed to conducting a good deal of legitimate business by email.

Scam Tactics Evolving

With more organizations using filtering solutions to block malicious emails, scammers have begun modifying their tactics. Criminals have recently begun to target victims using spoofed phone numbers, text messages and virtual meeting platforms. The FBI also notes that threat actors increasingly get victims to send funds directly to cryptocurrency exchanges where funds can be quickly dispersed.

According to the FBI, there are five main types of BEC scams:

  • Fake invoices. Fraudsters use spoofed emails, faxes or even phone calls to request invoice payments or fund transfers to a fraudulent account they control.
  • Account compromise. Attackers use a hacked email account to request invoice payments, often from multiple vendors listed in the victim’s email contacts.
  • Executive fraud. Scammers posing as a high-level executive ask an employee to transfer funds or forward sensitive information. Fraudsters count on the fact that most people want to do whatever they can to earn the approval of the boss.
  • Attorney impersonation. Attackers impersonate an attorney claiming to be handling a critical and confidential matter that requires a quick transfer of funds or information.
  • Data theft. Attackers contact employees — frequently in payroll or human resources — in an effort to steal credentials and other sensitive information that can be used for additional attacks.

BEC Prevention Tips

  • Enable two-factor authentication (2FA) or multifactor authentication (MFA) on all email accounts and other important accounts to create an additional layer of security.
  • Publish a DMARC email authentication policy (which builds on SPF and DKIM) so that receiving mail servers can identify and reject emails that spoof your domain.
  • Use email filters to block incoming emails that contain suspicious attachments or links and to scan outgoing email to prevent the transmission of sensitive information.
  • Teach employees to recognize BEC scams and to be suspicious of emails that have unusual or unexpected requests.
  • Configure email clients to display the full sender address, not just the display name, and encourage employees to confirm that the address matches the business or individual the message claims to be from.
  • Before sending any money, verify payment requests through a separate channel, such as a phone call or face-to-face communication.
  • Monitor financial accounts for irregularities such as missing deposits and unexpected withdrawals or transfers.
  • Keep your software, including email clients and web browsers, up to date with the latest security patches and updates.
  • Contact financial institutions immediately if you believe you are the victim of wire-transfer fraud. Report the incident to the local FBI office, which may be able to freeze the funds.
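As an added illustration of the filtering and sender-address checks in the tips above (example code written for this page, not a Verteks or FBI tool), the following Python script scans a message's headers for several common BEC indicators; the internal domain, executive name and sample messages are assumed, constructed values.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumed example values for the organization being protected.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}   # names a scammer would impersonate

def address_domain(header_value):
    """Return the lower-cased domain of the address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def looks_like_internal(domain):
    """True if an external domain closely resembles one of ours (e.g. examp1e.com)."""
    return any(difflib.SequenceMatcher(None, domain, d).ratio() >= 0.85
               for d in INTERNAL_DOMAINS)

def bec_indicators(raw_message):
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = address_domain(from_addr)
    reply_domain = address_domain(msg.get("Reply-To", ""))
    auth = str(msg.get("Authentication-Results", "")).lower()
    external = from_domain not in INTERNAL_DOMAINS
    found = []
    # Executive fraud: a familiar name shown on an address we do not own.
    if external and display_name.strip().lower() in EXECUTIVE_NAMES:
        found.append("executive name on external address")
    # Lookalike sender domain that passes a quick glance at the display name.
    if external and looks_like_internal(from_domain):
        found.append("lookalike sender domain")
    # Replies silently redirected to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to domain differs from sender")
    # DMARC verdict recorded by the receiving mail server (see the DMARC tip).
    if "dmarc=fail" in auth:
        found.append("dmarc failure")
    return found

# Constructed sample: a typical executive-fraud message as it would reach a mailbox.
SAMPLE_SCAM = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.example.net
To: accounts.payable@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com

Please process the attached invoice today.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE_SCAM))
```

A message that trips any of these checks is a candidate for quarantine or for the out-of-band verification step described in the tips.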

Verteks is here to help you deploy security controls that reduce the risk of BEC attacks. We can also help you implement interactive security awareness training for your users. Contact us to schedule a confidential consultation.
