Business Email Compromise Scams – Here to Stay

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Business email compromise (BEC) scams remain one of the most widely used attack vectors among cybercriminals to date. In fact, cybercriminals are finding so much success in exploiting human vulnerabilities through BEC scams that the frequency of these attacks has been increasing dramatically.

What is a BEC scam?
In a BEC scam, the attacker gains access to an executive or high-level employee’s email account and uses that individual’s identity to trick employees, customers, or partners into sending them money. In some cases, the attacker does not gain access to the executive’s account at all but instead creates an email address that closely resembles the legitimate one, making the difference easy to overlook. These emails typically contain urgent requests intended to rush the target into acting quickly, leaving them less time to think through the transaction.
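The lookalike-address and urgency tactics described above can be checked for mechanically before a message ever reaches a human. The Python below is an added illustration, not code from the original article or from HIPAA Secure Now: it scores a message against a constructed organization profile (the domain examplehealth.com, the executive list, the keyword list and the sample emails are all assumptions) and flags a sender domain within a small edit distance of the real one, a display name that matches an executive while the address does not, a Reply-To that differs from the From address, and a body dense with urgency and payment language.

```python
import re
from email.utils import parseaddr

# Constructed organization profile (assumption, not from the article).
ORG_DOMAIN = "examplehealth.com"
EXECUTIVES = {"Jane Doe": "jane.doe@examplehealth.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire", "invoice",
                 "payment", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches examp1ehealth.com vs examplehealth.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_message(headers: dict, body: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Sender domain is not ours but is only a character or two away from it.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {domain!r} resembles {ORG_DOMAIN!r}")

    # 2. Display name matches a known executive but the address behind it does not.
    expected = EXECUTIVES.get(display.strip())
    if expected and addr != expected:
        findings.append(f"display name {display!r} is an executive but address is {addr!r}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to!r} differs from From {addr!r}")

    # 4. Two or more urgency / payment keywords in the body.
    hits = sorted({w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", body, re.I)})
    if len(hits) >= 2:
        findings.append(f"urgency/payment language: {', '.join(hits)}")
    return findings


# Constructed sample messages (assumption: illustrative only).
SAMPLES = {
    "lookalike": (
        {"From": "Jane Doe <jane.doe@examp1ehealth.com>"},
        "I need you to wire $48,000 to the vendor immediately. This is urgent and confidential.",
    ),
    "freemail": (
        {"From": "Jane Doe <jane.doe.ceo@freemail-example.net>",
         "Reply-To": "accounts@freemail-example.net"},
        "Are you at your desk? I need an urgent wire payment processed before noon.",
    ),
    "legit": (
        {"From": "Jane Doe <jane.doe@examplehealth.com>"},
        "Please review the attached agenda before Thursday's board meeting.",
    ),
}

if __name__ == "__main__":
    for name, (hdrs, text) in SAMPLES.items():
        print(name, analyze_message(hdrs, text))
```

The distance threshold of 2 is deliberately loose so that digit-for-letter and "rn" for "m" substitutions are caught; on a large mail stream it should be tuned against the organization's real partner domains to keep false positives manageable. None of these checks replaces the out-of-band confirmation the article recommends; they simply route the message to a human with a reason attached.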

On the rise
According to the latest Mimecast Email Security Risk Assessment (ESRA), which analyzed more than 142 million emails that had successfully passed through potential customers’ incumbent email systems, BEC scams saw an 80 percent increase quarter-on-quarter.

The FBI’s Internet Crime Complaint Center (IC3) recently reported a 136% increase in actual and attempted monetary losses on a global scale between December 2016 and May 2018 due to BEC scams.

It is clear that monetary losses from BEC scams are becoming astronomical. According to The Rise and Rise of Business Email Compromise Scams, published by Duo Security, BEC scams are growing at a “terrific rate with losses in the United States alone of nearly $3 billion in the last 18 months.”

Since BEC scams utilize human vulnerabilities, they are much more difficult to detect in an email filter than various other forms of malicious emails that may contain malware attachments.

What can you do?
While technologies do exist that can reduce the number of these emails reaching the intended recipient, a BEC scam cannot succeed without the target’s participation. Since BEC scams rely on human vulnerabilities, strengthening employees’ security awareness is crucial to catching malicious attempts that technology may have missed.

Exercising caution when reviewing a request from an executive or upper-level employee is extremely important as well. BEC scams often take the form of a financial request: a wire transfer, payment of a fake invoice, or an international payment request. If the request seems urgent or unusual, contact the sender directly, using a phone number or channel you already have on file rather than contact details supplied in the email, before acting on the request.

Employees should be trained on cybersecurity and know how to spot a phishing email. Switchfast Technologies found that 91% of cybersecurity attacks originate with a phishing email, underscoring the overwhelming need for employees to be trained and tested on how to spot these attempts.

Despite security training, accidents happen. All it takes is one employee falling victim to a BEC scam to put the entire organization at risk. Organizations should have policies and procedures in place for when an incident occurs, and should ensure all employees know whom to report to if they suspect one has occurred.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance.