If the developments from 2016 are any indication, stealing credentials is not the name of the game anymore—stealing money is. Cybercriminals are now going directly for cold cash by tricking unwitting employees into funneling the money directly into their accounts.
Business Email Compromise (BEC) is a social engineering scam that has been reported in 131 countries and resulted in at least $5.3 billion stolen from 2013 to 2016, with an average exposed loss of $132,000 per incident.
How do BEC scams work? Savvy BEC scammers start by developing familiarity with the processes of their targeted company. Armed with the knowledge of the inner workings of an organization, they can select employees to target with carefully crafted emails.
An employee, usually someone in a finance role (such as the Chief Financial Officer, a finance manager, or an accountant), receives a well-worded email requesting a wire transfer that appears to come from the Chief Executive Officer (CEO) or president. The email is structured so that it receives less scrutiny because of how legitimate it looks. The employee, convinced of the seemingly legitimate request, unwittingly transfers a hefty amount of money to an account the fraudster controls. And that’s just one scenario among five known BEC tactics.
Since BEC emails are not mass-mailed and typically do not contain malicious links or attachments, the fraudulent requests are harder to detect via traditional security solutions.
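Because the message carries no payload, detection has to look at identity signals in the headers and at the request itself. The following script is an added example written for this article, not code from Trend Micro or any product it describes: it parses a raw email, flags an executive's display name paired with an address that is not the one on record, a Reply-To that points to a different domain than the sender, and wire-transfer wording in the body, and treats the combination of a payment request with an identity mismatch as suspected CEO fraud. The internal domain, the executive list, the payment phrases and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organizational context (constructed for this example, not from the article).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # hypothetical CEO
    "john roe": "john.roe@example.com",  # hypothetical president
}
PAYMENT_PHRASES = ("wire transfer", "wire the funds", "urgent payment", "new bank details")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 822 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    display_key = display.strip().lower()
    from_addr = from_addr.lower()

    # 1. An executive's name is used as the display name, but the address behind it
    #    is not the one on record (lookalike domain, free-mail account, etc.).
    if display_key in EXECUTIVES and from_addr != EXECUTIVES[display_key]:
        findings.append(f"executive display name '{display}' on unexpected address {from_addr}")

    # 2. Replies are steered to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(
            f"reply-to domain {_domain(reply_addr)} differs from sender domain {_domain(from_addr)}"
        )

    # 3. The body asks for a payment. Alone this is ordinary finance traffic; combined
    #    with an identity mismatch it is the CEO-fraud pattern described in the article.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(phrase in text for phrase in PAYMENT_PHRASES):
        findings.append("payment request wording in body")

    return findings


def is_suspected_bec(raw: str) -> bool:
    """True when a payment request coincides with at least one identity mismatch."""
    findings = analyze_message(raw)
    has_payment = "payment request wording in body" in findings
    has_identity_mismatch = any(not f.startswith("payment") for f in findings)
    return has_payment and has_identity_mismatch


# Constructed sample messages (not real mail): one spoofed request, one routine message.
SPOOFED_MESSAGE = """From: Jane Doe <jane.doe@example-corp.co>
Reply-To: Jane Doe <ceo.office@free-mail.test>
To: finance@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

I need you to process a wire transfer today. I'm in meetings, so please don't call.
New bank details are below.
"""

LEGITIMATE_MESSAGE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review
Content-Type: text/plain; charset="utf-8"

Please send me the updated budget spreadsheet before Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, is_suspected_bec(raw), analyze_message(raw))
```

The identity checks only catch impersonation from outside the real mailbox; a request sent from an executive's genuinely compromised account passes checks 1 and 2, which is why the payment-wording signal is kept separate and why an out-of-band confirmation step for wire transfers remains part of the control, not just filtering.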
Based on past incidents, a successful BEC operation isn't tough to pull off. Leoni AG, Europe’s leading wire and cable manufacturer and the fourth-largest in the world, was swindled out of €40 million (approximately $47.2 million) after a fraudster successfully tricked the CFO into transferring funds to a foreign account. The incident reportedly happened after the CFO of one of the company’s factories in Romania received an email that looked like it came from one of the manufacturer’s executives in Germany.
There have been many other cases of successful BEC schemes, all of which involved huge losses. The rise of Business Email Compromise cases around the world is a clear indication of how lucrative this cybercriminal business model can be, and organizations of all sizes must take immediate measures to protect themselves. Defending against BEC doesn't require ramping up for a technical arms race. Security comes in the form of people, too. Appropriate security solutions paired with proper employee education can save an organization from a potential million-dollar loss.
To learn more about BEC and how to build up security defenses on par with this email-borne deception, read our primer Enterprise Network Protection against Cyberattacks Primer: Business Email Compromise.