BEC scams: What you need to know

Ransomware attacks hitting businesses and institutions might be the latest trend, but they are just one of the threats these organizations have to protect themselves against.

Another prominent one is the Business Email Compromise (BEC) scam.

BEC scammers can target anybody, but have shown a particular predilection for businesses working with foreign partners, as they regularly perform wire transfer payments, often of very large sums.

They overwhelmingly target businesses based in the USA, the UK, and Australia, although companies in other countries are also hit occasionally (e.g. Belgian bank Crelan and Austrian airplane systems manufacturer FACC).

Businesses that fit these criteria would do well to teach their employees about the danger and how to avoid it, especially those in the finance department.

In over 40 percent of cases, it’s the company’s CFO who receives the fake email urging the transfer of funds. Finance directors and controllers are also frequently targeted:

[Figure: Recipients of BEC scam emails]

In a variation of the BEC scam that surged earlier this year, attackers went after employee payroll information instead of wire transfers. The newly hired CFO of the security awareness training company KnowBe4 foiled one such attack by recognizing the BEC email for what it was.

The request, which was made to look like it was coming from the company’s CEO, was initially sent to the firm’s financial controller, but he or she didn’t have access to the payroll info and forwarded the request to the CFO.

According to Trend Micro researchers, employees should be particularly wary of emails (seemingly or actually) sent by the company’s CEO, President, or Managing Director, asking for an urgent wire transfer.

The attackers are betting on the assumption that requests by those at the top of the company’s food chain will be complied with without question, even if they seem “off.”

The subjects of these emails are predominantly simple and vague, at times consisting of a single word such as “Transfer,” “Request,” or “Urgent,” or of a formula like “Request For {day} {month}, {year}.”

They can come from the CEO’s real email account, compromised with the help of keyloggers or backdoors, or from an email account made to look like the CEO’s.
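As an added illustration (not part of the original article), the following Python script scores constructed sample messages against the signals described above: an executive’s display name on an external or lookalike address, a Reply-To that leaves the corporate domain, a vague one-word or “Request For” subject, and transfer or payroll language in the body. The company domain, executive names and sample messages are hypothetical.

```python
import re
from email.utils import parseaddr
# Constructed configuration for a hypothetical company: its real domain and the
# executive names a BEC email is likely to borrow in the From display name.
CORP_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
# Subject shapes named in the article: a single word, or "Request For <day> <month>, <year>".
VAGUE_SUBJECT = re.compile(r"^\s*(transfer|request|urgent|request for .+)\s*$", re.I)
MONEY_WORDS = re.compile(r"\b(wire transfer|payroll)\b", re.I)

def edit_distance(a, b):  # Levenshtein distance; one edit is enough for a typo-squatted domain
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):  # external domain within one edit of ours, or embedding our brand label
    brand = CORP_DOMAIN.split(".")[0]
    return domain != CORP_DOMAIN and (edit_distance(domain, CORP_DOMAIN) <= 1 or brand in domain)

def domain_of(header):
    return parseaddr(header)[1].rsplit("@", 1)[-1].lower()

def score_message(msg):
    """Return the BEC indicators found in one message (empty list means none)."""
    name = parseaddr(msg.get("From", ""))[0].lower()
    sender = domain_of(msg.get("From", ""))
    checks = [
        (name in EXECUTIVE_NAMES and sender != CORP_DOMAIN, "executive name on external address"),
        (is_lookalike(sender), "lookalike sender domain: " + sender),
        ("Reply-To" in msg and domain_of(msg["Reply-To"]) != CORP_DOMAIN, "Reply-To outside corporate domain"),
        (bool(VAGUE_SUBJECT.match(msg.get("Subject", ""))), "vague one-line subject"),
        (bool(MONEY_WORDS.search(msg.get("Body", ""))), "transfer/payroll language in body"),
    ]
    return [reason for hit, reason in checks if hit]

def triage(messages):  # indices of messages with two or more indicators, to hold for out-of-band verification
    return [i for i, m in enumerate(messages) if len(score_message(m)) >= 2]

# Constructed sample messages: one legitimate, two impersonation attempts.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Board deck draft",
     "Body": "Attached for your review before Thursday."},
    {"From": "Jane Doe <jane.doe@examp1e.com>", "Subject": "Urgent",
     "Body": "Process a wire transfer today, I am in a meeting and cannot talk."},
    {"From": "Jane Doe <ceo.office@freemail.test>", "Reply-To": "ceo.office@freemail.test",
     "Subject": "Request For 12 May, 2016", "Body": "Send me the payroll information for all staff."},
]
```

A message sent from a genuinely compromised executive account passes the sender checks, which is why the subject and body signals are kept and why out-of-band verification remains the control that actually stops the transfer.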

BEC scammers use widely available tools to prepare for and perform the attacks:
[Figure: Tools used in BEC scams]

So far, BEC scammers have made off with over $2.3 billion from over 17,000 organizations around the world – and that’s as far as we know. There are likely victims who never notified the authorities of such a theft, thinking perhaps that the trust in their company might take a hit they could never recover from.

The huge returns this type of scam offers make it unlikely that they will cease any time soon.

Companies should invest in employee awareness training, but also put controls in place: require a secondary sign-off by company personnel for any change in a vendor’s payment location, and verify suspicious requests through a channel other than email, never using the contact information supplied in the email itself.