Cybercriminals targeting companies often turn to Business Email Compromise (BEC) scams to steal funds, causing billions of dollars in fraud losses over the past few years, according to a Thursday report from Barracuda.
Criminals use BEC attacks to gain access to a business email account and pretend to be the account owner in order to defraud the company and its employees, customers, or partners, the report noted. Scammers typically target employees with access to company finances, payroll data, or other personally identifiable information (PII).
The report examined 3,000 randomly selected BEC attacks from Barracuda’s Sentinel system. The most common BEC attack involved the attacker trying to trick a recipient into making a wire transfer to a bank account owned by the attacker (47%). Other types of attacks included trying to get a recipient to click a malicious link (40%), establishing rapport with the victim (12%), and stealing PII such as W-2 forms (1%).
Here’s an example of a recent wire transfer BEC, with the names and addresses redacted:
About 60% of BEC attacks do not involve a malicious link, the report noted. Instead, the attack is a simple plain text email attempting to trick the recipient into performing a wire transfer, or sending sensitive information. These emails are difficult for email security systems to identify as fraudulent, as they are often sent from legitimate email accounts, tailored to the recipient, and do not contain suspicious links, the report found.
The senders most often impersonated by attackers are CEOs: About 43% of the impersonated senders were the CEO or founder of the company, according to the report. The recipients of the attacks are often CFOs (17%), finance/HR professionals (17%), C-level executives (10%), CEOs (2%), or others across the company (54%).
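The traits the report describes (an executive's display name on a mismatched address, a plain-text request for a wire transfer or PII, urgency language, and no links for a URL filter to catch) can be turned into a simple triage score for a mail gateway or SOC playbook. This is an added Python example, not code from the report or from Barracuda; the executive list, internal domain, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: who may be impersonated, and the organisation's own domain.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"

WIRE = re.compile(r"\b(wire transfer|wire|payment|invoice|bank account|W-?2)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|right away|immediately|confidential)\b", re.I)
LINK = re.compile(r"https?://", re.I)

def score_message(raw: str) -> tuple[int, list[str]]:
    """Return a BEC suspicion score and the reasons that contributed to it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    score, reasons = 0, []
    # Display-name impersonation: the name matches an executive, the address does not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        score += 3
        reasons.append("display name matches executive but sender address does not")
    # Reply-To steered outside the organisation so replies reach the attacker.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
        score += 2
        reasons.append("reply-to points outside the organisation")
    if WIRE.search(body):
        score += 2
        reasons.append("asks for funds or PII")
    if URGENCY.search(body):
        score += 1
        reasons.append("urgency or secrecy language")
    # The report's point: most BEC mail carries no link, so link scanning alone misses it.
    if score >= 2 and not LINK.search(body):
        reasons.append("plain text with no links; URL filtering would not flag this")
    return score, reasons

# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@mail-example.net>
Reply-To: Jane Doe <jane.doe@mail-example.net>
To: cfo@example.com
Subject: Quick request

Are you at your desk? I need you to process a wire transfer to a new vendor
today. It is confidential, so please do not discuss it with anyone.
"""
SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Draft deck for Thursday is at https://intranet.example.com/deck for review.
"""
```

A score of 5 or more on constructed input like `SAMPLE_BEC` is a reasonable threshold for routing the message to the out-of-band verification step the report recommends.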
The report offers the following recommendations to keep your company safe from BEC attacks:
- Prohibit wire transfers from going out without an in-person conversation or phone call. Even with a phone call, take caution if the only contact information available is that included in the potentially fraudulent email.
- Take caution with emails from CEO accounts, as those professionals are most likely to be impersonated. If the CEO makes a request that seems unusual, the user should confirm its legitimacy before taking action.
- Implement a training program to teach employees how to identify a BEC attack.
- Deploy an email protection system to automatically stop spear phishing and cyberfraud attacks that can lead to a successful BEC scam.
The big takeaways for tech leaders:
- Criminals use Business Email Compromise attacks to gain access to a business email account and pretend to be the account owner to defraud the company and its employees, customers, or partners.
- 43% of the impersonated senders in BEC attacks are the CEO or founder of the company, according to Barracuda.