Recent findings from the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Department of the Treasury, show that Business Email Compromise (BEC) scams cost organizations over $300 million each month in 2018. BEC scams are highly researched, sophisticated phishing attacks. They typically target specific employees, and their goal is to steal money or important data.
Any organization can be the target of a BEC attack. Recently, the City of Griffin, Georgia fell victim to a BEC attack after receiving an email that appeared to come from a vendor asking for a bank account change. The city ended up transferring over $800,000 to a fraudulent account.
How BEC Scams Affect Everyone in Your Organization
Finance Department
Hackers will target your finance department with fake invoices that appear to come from a business partner, or with requests to change the bank account details used for direct deposits. These attacks often go undetected until the legitimate business partner asks where its payment is. They are highly targeted, since they require prior knowledge of an organization's business partners, vendors or suppliers and the nature of each relationship. In the City of Griffin attack mentioned above, the attackers even knew the exact amounts due on the invoices.
CEOs or Executives
Hackers often impersonate CEOs or other executives to carry out CEO fraud. They email employees and request wire transfers to fraudulent accounts. These emails usually sound urgent and are sent near the end of the day to pressure employees into acting quickly without verifying the request.
Human Resources (HR) Department
Data theft is a type of BEC attack that seeks to gain access to personally identifiable information. Since HR deals with sensitive information, HR staff are frequent targets of this kind of attack. If a hacker gains access to an HR account, they also gain access to information on every employee, executives included, and can use the compromised account to request information directly from other employees. Stolen personally identifiable information is valuable to a hacker because it serves as a starting point for further compromise of the organization.
Lawyer or Legal Firm Impersonation
This BEC scam involves impersonating a lawyer or legal firm that supposedly represents the company or one of its business partners. The attackers claim to be handling a sensitive matter concerning the organization and request company bank statements or other confidential documents. These documents give hackers insight into the financial workings of the organization, which they can use for further attacks. To keep the target from checking with colleagues, the attackers tell employees to be discreet, citing the need to avoid leaks or to meet sensitive business requirements.
Account Compromise
Account compromise can happen to any of your employees. It occurs when hackers gain unauthorized access to an employee's account, typically through a phishing scam or a password-spraying attack. Once hackers have compromised an account, they can move laterally through the organization's network undetected and use the trusted account to send malware to coworkers, clients and business partners, compromising the organization further.
Protect Against BEC Scams
The best way to protect against BEC attacks is to build a strong cybersecurity culture in your organization. This includes educating staff about cyber threats and encouraging them to speak up when a suspicious-looking email lands in their inbox. Protecting inboxes with an advanced email security solution such as Secure IT Mail also helps block malicious emails before they reach employees.
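To make the warning signs described in this article concrete, here is an added example (not code from the original post or from Secure IT Mail) of a small Python triage script that scores an inbound message on those signals: a sender domain one character off a trusted partner's, an executive's display name on an outside address, a mismatched Reply-To, wire-transfer or bank-detail-change wording, urgency, a request for secrecy, and end-of-day timing. The trusted domains, executive mailbox, thresholds and sample messages are all constructed for the demo.

```python
import re
from datetime import datetime

# Constructed allowlists (assumptions, not from the article): trusted domains and exec name -> real mailbox.
TRUSTED_DOMAINS = {"example-vendor.com", "corp.example"}
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}
# Wording patterns taken from the scam types above: payment or bank-detail changes, urgency, secrecy.
CONTENT_CHECKS = [
    (re.compile(r"\b(wire transfer|(?:bank|account) (?:change|update|details)|routing number|invoice)\b", re.I),
     "asks for a payment or bank-detail change"),
    (re.compile(r"\b(urgent|asap|immediately|today|end of (?:day|business))\b", re.I), "uses urgent language"),
    (re.compile(r"\b(confidential|discreet|keep this between|don'?t (?:tell|mention))\b", re.I), "asks for secrecy"),
]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def is_lookalike(dom):
    # Same length as a trusted domain but exactly one character differs (e.g. '0' swapped for 'o').
    return any(len(dom) == len(t) and sum(a != b for a, b in zip(dom, t)) == 1 for t in TRUSTED_DOMAINS)

def score_email(msg):
    """Return (score, reasons) for one message; every BEC indicator that fires adds one point."""
    sender, dom = msg["from_addr"].lower(), domain_of(msg["from_addr"])
    reasons = []
    if domain_of(msg.get("reply_to", sender)) != dom:
        reasons.append("reply-to domain differs from sender domain")
    if is_lookalike(dom):
        reasons.append(f"sender domain {dom} is a lookalike of a trusted domain")
    exec_mailbox = EXECUTIVES.get(msg.get("display_name", "").lower())
    if exec_mailbox and sender != exec_mailbox:
        reasons.append("display name matches an executive but the address does not")
    text = msg["subject"] + "\n" + msg["body"]
    reasons += [why for pattern, why in CONTENT_CHECKS if pattern.search(text)]
    if datetime.fromisoformat(msg["sent"]).hour >= 16:
        reasons.append("sent near end of business day")
    return len(reasons), reasons

def triage(msg, hold_at=3):
    # Hold a message for manual review once enough indicators stack up; otherwise deliver it.
    score, reasons = score_email(msg)
    return ("hold" if score >= hold_at else "deliver"), score, reasons

# Constructed sample lures: a vendor bank-change request from a lookalike domain, and CEO fraud.
SAMPLES = {
    "vendor": {"display_name": "Accounts Payable", "from_addr": "billing@example-vend0r.com",
               "subject": "Updated bank details for invoice 4471", "sent": "2019-05-14T16:40:00",
               "body": "Our account details have changed; please update them before end of day."},
    "ceo": {"display_name": "Jane Doe", "from_addr": "jane.doe@webmail.example", "sent": "2019-05-14T17:05:00",
            "reply_to": "jdoe.private@othermail.example", "subject": "Urgent wire transfer",
            "body": "I need a wire transfer sent today. Keep this between us."},
}
```

A score like this is only a first filter: the held messages still need a human to verify the request through a known-good channel, which is the point of the culture the article recommends.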