Business Email Compromise (BEC) is a form of cybercrime that uses email fraud to deceive organizations. While the name suggests it targets only businesses, every domain owner can be affected. In a common BEC scam, criminals impersonate a company’s vendor and send a believable, yet fake, invoice in order to misdirect a transfer of funds.
Because of the accessibility of email, we’ve seen increased abuse that has become more sophisticated over the years. Business email compromise (BEC) attacks cost organizations an estimated $1.77 billion in losses in 2019 in the US alone, reports the FBI, which received a total of 23,775 complaints related to this threat. This domain abuse shows no signs of slowing: it has caused losses of over $26 billion across the globe, and it is expected to rise steadily as people increasingly work remotely during the pandemic.
Shifting BEC Landscape
While the first criminal intentions were to attack end users who would be lured to transfer funds to different accounts (Paypal, banks, etc.), we now see a shift to sectors where larger amounts of money are being transferred illegitimately. We’re also seeing a BEC deviation aimed at compromising personally identifiable information such as tax forms, social security numbers and account details; often, the targets of these BEC attempts are human resources and payroll departments.
Though there are a variety of BEC deception strategies that involve fraud, intellectual property theft, espionage, sabotage and ransomware, all of them, in one way or another, represent value that can be reduced to one common outcome: cold, hard cash.
As a domain owner, the first risk to consider is the abuse of your domain(s), the public-facing asset used to communicate within the organization and to external stakeholders like prospective customers, current customers and vendors. The risk of the abuse of the organizational domain is extraordinarily high, but it is also an easy problem to solve.
DMARC, an open internet standard and industry best practice, combats domain spoofing, allowing organizations to take control of their online presence and prevent brand erosion caused by a data breach. As DMARC adoption across the email ecosystem continues to accelerate, the vital email communication channel and the internet as a whole will become safer.
As an end user, here are some ways to protect yourself from BEC and phishing exploits:
- Never give login credentials, account numbers or personally identifiable information in response to any emails.
- Be careful with what information you share on social media. You can inadvertently provide criminals with information they need to guess your password, answer your security questions or create a socially engineered hoax.
- Don’t click on links or open attachments in an unsolicited email or text message asking you to update or verify account information. Instead, look up the company’s phone number (don’t use the one in the questionable email) and call the company to ask if the request is legitimate.
- Closely examine the email address, URL, spelling and grammar. Scammers use slight differences to trick your eye and gain your trust.
- Set up two-factor or multi-factor authentication.
- Verify payment and purchase requests in real time to ensure they are legitimate. You should also verify any change in account number or payment procedures with the person making the request.
- Be especially aware if the request is urgent, time sensitive or plays to your emotions. Those are age-old deception techniques.