Business email compromise (BEC) may not be the most prevalent form of cybercrime, but it is one of the costliest. Over the last few years, BEC attacks have seen the greatest losses out of any form of cybercrime, and BEC attacks have been increasing. According to the Federal Bureau of Investigation (FBI), between July 2019 and December 2021, losses to BEC attacks increased by 65%, and between June 2016 and July 2019 there were 241,206 complaints about BEC attacks and $43,312,749,946 was lost to the scams. In 2022, there were almost 22,000 victims of BEC attacks and adjusted losses to these scams were more than $2.7 billion.
In a typical BEC scam, a criminal sends an email message to a targeted individual that appears to have come from a known source making a legitimate request. Commonly, a company that the victim regularly deals with sends an invoice with an updated bank account or mailing address. A scam may be conducted where the victim is asked to purchase gift cards and email the serial numbers. Scams often target homebuyers, where the message appears to come from the title company with instructions on how to wire the payment. An executive may be impersonated and the tax information of all employees may be requested. There are many variations of these scams, and they often result in thousands, hundreds of thousands, or even millions of dollars in losses.
BEC scammers often spoof an email account or a website, or they may compromise a legitimate email account through a phishing or spear phishing email. With access to email accounts, a scammer can search the accounts to find out more about the company and gain the information they need to conduct realistic scams. Malware may be sent via email that gives the attacker access to email accounts, which allows them to hijack message threads.
One of the most common types of BEC attacks involves the impersonation of an individual or company and a request to send fraudulent wire payments to attacker-controlled bank accounts. Historically, these scams have involved compromised vendor email accounts and a request to change bank account information for upcoming payments for goods and services. In its latest Internet Crime Report, the FBI said BEC scammers are increasingly targeting investment accounts, and utilizing custodial accounts held at financial institutions for cryptocurrency exchanges or requesting victims send funds directly to cryptocurrency platforms.
In the past, scammers have relied on their spoofing tactics but the scam fails if the targeted individual verifies the legitimacy of the request by phone. However, it is now becoming increasingly common for scammers to spoof legitimate business phone numbers and use these to confirm fraudulent banking details with victims. There have been many cases where the victims report they have called a title company or realtor using a known phone number, only to find out later that the phone number has been spoofed.
Defending against BEC attacks requires a combination of measures. First, since these attacks often start with a phishing email, a spam filtering service is essential. A spam filter will block the emails that allow credentials to be stolen and email accounts compromised. Spam filters can also detect and block spoofing and are the primary defense against these attacks. TitanHQ has developed SpamTitan Email Security to help businesses defend against BEC attacks, phishing, and other email-based attacks.
Unfortunately, email filtering alone is not sufficient. A spam filter will block the majority of email threats but additional measures need to be implemented. The key to defending against BEC attacks is defense-in-depth. These attacks target human weaknesses, so it is important to train the workforce to be aware of these scams and the changing tactics of BEC scammers. Employees need to be taught the red flags they need to look for in emails and the security best practices that can thwart these scams.
TitanHQ offers the SafeTitan security awareness platform to businesses which can be used to train employees to be more vigilant and tell them what they need to look for. The platform can be used to teach security best practices, such as carefully examining the email address, URL, and spelling used in any correspondence, and the importance of not clicking on anything in an unsolicited email or text message that asks them to update or verify account information.
The increase in spoofing means it is now essential to implement two-factor or multi-factor authentication, to add an extra level of security to protect accounts from unauthorized access. It is also vital to implement policies that require requests to be independently verified using confirmed contact numbers, not those provided via email.
Adopting such a defense-in-depth approach will help you protect against these financially damaging scams. Contact TitanHQ today to find out more about how you can cost-effectively improve email security and train your workforce.