Understanding Business Email Compromise (BEC) Scams

Written By: Jon Kotman


In today's digital age, the threat landscape is ever-evolving, and businesses are facing sophisticated cyber-attacks. One such menace that has been making headlines is the Business Email Compromise (BEC) scam. While many believe that only large corporations are susceptible, the reality is starkly different. From small businesses to Managed Service Providers (MSPs), everyone is in the crosshairs of these cybercriminals. This article delves deep into the world of BEC scams, shedding light on why everyone is a potential target and the meticulous steps attackers undertake to dupe their victims.

What is a BEC Scam?

A Business Email Compromise, commonly referred to as a BEC scam, is a sophisticated type of cyber-attack where attackers impersonate executives or high-ranking officials within an organization, typically through a compromised or spoofed email account. The goal of these scams is often financial gain, but they can also aim to extract sensitive information. Unlike traditional phishing attacks that cast a wide net hoping someone will bite, BEC scams are highly targeted.

They rely heavily on social engineering tactics, where the attacker studies the organization and its employees, understanding hierarchies, roles, and the nature of relationships. This preparation allows them to craft convincing emails that appear to come from trusted sources, urging the recipient to take actions such as transferring funds, sharing confidential data, or granting access to systems. The deceptive nature of BEC scams, combined with their personalized approach, makes them particularly dangerous and challenging to detect.

Everyone is a Target

In the realm of cyber threats, there's a common misconception that only large corporations or high-profile entities are the primary targets for attackers. This belief stems from the notion that bigger organizations equate to bigger payoffs. However, when it comes to BEC scams, this couldn't be further from the truth.

Firstly, cybercriminals are opportunists. While a large corporation might offer a potentially larger financial gain, they also have more robust security measures in place, making them harder to penetrate. In contrast, small and medium-sized businesses, nonprofits, and even individuals often lack the same level of cybersecurity infrastructure, making them easier targets. For a cybercriminal, a series of smaller successful attacks can be just as lucrative as one big score.

Moreover, BEC scams thrive on familiarity and trust. Attackers often choose targets based on the ease with which they can gather information about the individual or organization. In today's digital age, where personal and professional details are frequently shared on social media and other online platforms, gathering such information has become relatively straightforward. This means that anyone, regardless of their position or the size of their organization, can become a victim if they have a digital footprint.

Managed Service Providers (MSPs) are especially at risk. Given their role, they often have access to their clients' systems and data. An attacker compromising an MSP can potentially gain access to multiple businesses, amplifying the potential damage.

Lastly, the human element plays a significant role. BEC scams exploit human psychology, leveraging emotions like trust, fear, and urgency. No matter how tech-savvy or cautious one might be, under the right circumstances and with the right triggers, anyone can fall prey to these manipulative tactics.

The landscape of BEC scams underscores a critical reality: everyone is a target. It's not just about the size of your bank account or the prominence of your position; it's about the vulnerabilities in our interconnected digital world and the human tendencies that cybercriminals are all too eager to exploit.

The Steps Business Email Compromise Attackers Go Through

The success of a BEC scam hinges on its execution, which cybercriminals often plan meticulously. Understanding the steps they undertake can provide invaluable insights into their modus operandi and help in devising countermeasures. Here's a deep dive into the journey of a BEC attacker:

1. Research and Reconnaissance

Before initiating the scam, attackers invest time in gathering information about their target. This phase involves studying the organization's structure, identifying key personnel, and understanding their roles and relationships. Tools for this research can range from the company's own website and press releases to social media platforms where employees might share work-related information. The more they know, the more convincing their impersonation can be.

2. Initial Contact

Once armed with enough information, attackers make their first move. This often involves sending a seemingly innocuous email to test the waters. The aim is to gauge the recipient's responsiveness and perhaps gather more information. These emails are crafted carefully to avoid raising suspicions and might appear as routine business communications.

3. Gaining Trust

Trust is the cornerstone of a successful BEC scam. Once initial contact is established, attackers work on building rapport with their target. This could involve a series of communications over days or even weeks. They might mimic the communication style of the person they're impersonating, use familiar jargon, or reference recent company events to appear genuine.

4. Request for Action

This is the crux of the scam. After establishing trust, the attacker makes their move. This could be a request for a wire transfer, sharing of confidential data, or granting access to certain systems. These requests are often framed with a sense of urgency or confidentiality, pressuring the recipient into acting quickly without double-checking.

5. Covering Tracks

Once the desired action is taken, attackers don't just disappear. They engage in activities to cover their tracks and prolong the time before the scam is detected. This could involve sending follow-up emails providing reasons for any discrepancies or anomalies the victim might notice. They might also delete certain email threads or even divert subsequent emails to ensure they remain undetected for as long as possible.

BEC scams are not just random phishing attempts; they are well-orchestrated operations that exploit both technological vulnerabilities and human psychology. Recognizing the steps involved can be the first line of defense in thwarting these malicious endeavors.

Types of BEC Scams

Business Email Compromise (BEC) scams have rapidly evolved, with cybercriminals employing a variety of tactics to deceive their targets. While the end goal is often financial gain, the methods used to achieve this can differ significantly. Here's a look at some of the most common types of BEC scams:

CEO Fraud:

In this type of scam, attackers impersonate a high-ranking executive, often the CEO or CFO, of an organization. They send emails to employees, typically those in the finance department, requesting urgent wire transfers or sensitive financial information. Given the apparent authority of the sender, employees might act without verifying the legitimacy of the request.

Supplier Swindle:

Here, the attacker poses as a trusted vendor or supplier. They might send fake invoices or request changes to payment details, diverting funds to their own accounts. These scams can be particularly effective if the attacker has knowledge of existing relationships and ongoing projects.

Account Compromise:

In this scenario, an employee's email account is hacked and used to request invoice payments from vendors listed in their email contacts. Since the email comes from a legitimate account, it can be challenging to detect the scam until the fraud is discovered by the affected party.

Attorney Impersonation:

Attackers pose as lawyers or representatives of law firms, claiming to handle confidential or time-sensitive matters. They might pressure an executive or employee to act quickly, leveraging the urgency and sensitivity of legal matters to their advantage.

Data Theft:

While most BEC scams focus on financial gain, some target sensitive data instead. Attackers might impersonate executives to request payroll or personal information from the HR department. This data can then be used for further attacks or sold on the dark web.

Understanding the various types of BEC scams is the first step in building effective defenses. By recognizing the tactics and techniques used by cybercriminals, organizations can better train their employees and implement security measures to counter these threats.

Prevention and Protection Against BEC Scams

In the face of the rising threat of BEC scams, a proactive approach to prevention and protection is paramount. While technology plays a crucial role in safeguarding against these threats, the human element is equally significant, if not more so.

One of the most effective ways to combat BEC scams is through continuous employee training. By keeping staff informed about the latest tactics used by cybercriminals and teaching them to recognize the signs of a scam, organizations can significantly reduce their vulnerability. This training should not be a one-off event but an ongoing process, adapting and evolving with the ever-changing cyber threat landscape. Simulated phishing tests, where employees receive fake phishing emails to see how they respond, can be particularly effective in gauging the effectiveness of training and identifying areas for improvement.

In addition to training, implementing technological safeguards is essential. Multi-Factor Authentication (MFA) has emerged as a potent tool in this regard. By requiring users to provide two or more verification factors to gain access to an account, MFA ensures that even if an attacker obtains a user's credentials, they won't be able to access the account without the additional verification. This simple yet effective measure can thwart a significant number of unauthorized access attempts.

Regular monitoring and IT audits also play a pivotal role in prevention. Continuous monitoring of network traffic and email communications can help in detecting suspicious activities early on, allowing for swift action before any significant damage occurs. IT audits, on the other hand, provide a comprehensive overview of an organization's cybersecurity posture, highlighting potential vulnerabilities and offering recommendations for improvement.
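The monitoring described above can be made concrete with a small triage check that runs over inbound mail and flags the hallmarks this article describes: an executive's display name paired with the wrong address, a lookalike sender domain, a Reply-To that points somewhere other than the sender's domain, and urgent payment or bank-detail language. The code below is an added example written for this article and is not Kotman Technology's, Huntress's, or any vendor's tooling; the company domain, the executive name and address, and the two sample messages are all constructed for illustration. Anything it flags should be routed to the kind of out-of-band phone verification the Huntress story later describes, not treated as a verdict on its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the organisation's own mail domain and
# the executives most often impersonated in CEO-fraud style BEC (hypothetical).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}

# Language typical of the "request for action" step: urgency, secrecy, payments.
PRESSURE_TERMS = ("urgent", "immediately", "asap", "confidential", "wire", "bank details")

def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw_message: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Known executive's name on a mailbox that is not their real one.
    expected = EXECUTIVES.get(display_name)
    if expected and from_addr.lower() != expected.lower():
        findings.append("display-name-impersonation")

    # 2. Sender domain is a near miss of the company domain (typosquat / homoglyph).
    if from_dom != COMPANY_DOMAIN and 0 < _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Replies would silently go to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("reply-to-mismatch")

    # 4. Urgency, confidentiality or payment-change wording in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    if any(re.search(r"\b" + re.escape(term) + r"\b", text) for term in PRESSURE_TERMS):
        findings.append("pressure-or-payment-language")

    return findings

# Constructed sample: a CEO-fraud attempt using a lookalike domain and a foreign Reply-To.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: ceo.office@webmail.example
To: finance@example-corp.com
Subject: Urgent wire transfer

I need you to process a wire immediately. New bank details attached. Keep this confidential.
"""

# Constructed sample: a routine internal message from the genuine executive mailbox.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 budget review

Please send me the Q3 budget summary when you have a moment.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        hits = analyze(sample)
        print(f"{label}: {'HOLD for phone verification' if hits else 'no indicators'} {hits}")
```

Each indicator on its own produces false positives (executives do occasionally mail from personal accounts, and "urgent" appears in plenty of honest mail), so the useful signal is the combination; in practice the check would sit in a mail-flow rule or SIEM query and raise a ticket for the finance team rather than block delivery.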

In the end, while BEC scams are sophisticated and ever-evolving, a combination of informed employees and robust technological defenses can create a formidable barrier against these threats. It's about fostering a culture of cybersecurity awareness, where every individual, from the top executive to the newest intern, plays a role in safeguarding the organization.

Huntress: A Beacon of Security Vigilance

Kotman Technology prides itself on partnering with leading security vendors to ensure the utmost protection for its clients. One such esteemed partner is Huntress. On August 7, 2023, Huntress showcased its commitment to security by detecting and thwarting a business email compromise (BEC) scam that could have cost them over $100,000. This incident wasn't identified by a high-tech security tool but rather by the company's ingrained security-centric procedures and vigilant training.

The scam unfolded when Huntress, collaborating with a small business vendor for their field marketing efforts, initiated an ACH payment of approximately $103,000 based on an invoice request. Shortly after, they received an email from the vendor's contact, seemingly genuine, urging them to halt the payment due to suspicious activity in the vendor's bank account. This was followed by another email providing new bank details for the payment.

However, Huntress's security protocols mandate a direct call to confirm any new bank details, even if the request appears legitimate. Upon calling, they discovered that the vendor's contact had not sent any such emails. In fact, her email account had been compromised, and a threat actor was masquerading as her, attempting to divert the payment to their account.

This incident underscores the importance of security awareness and the need for procedures that prioritize verification over convenience. Huntress's proactive approach, rooted in regular security training and a culture of vigilance, not only saved them a significant financial loss but also highlighted the value they bring to partners like Kotman Technology. Their story serves as a testament to the fact that in the realm of cybersecurity, human awareness, combined with the right procedures, can be as powerful as the most advanced technological solutions.

Conclusion

In an era where cyber threats are constantly evolving, the incident at Huntress serves as a poignant reminder of the importance of vigilance and proactive security measures. While technology offers robust defenses, the human element remains a critical line of defense against sophisticated scams. Partnerships with security-conscious vendors like Huntress reinforce Kotman Technology's commitment to safeguarding its clients. As BEC scams and other cyber threats become more prevalent, it's the blend of technology, training, and human intuition that will stand as the bulwark against potential breaches.


Kotman Technology has been delivering comprehensive technology solutions to clients in California and Michigan for nearly two decades. We pride ourselves on being the last technology partner you'll ever need. Contact us today to experience the Kotman Difference.
