Business email compromise (BEC) is one of the most damaging and costly cyber attacks against small businesses. According to the FBI's 2023 Internet Crime Report 2023, BEC attacks cost U.S. businesses $2.9 billion in 2023, making it the second most costly cybercrime after investment fraud ($4.57bn).
BEC attacks nearly doubled in the past year, according to the latest "Data Breach Investigations Report."
In a BEC scam, the attacker pretends to be someone the victim should trust, like a coworker, boss, or supplier. They might ask that person to transfer money, change payroll details, or update banking information, that's why they usually target employees in the financial department.
BEC scams often involve techniques like spoofing email addresses or creating lookalike domains and are hard to spot because they don't always use malware or harmful links that standard security tools can detect. Instead, they rely on pretending to be someone else and tricking people through manipulation.
In a related attack type called EAC (Email Account Compromise), the attacker gains control of a real email account. They then use this account to conduct similar fraudulent activities, effectively becoming the trusted person they are impersonating.
Since both BEC and EAC exploit human weaknesses rather than technical issues, preventing, detecting, and responding to these attacks requires strategies focused on people and their interactions.
There are five major types of BEC scams:
1. CEO Scam: In this scam, attackers pose as a company's CEO or high-ranking executive. They typically send an email to someone in the finance department asking for a money transfer to an account controlled by the scammers.
2. Account Compromise: An employee's email account is hacked and used to send fake payment requests to vendors. The money ends up in the attackers' bank accounts instead of the legitimate vendor.
3. False Invoice Scam: Attackers pretend to be a foreign supplier and trick businesses into transferring funds to fraudulent accounts, thinking they're paying a legitimate invoice.
Related: What Is Invoice Fraud and How Small Businesses Can Stay Safe
4. Attorney Impersonation: Scammers pose as lawyers or legal representatives, often targeting lower-level employees who may not question the legitimacy of the request.
5. Data Theft: These attacks target H.R. employees to steal personal or sensitive information about company leaders, such as CEOs and executives. This data is often used in other scams, like CEO Fraud.
Example of phishing attempt caught by Bitdefender Antispam Lab researchers
Scammers posed as the Netherlands Chamber of Commerce (KVK) to steal personal information from business owners. They claimed that the recipient's company was no longer listed as active and requested that the recipient updated their details by filling out a form.
The email falsely stated: "We need to confirm that companies listed in the trade register are still active. Your company no longer appears as active according to the tax authorities. If you believe this is an error, please update your details within 3 business days."
Recipients were asked to provide personal information such as their name, company name, address, phone numbers, email, and date of birth. The scammers could use this information to better target and defraud the business owner.
Financial Losses. BEC attacks can lead to substantial financial losses if the scammers trick employees or small business owners into making unauthorized money transfers or divulging sensitive financial information.
Reputational Damage. A small business's reputation can be severely damaged if it falls victim to a BEC scam. Customers and partners might lose trust in the business's ability to handle sensitive information securely, which can lead to a loss of clients or contracts. Rebuilding a damaged reputation can be difficult and time-consuming.
Disruption of Operations. BEC attacks can disrupt daily operations. For instance, if an attack involves redirecting payroll or disrupting transactions, it can cause delays in employee payments or business dealings. This can affect staff morale and lead to operational inefficiencies.
Legal and Compliance Issues. Handling the aftermath of a BEC attack might involve legal costs and compliance issues. The business might need to report the incident to authorities, deal with legal claims, or face regulatory penalties if sensitive data is exposed or mishandled.
Decreased Employee Morale. Employees might feel stressed or demotivated if a BEC attack occurs. They may face additional scrutiny or have to deal with the fallout from the scam, which can affect their productivity and overall job satisfaction.
Increased Costs. After a BEC attack, a small business might need to invest in enhanced security measures, such as advanced email filtering systems, cybersecurity training for staff, and more robust authentication processes. For a small business with limited resources, investing in security before and not after an attack can save a lot of money.
Educate your team to spot these warning signs in suspicious emails:
BEC attacks often rely on social engineering and phishing tactics. Here's how to protect your business:
If you suspect someone is trying to scam you or a website looks suspicious, you check it with Scamio, our AI-powered scam detection tool. Send any texts, messages, links, Q.R. codes, or images to Scamio, which will analyze them to determine if they are part of a scam. Scamio is free and available on Facebook Messenger, WhatsApp, and your web browser. You can also help others stay safe by sharing Scamio with them in France, Germany, Spain, Italy, Romania, Australia, and the U.K.
Read more about this solution in our article Why Small Business Owners Should Care About Cybersecurity and choose your plan, here.
If you think your business email has been compromised, take these steps immediately:
Here are some law enforcement agencies that you can reach out to:
Recovering money lost in a Business Email Compromise (BEC) attack can be challenging, but there are steps you can take to try and recover the funds or mitigate the damage:
1. Contact Your Bank or Financial Institution: Notify your bank or the institution where the funds were transferred as soon as possible. They may be able to reverse the transaction if it has not been fully processed or offer advice on how to proceed.
2. Report the Incident: File a report with law enforcement agencies, such as the FBI's Internet Crime Complaint Center (IC3) or your local police. Providing detailed information about the attack can help with investigations and recovery efforts.
3. Notify Your Email Provider: Inform your email service provider about the breach. They might have additional resources or guidance for addressing the situation and potentially recovering lost funds.
4. Engage a Cybersecurity Expert: Consult with a cybersecurity expert or incident response team. They can help assess the breach, secure your systems, and assist with investigating the financial loss.
5. Contact Your Insurance Provider: If your business has cyber insurance, contact your provider to report the loss. Cyber insurance policies may cover financial losses resulting from BEC attacks.
6. Track and Document Everything: Keep detailed records of all communications and actions taken related to the incident. This documentation can be crucial for investigations and any potential recovery processes.
While these steps can improve your chances of recovering lost funds, success is not guaranteed. Prevention and strong security measures are the best ways to protect your business from future attacks.
Related: 10 cybersecurity tips to protect your small business data
What is Business Email Compromise (BEC), and how does it work?
Business Email Compromise (BEC) is a type of cyberattack where scammers impersonate a trusted person or entity through email to deceive employees into transferring money or sharing sensitive information. These attacks often rely on social engineering tactics, such as posing as an executive or a vendor, to manipulate the recipient into taking action.
How can I train my staff to recognize and prevent BEC attacks?
Focus on identifying common signs of BEC, such as unusual requests for sensitive information, emails from unknown contacts, or messages asking for secrecy. Encourage employees to verify with Scamio any unexpected or suspicious requests through direct communication channels, such as phone calls, before taking any action.
How can multi-factor authentication (MFA) protect my business from BEC attacks?
Multi-factor authentication (MFA) adds an extra layer of security by requiring more than just a password to access your accounts.
By implementing MFA, even if a scammer manages to obtain a password through a BEC attack, they would still need the additional verification factor to gain access. This significantly reduces the risk of unauthorized access and helps protect your business from potential breaches.
tags
Cristina is a freelance writer and a mother of two living in Denmark. Her 15 years experience in communication includes developing content for tv, online, mobile apps, and a chatbot.
View all postsDecember 19, 2024
November 14, 2024