Business Email Compromise (BEC) Fraud on the Rise

Cybercriminals are a major threat to business email. Through various business email compromise (BEC) scams, these fraudsters can cause irreparable financial and reputational damage to your company. With BEC on the rise, protecting your inbound (and outbound) messages is vital to your company’s success and the longevity of its brand.

What Is Business Email Compromise (BEC)?

BEC attacks are financial in nature and target organizations of all sizes. The gist of a BEC scam is that a fraudster pretends to be someone at the executive level, then convinces an unsuspecting employee to help them wire funds outside of the company. BEC scams often use publicly available information, phone calls and emails from domains that closely resemble the target company’s domain. For example: targeting MxToolbox.com with an email from MxTooŀbox.com. Look closely.
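A sender-domain check for the lookalike trick described above, as an added example that is not from the original article or from MxToolbox's tooling. The protected-domain list, the function names and the edit-distance threshold of 1 are assumptions, and the sample addresses are constructed.

```python
import unicodedata

# Assumption: the domains your organization actually sends mail from.
PROTECTED = {"mxtoolbox.com"}

def skeleton(domain: str) -> str:
    """Fold a domain to plain ASCII so visually similar spellings compare equal.

    NFKD splits characters such as U+0140 (l with middle dot) into an ASCII
    letter plus a mark; every non-ASCII code point left over is dropped.
    """
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(c for c in decomposed
                   if c.isascii() and (c.isalnum() or c in "-."))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches ASCII swaps such as '1' for 'l'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify_sender(address: str):
    """Return (verdict, matched_domain) for a From address.

    'exact' means the domain string matches a protected domain; it says
    nothing about whether the message is authentic.
    """
    domain = address.rsplit("@", 1)[-1].strip(" <>").lower()
    if domain in PROTECTED:
        return ("exact", domain)
    skel = skeleton(domain)
    for good in sorted(PROTECTED):
        # Assumed threshold: one edit away from a protected domain is suspicious.
        if skel == good or edit_distance(skel, good) <= 1:
            return ("lookalike", good)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample senders; \u0140 is the dotted l from the article's example.
    for sender in ("ceo@MxToo\u0140box.com", "billing@mxtoolbox.com",
                   "ceo@mxtoo1box.com", "sales@example.org"):
        print(sender, classify_sender(sender))
```

A mail gateway rule or triage script could route "lookalike" results to quarantine or manual review before any payment request is acted on.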

Loss numbers are frequently significant, and it’s a very appealing tactic for scammers looking to get rich quick.

Unreported BEC

Many instances of BEC fraud go unreported because few companies want to admit that they fell victim to a scam. As a result, cases are typically hidden until court proceedings. It’s difficult to gauge how much money is actually lost to BEC scams per year, but the estimates are astronomical.

Common Types of BEC Attacks

According to the FBI, there are five common types of BEC scams:

Email Account Compromise

In an email account compromise attack, an employee’s email account is hacked and used to request payments from vendors. The money is then sent to attacker-controlled bank accounts.

Vendor Email Compromise

Companies with foreign suppliers are common targets of vendor email compromise. Attackers pose as suppliers, request payment for a fake invoice, then transfer the money to a fraudulent account.

CEO Fraud

Scammers impersonate the CEO or executive of a company. As the CEO, they request that an employee within the accounting or finance department transfer funds to an attacker-controlled account.

Lawyer Impersonation

Fraudsters pose as a lawyer or legal representative, often via email. The common targets of these attacks are lower-level employees who might not have the knowledge or experience to question the validity of an urgent legal request.

Data Theft

Data theft attacks typically target HR personnel to obtain personal information about a company’s CEO or other high-ranking executives through emails. The attackers can then use the received data in other future attacks, such as CEO fraud.

Tips to Avoid BEC Scams

Because email is such a critical aspect of your business, a single compromised account is all it takes to financially damage your company and its brand. Here are some tips on how to stay protected and secure:

  • Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
  • Educate and train staff. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training them according to the company’s best practices. Remind all that adhering to company policies is one thing, but developing good security habits is another.
  • Confirm any changes in vendor payment location by using a secondary sign-off by company personnel.
  • Stay updated on your customers’ habits, including the details and reasons behind payments.
  • Verify requests for transfer of funds by using phone verification as part of two-factor authentication.
  • If you suspect that you’ve been targeted by a BEC email, immediately report the incident to law enforcement or file a complaint.

How Can MxToolbox Help? (DMARC)

DMARC helps secure your company’s email platform and protect against BEC scams. By implementing DMARC checks on inbound email and educating employees, the prevalence of online fraudsters and their BEC cons can be minimized. In addition, implementing DMARC on outbound email will reduce the risk of your brand being used in a BEC scam, which could otherwise damage your business reputation.

At MxToolbox, our email experts have created several tools and services to safeguard your business and increase its email deliverability. Check out our various products to help protect your company’s email reputation.