The Rapid Growth of BEC Fraud
The newest, fastest-growing tactic for cybercriminals is called Business Email Compromise (BEC).
Early forms of BEC struck large corporations but now BEC is striking small businesses far more dangerously and frequently than ransomware.
Cybercrime never sleeps. Attacks happen at all times, but more than that, the evolution of criminal tactics marches forward relentlessly. Similar to ransomware attacks, the bad actors are using social engineering to compromise a company’s network. But, instead of worming their way into well-protected corporate data — which is getting harder to do — the new form of attack is content to stay inside the company’s email system.
Ransomware vs BEC Fraud
- Ransomware wants to encrypt your most important files and then blackmail you to regain access. Business email compromise (BEC) wants to read and mimic your email messages to trick you into a wire fraud mistake.
- Ransomware gets in your face and makes demands, and BEC takes your money and disappears before you ever knew the bad actor was there.
- Ransomware prioritizes corporations that can make large payments. BEC fraud is enabling small-time criminals to target far smaller businesses.
- Ransomware patiently works its way deeper and deeper into the company’s data systems. BEC patiently grooms individual employees setting them up to make a wire transfer that seems legitimate.
The FBI estimates that American businesses lost $43 billion to Business Email Compromise fraud between 2016 and 2021.
BEC is an insidious crime. The bad actor starts imitating the boss, the financial department, a valued supplier, or an employee dealing with customers all through email threads that closely match real activity. The good actors are being “groomed” to trust the bad actor and then they are set up to make a wire transfer that seems perfectly reasonable. Days or even weeks can go by before a malicious transaction is uncovered. By then, of course, the money is long gone.
Home buyers have been tricked by a hacked law firm into making their down payment to the wrong bank account. Home builders have been tricked into making a very large payment to a supplier because either the home builder or the supplier was hacked. Junior employees have rushed around in a hurry because the boss is traveling and an urgent payment is overdue. And on and on it goes, the anecdotes are scary because of their creativity. This is happening with remarkable frequency and it is an under-reported crime.
BEC requires bad actors who are savvy communicators but the tech skills required to infiltrate email systems is less sophisticated than with Ransomware attacks. The relative simplicity of BEC attacks is one reason that smaller businesses are especially vulnerable.
- The FBI’s page dedicated to alerting businesses about BEC fraud.
- US Bank’s real-life scenarios for BEC fraud.
- AT&T Business/Cybersecurity examples and tactics.
Readers of EO Advisor and clients of Electronic Office are already aware of the critical best practices that help prevent socially engineered attacks. BEC just makes it more urgent and more critical that smaller businesses are fully invested in their protection.
If you think you have been a victim of BEC fraud, or if you have any concerns at all, please use Contact US to reach out to Electronic Office.