Business Email Compromise (BEC)
Business Email Compromise (BEC) is a scam targeted at organizations that execute wire transfers and have suppliers in foreign countries. A large number of corporate or publicly visible email accounts belonging to CEOs or high-level staff in the finance or payment processing functions have been compromised or spoofed, resulting in hundreds of thousands of dollars in losses. In 2016, BEC attacks caused an average loss of US$140,000 for businesses around the world.
Formerly known as Man-in-the-Email schemes, BEC attacks rely primarily on social engineering to deceive unwary employees and executives. The fraudsters frequently pose as the CEO or another executive who has the authority to approve wire transfers. They also research their prospective victims extensively and continuously monitor both the individuals and their organisations.
The subject lines of such messages often contain phrases such as “request,” “payment,” “transfer,” and “urgent.” According to the FBI, there are five categories of BEC scams:
The Bogus Invoice Scheme: Companies that have international suppliers are frequently targeted with this method. The attackers claim to be the suppliers and request that payments be transferred to an account owned by the fraudsters themselves.
CEO Fraud: Attackers pretend to be the company’s CEO or another executive and send emails to staff in the finance department, instructing them to transfer money to a bank account under the attackers’ control.
Compromise of Accounts: An executive’s or employee’s email account is hacked and used to request invoice payments from suppliers listed in their email contacts. The funds are then transferred to bank accounts controlled by the fraudsters.
Attorney Impersonation: Attackers masquerade as a lawyer or a representative of a legal firm, claiming to be handling sensitive and confidential matters. Such fake requests are typically made via email or phone, and usually at the end of the working day.
Data Theft: Employees in the human resources and bookkeeping departments are targeted in order to obtain personally identifiable information (PII) or tax returns of employees and executives. Such information can be utilised to launch future attacks.
Because these frauds contain no malicious links or attachments, they evade detection by typical anti-phishing and anti-scam software. Employee education and awareness can assist businesses in identifying this type of scam.
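A heuristic triage check for the indicators described above (urgency phrases in the subject, an executive's display name on an outside address, a Reply-To pointing at a different domain, wire-transfer wording in a message that carries no links or attachments), as an added example that is not part of the original article; the organisation's domain, the executive name and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own mail domain and the
# display names of executives whose authority attackers usually borrow.
OUR_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

# Subject-line phrases the FBI lists, plus wording typical of payment-redirect requests.
URGENCY = re.compile(r"\b(request|payment|transfer|urgent)\b", re.I)
WIRE = re.compile(r"\b(wire|bank account|account details|iban|swift|invoice)\b", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the BEC indicator labels found in one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    found = []
    # An executive's display name on mail that did not originate from our domain.
    if (from_name.strip().lower() in EXECUTIVE_NAMES
            and domain_of(from_addr) != OUR_DOMAIN):
        found.append("executive-name-external-sender")
    # Replies silently routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        found.append("reply-to-domain-mismatch")
    if URGENCY.search(subject):
        found.append("urgency-subject")
    if WIRE.search(body):
        found.append("wire-request-body")
    return found


# Constructed sample: a CEO-fraud style message with no links or attachments.
SAMPLE = """From: Jane Doe <jane.doe@freemail.example>
Reply-To: ceo.jane@mail-example.net
To: accounts@example.com
Subject: Urgent payment request

I'm in a meeting, please wire 48,000 to the new supplier bank account today.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

Any message with two or more indicators is a candidate for a hold-and-verify step (a phone call to the purported sender on a known number) rather than automatic delivery to finance staff.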