Carefully choosing the target and aiming for the highest return on investment is the main motive behind any transaction, even for a cybercriminal. This mindset has started a new trend called BEC, or Business Compromise Scam. In this carefully executed scam, the hacker uses Social Engineering to identify the CEO or CFO of the target firm. The cybercriminals then send fraudulent emails, purporting to come from that senior management official, to the employees in charge of finances, prompting some of them to initiate wire transfers.
Business Compromise Scams
Instead of spending countless hours phishing or spamming the company's accounts and ending up with nothing, this technique seems to work just fine for the hacker community, because even a small success rate results in hefty profits. A successful BEC attack gives the attacker a foothold in the victim's business systems, unrestricted access to employee credentials, and causes substantial financial loss for the company.
Techniques of carrying out BEC Scams
- Using a commanding, urgent tone in the email so that more employees comply with the order without investigating it. For instance, ‘I want you to transfer this amount to a client ASAP’ combines a direct command with financial urgency.
- Spoofing real email addresses by using domain names that look almost identical to the genuine one. For instance, using yah00 instead of yahoo is quite effective when the employee does not check the sender’s address closely.
- Another major technique is choosing the amount requested for the wire transfer carefully. The amount should be in line with the recipient’s authority in the company, since an unusually large amount is expected to raise suspicion and get the request escalated to the cyber cell.
- Compromising genuine business email accounts and then misusing those IDs.
- Using custom signatures like ‘Sent from my iPad’ and ‘Sent from my iPhone’, which support the pretext that the sender is away from the office and does not currently have the access required to make the transaction themselves.
Reasons why BEC is effective
Business Compromise Scams target lower-level employees while posing as senior employees. This plays on the sense of ‘fear’ that comes with natural subordination. Lower-level employees hence tend to rush to complete the task, mostly without checking the finer details, rather than risk losing time. From the employee’s point of view, rejecting or delaying an order from the boss is rarely a good idea: if the order turns out to be genuine, the consequences fall on the employee.
Another reason why it works is the element of urgency used by the hackers. Adding a deadline to the email pushes the employee towards completing the task before they take the time to check details such as the sender’s authenticity.
Business Compromise Scams Statistics
- BEC cases have been on the rise ever since they were discovered a few years ago. It has been found that all US states and over 79 countries worldwide have had corporations that were successfully targeted with Business Compromise Scams.
- In fact, over 17,500 corporations, or more precisely their employees, have been targeted by BEC within the last few years, causing significant losses to the firms. The total loss amounts to around $2.3 billion.
Prevention of Business Compromise Scams
While there is no outright cure for social engineering, or for intrusion into the company’s systems using an employee’s access, there are certainly ways to alert the workforce. All employees should be educated about these attacks and their general nature. They should be advised to regularly screen their inbox for spoofed email addresses. Apart from that, all such top-level management orders should be verified with the purported sender by phone or in person. The company should encourage double verification of such details.
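As an added, illustrative example that is not part of the original article, the following Python script screens a plain-text email for the red flags described above: a look-alike sender domain (such as ‘yah00’, or ‘rn’ standing in for ‘m’), an executive’s display name paired with an outside address, urgency language, a payment request, and a mobile-device signature. The trusted domain, the executive list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Assumed, constructed values: our real mail domain and the executives whose names BEC mail borrows.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine address
URGENCY = re.compile(r"\b(asap|urgent(ly)?|immediately|right away|before eod)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice)\b", re.I)
MOBILE_SIG = re.compile(r"sent from my (iphone|ipad)", re.I)
HOMOGLYPHS = str.maketrans("0135", "oles")  # yah00 -> yahoo, examp1e -> example

def normalise(domain):
    """Undo cheap look-alike tricks: digit-for-letter swaps and 'rn' for 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, so a one-character typo of our domain scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when the domain is not ours but is visually or typographically close to it."""
    domain = domain.lower()
    return domain not in trusted and any(
        normalise(domain) == t or edit_distance(domain, t) <= 1 for t in trusted)

def bec_indicators(raw_message):
    """Return the BEC red flags found in one plain-text RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    if is_lookalike(addr.rpartition("@")[2]):
        flags.append("lookalike-sender-domain")
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        flags.append("executive-name-address-mismatch")
    body = msg.get_payload()  # single-part message, so this is the text body
    for pattern, flag in ((URGENCY, "urgency-language"), (PAYMENT, "payment-request"),
                          (MOBILE_SIG, "mobile-signature")):
        if pattern.search(body):
            flags.append(flag)
    return flags

# Constructed sample in the style the article describes ('rn' in the domain mimics 'm').
SAMPLE = ("From: Jane Doe <jane.doe@exarnple.com>\nTo: accounts@example.com\n\n"
          "I want you to transfer this amount to a client ASAP.\n\nSent from my iPad\n")
```

Such a screen is a triage aid for the mailbox or gateway; a hit still has to be confirmed by the out-of-band phone or in-person check recommended above.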