It Started with an Email...

  • Published: Tuesday, Feb. 9, 2021

BEC-Business Email Compromise. In other words, an email scam that specifically targets companies. The attacker may impersonate or compromise executive emails in an attempt to initiate a wire transfer or gain access to sensitive information. This targeted type of attack is a form of spear phishing

BEC attacks are usually more sophisticated than other phishing campaigns. The scammer might make the email look like it is coming from an executive within the company. Usually, the sender email address will look legitimate but upon closer examination there are normally slight variations. For example, the executive John Smith might have an email of [email protected], but the crook will send it from [email protected]

In one impersonation of an executive, the cyber criminal may request the finance department to transfer funds into a new account. The employee may not think it is appropriate to appeal such a request from their supervisor. 

These emails are well well written and fine tuned and rarely have the obvious flaws of phishing emails. These cultured emails aren’t your typical Nigerian prince scams

Distribution fraud is a form of BEC. In this scenario, a thief may use a fake domain that imitates a well-known company. The thief then requests quotes for goods. Once the quote is supplied a fake purchase order is generated and delivered to the victim in hopes that the items will be shipped without an exchange of payment. 

Some BECs will seek sensitive information such as W2s or direct deposit information. Carefully crafted using the best social engineering tactics, these emails can be very convincing. BECs can cause unsuspecting victims to voluntarily give up personal information to hackers.

BECs can cause monetary damages, reputation and long term distress and injury caused by identity theft; they can also lead to corporate distress and job loss.

Take precautions and implement procedures in order to reduce the risk of BEC.

  • End-user training: Perform phishing simulations to condition users for what scam emails look like. Use real-time examples of compromises in the news.
  • Establish written procedures for handling financial transactions which might include in person or call back confirmations.
  • Limit the number of staff who are authorized to make financial transactions.