Last year, the FBI reported that incidents of business email compromise (BEC), also known as spear phishing, CEO fraud, and invoice fraud, had been reported in all 50 states and 150 countries, with global losses exceeding $12 billion. BEC scams are continuing to explode in popularity among cyber criminals, with attacks increasing by 476% between Q4 2017 and Q4 2018, according to research from Proofpoint. Recently, a Lithuanian national pled guilty in U.S. court to his role in a BEC scheme that bilked Facebook and Alphabet out of more than $100 million.

What Is Business Email Compromise?

As opposed to traditional phishing scams, where identical messages are mass-emailed to thousands of recipients, BEC scams involve sending customized emails that target specific employees within a company, usually those who handle wire transfer payments or have access to sensitive information, such as employee payroll data. Before launching an attack, hackers research their targets in great detail, culling information from public sources such as social media networks and official company web properties.

After selecting a victim, hackers send the employee an email impersonating a company executive or business partner. Sometimes, the sender’s email address is spoofed; other times, hackers have obtained the real user’s login credentials and taken over their email account. The BEC email will contain an urgent request for a wire transfer, allegedly to pay a past-due invoice, or sensitive information, such as employee tax withholding forms. In one scheme the IRS issued an official warning about last year, the BEC emails requested both a wire transfer and employee tax data.

The BEC email warns of dire consequences should the recipient not act immediately, such as a delay on a time-sensitive parts shipment or the next round of employee paychecks. BEC emails are designed to look as realistic as possible, and sometimes, hackers will follow up with a phone call to add legitimacy and increase the victim’s sense of urgency. Thinking they’re doing the right thing, the recipient sends the money or data.

Sometimes, victims of BEC don’t realize they’ve been scammed until much later, such as when an impersonated vendor contacts the company about non-payment on a real invoice.

Preventing Business Email Compromise

Because business compromise emails do not contain malicious links or attachments, they usually bypass traditional email security measures, such as spam filters. However, there are technical solutions and non-technical controls companies can implement to help stem the tide, such as:

* Implement multi-factor authentication (MFA) to protect against account takeovers.
* Use the DMARC email security protocol to protect against domain spoofing.
* Prohibit employees from using personal emails for company business and vice versa.
* Talk to a cybersecurity professional about technical solutions that can identify compromised accounts, as well as solutions that block emails that contain sensitive data from being sent.
* Avoid using a private email server. Most companies don’t have the in-house resources to secure and monitor one.
* Ensure that all employees have appropriate and continuous cybersecurity training, including how to spot BEC scams.
* Require that all sensitive operational procedures, such as making wire transfers or releasing employee payroll data, be authorized by more than one person.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.