In this insight, we look at what BEC campaigns are, their characteristics, and what businesses can do to protect themselves from the threat of BEC campaigns.
A business email compromise (BEC) campaign is a kind of text-based, impersonation-driven social engineering scam in which, in most cases, the victim receives an email that appears to come from their boss. The email is given legitimacy by appearing to be part of a thread with a partner company, a customer, or an organisation in the supply chain, so that the target will recognise it. The email instructs the victim, e.g. someone in the finance department of the business, to transfer funds (wire transfer / BACS payment) into an account that belongs to the scammers.
In the US, for example, the FBI has defined five main types of BEC campaigns, which are:
– CEO Fraud: The attackers impersonate the CEO or an executive at the company and target an individual in the finance department.
– Account Compromise: This is where an employee’s email account is hacked/compromised and used to request payments.
– False Invoice Scheme: Mostly targeting foreign suppliers, this method sees the scammer impersonating a supplier to request fund transfers to fraudulent accounts.
– Attorney (Lawyer) Impersonation: As the name suggests, the attacker impersonates a lawyer or legal representative, targeting, for example, lower-level employees because they may be less likely to question the validity of the request.
– Data Theft: Targeting HR employees, the motive is to obtain personal or sensitive information about company personnel, e.g. CEOs and executives, that can be used as part of future attacks (such as CEO Fraud).
BEC campaigns also sometimes use domain spoofing and lookalike domains to trick the targeted employees.
It is often the case that email account compromise (EAC) enables the BEC, i.e. gaining control of a legitimate company email account makes it possible to launch convincing BEC campaigns.
One reason why BEC campaigns are so challenging to detect, e.g. using antivirus, is that they often contain no red flags such as malicious links or attachments.
Some ways that businesses can defend themselves against the threat of BEC campaigns include:
– Briefing and training staff about the nature of the threat and the different types of well-known BEC campaigns. For example, staff should be informed of the indicators of a possible BEC campaign, e.g. high-level company executives asking for unusual information, being asked not to communicate with others about requests, any requests that would bypass the usual channels, spelling and grammar inaccuracies in the emails, and email domains and “Reply-To” addresses that don’t match the sender’s address.
– Ensuring that company email security is robust and that staff are aware of how to avoid risky behaviour with emails, e.g. clicking on unusual links, downloading attachments, or password sharing.
– Encouraging employees to trust their instincts and, if they have the slightest doubt, let them know that it’s OK to seek help and advice. Attackers often rely upon targeting victims at busy times of the day, and making requests sound very urgent, so employees need to know that stopping to check and slowing things down is a good idea.
– Having a clear, blanket procedure in place for such requests that requires verification by designated managers who are well-informed about this type of fraud and have the confidence and authority to check and challenge.
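The technical indicators mentioned above (a “Reply-To” domain that differs from the sender’s, lookalike domains, and urgency or secrecy language in the body) can be checked automatically before a message reaches a finance inbox. The script below is an added example and not part of the original insight; the trusted domain list, the phrase list, the homoglyph table and the sample message are all constructed for illustration, and a real deployment would combine this with SPF/DKIM/DMARC results rather than rely on it alone.

```python
"""Flag common BEC indicators in a raw email message (added example).

Assumptions (constructed, not from the original article):
  - TRUSTED_DOMAINS lists the organisation's own and partners' domains.
  - SUSPICIOUS_PHRASES covers urgency, secrecy and payment-change language.
  - HOMOGLYPHS holds character swaps often used in lookalike domains.
"""
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "partner-supplier.com"}

SUSPICIOUS_PHRASES = [
    r"\burgent\b", r"\bimmediately\b", r"\bconfidential\b",
    r"do not (?:discuss|mention|tell)", r"keep this between us",
    r"\bwire\b", r"bank details", r"\bnew account\b",
]

HOMOGLYPHS = {"rn": "m", "0": "o", "1": "l", "vv": "w"}


def domain_of(address):
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def normalise_homoglyphs(domain):
    """Undo simple look-alike substitutions so 'exarnple.com' reads 'example.com'."""
    for glyph, real in HOMOGLYPHS.items():
        domain = domain.replace(glyph, real)
    return domain


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    A trusted domain itself is never reported. A domain is treated as a
    lookalike if it matches a trusted domain after homoglyph normalisation
    or is a close edit (similarity ratio >= 0.85) of one.
    """
    if not domain or domain in trusted:
        return None
    candidates = {domain, normalise_homoglyphs(domain)}
    for t in trusted:
        for c in candidates:
            if c == t or difflib.SequenceMatcher(None, c, t).ratio() >= 0.85:
                return t
    return None


def bec_indicators(raw_message):
    """Return a list of human-readable indicator strings (empty if none found)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])

    # Indicator 1: Reply-To routes answers to a different domain than the sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # Indicator 2: sender or reply-to domain imitates a trusted domain.
    for label, dom in (("sender", from_domain), ("reply-to", reply_domain)):
        target = lookalike_of(dom)
        if target:
            findings.append(f"{label} domain {dom} looks like trusted domain {target}")

    # Indicator 3: urgency / secrecy / payment-change language in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for pattern in SUSPICIOUS_PHRASES:
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(f"body matches suspicious phrase /{pattern}/")

    return findings


# Constructed sample message resembling a CEO-fraud attempt.
SAMPLE_BEC = (
    "From: Chief Executive <ceo@example.com>\n"
    "Reply-To: Chief Executive <ceo@exarnple.com>\n"
    "To: finance@example.com\n"
    "Subject: Quick favour\n"
    "\n"
    "This is urgent. Please wire the funds today and do not discuss this "
    "with anyone until I am back in the office.\n"
)

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE_BEC):
        print("-", finding)
```

Running the script against the sample prints the Reply-To mismatch, the lookalike domain, and three matching phrases; a message with none of these indicators returns an empty list. Because BEC emails typically carry no links or attachments, header and language heuristics like these are among the few automated signals available, which is why they complement rather than replace the staff training and verification procedure described above.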
Since this type of campaign is difficult to spot with automated solutions (e.g. antivirus) and relies upon human error to work, a human-centred approach to protection is a wise move for businesses: employee training, together with clearly communicated blanket policies for this type of question, request or instruction that cannot be circumvented. As with all social engineering, the criminals use methods designed to suspend normal judgement and force an emotional reaction before reasoned, critical decision-making can happen. Knowing the signs (through training), slowing things down, feeling supported by managers, not being afraid to ask others, and sticking to the policy are ways in which staff can be empowered to defend the company’s security in the face of the threat of BEC campaigns.