There are many different types of Business Email Compromise (BEC) attacks, but the smartest and most likely to succeed are often timed to coincide with something that can lend them legitimacy, such as tax season.
By infiltrating an organization to find a few useful details, scammers can craft email messages that are perfectly timed and convincingly urgent enough to persuade victims to transfer large sums of money.
The potential risk to your business is enormous; the FBI estimates the cost of BEC scams worldwide between October 2013 and July 2019 was more than $26 billion, mostly stolen from U.S. organizations.
The mechanics of different types of BEC attack are very similar, so by breaking them down and educating your workforce you can dramatically reduce the risk for your business.
What Does a Typical BEC Scam Look Like?
A successful BEC scam requires some knowledge of your organization’s internal workings. Criminals will identify a target business – all sizes and types of organization are at risk – and they will work to gain access to your network. The first step is likely to be a common phishing email that enables them to gain a foothold. From there, they will try to figure out how financial processes are handled and who is responsible for money transfers.
With the groundwork complete, they will wait patiently for an opening. A typical example is an incoming invoice for services from a vendor. The attacker will see this email coming in and they’ll quickly follow it up with a message that appears to come from the same vendor, explaining that they’ve just changed their account, and asking you to wire the money for the last invoice to these new details. Naturally, the new bank details provided are the scammer’s account and the victim likely doesn’t find out there was a scam until the vendor makes an inquiry about their unpaid invoice a few weeks later.
How Tax Season is the New Hunting Season
Another way attackers can boost their chances of perpetrating a successful BEC scam is to take advantage of particular times of year, such as tax season. People are more receptive to tax-related emails when it’s tax season and there are many ways to trick victims into handing over details, opening attachments or clicking somewhere they shouldn’t.
An email asking people to verify “the attached W2” is an easy place to start. No one wants to pay more tax than they need to, and when they know taxes need to be filed soon, there’s an instant sense of urgency. The attached W2 file could be a genuine form that the attacker is hoping you’ll fill out and return, because it would give them information that may be used for further frauds and scams. Alternatively, the W2 may be a malware payload that’s triggered when you try to open the attachment.
A smart scammer might combine knowledge that the CEO is out of the office on a trip somewhere with tax season and send a request for all employee W2s, maybe with a message saying that they want to work on them during the flight they’re about to board and will hand off to the tax guy when they land. This information could be used for all sorts of fraudulent activity and identity theft, if not by the thief, then by other criminals they may sell the stolen data to.
What To Look For
There are a few reasons why BEC scams are so prevalent; chief among them is that they actually work some of the time, and the potential rewards are substantial. No matter the level of sophistication, there are a few common themes and tricks that attackers use.
Understanding the mechanics behind a successful attack can educate you and your staff about what to be vigilant for.
Social engineering is all about emotional manipulation and it is an effective way to bypass your usual critical thinking skills.
With these BEC scams, there’s almost always a sense of urgency – the attacker wants you to respond before you think about it twice. They send emails with high importance flags and drop in deadlines. There might be the threat of not being paid on time, the risk of taxes being incorrect, or some other kind of anxiety that will irk you if you don’t respond quickly.
Attackers will spoof email addresses, and in some cases even use hacked email accounts. They will represent themselves as an organization you trust, or perhaps even a colleague. Messages that seem out of character or come in at strange times should be treated with suspicion. It’s also common for scammers to use domains that are highly similar to legitimate sources, but they may have one letter different in the middle, so scrutinize the sender address and look at URLs carefully.
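As an added illustration of the red flags just described (lookalike sender domains, a trusted colleague's display name on an external address, Reply-To redirection, artificial urgency) and of the vendor "we've changed our bank details" follow-up from the earlier scenario, the following Python script triages a raw email message and lists the flags it finds. This is example code written for this page, not tooling from the original article. The trusted domains, the internal staff name, the substitution table and the three sample messages are all constructed placeholders. The domain check generalizes the article's "one letter different" example to common character substitutions (rn for m, 1 for l, 0 for o) and any single-character edit.

```python
"""Triage heuristics for BEC red flags (added example; not the article's own code).

Trusted domains, internal names and the sample messages are constructed placeholders.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                       # constructed: the organization's own domain
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-supplies.com"}  # constructed: domains we actually deal with
INTERNAL_NAMES = {"jane doe"}                    # constructed: staff often impersonated (lower-case)

# Substitutions commonly used to build lookalike domains (assumed list, not exhaustive).
_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _normalize(domain: str) -> str:
    """Fold accents to ASCII and collapse common character substitutions."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for bad, good in _SUBS:
        d = d.replace(bad, good)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = _normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t = _normalize(trusted)
        if norm == t or _edit_distance(norm, t) <= 1:
            return trusted
        if norm.split(".")[0] == t.split(".")[0]:   # same name, different TLD (.co, .net ...)
            return trusted
    return None


def triage(raw_message: str) -> list:
    """Run the header and body checks over one RFC 822 message; return the red flags found."""
    msg = message_from_string(raw_message)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"sender domain {from_domain!r} resembles trusted {imitated!r}")

    # A colleague's display name, but the address is not on our domain.
    if from_name.strip().lower() in INTERNAL_NAMES and from_domain != OUR_DOMAIN:
        flags.append(f"display name {from_name!r} used from external domain {from_domain!r}")

    # Replies silently redirected to another mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append(f"Reply-To {reply_addr!r} does not match From domain")

    # Artificial urgency: priority headers combined with deadline wording in the body.
    text = "" if msg.is_multipart() else msg.get_payload()
    urgent = msg.get("X-Priority", "").startswith("1") or msg.get("Importance", "").lower() == "high"
    if urgent and re.search(r"\b(urgent|immediately|today|before|deadline|asap)\b", text, re.I):
        flags.append("high-priority header combined with urgency wording")

    # The classic vendor switch: payment details changed by email.
    if re.search(r"\b(new|updated|changed) (bank|account|wire|payment) (details|information|instructions)\b", text, re.I):
        flags.append("payment details change requested by email; verify out of band")
    return flags


# Constructed samples (not real messages).
SAMPLE_VENDOR_SWITCH = """\
From: Accounts Payable <billing@acme-supp1ies.com>
To: ap@example.com
Reply-To: billing@acme-supp1ies.com
Subject: RE: Invoice 4471 - updated bank details
X-Priority: 1

Please note we have changed bank details. Kindly wire payment for the last invoice
to the new account details attached today, before the deadline.
"""

SAMPLE_CEO_W2 = """\
From: Jane Doe <jane.doe@webmail-placeholder.net>
To: payroll@example.com
Subject: W2s needed before my flight
Importance: High

I need all employee W2s immediately, I'm boarding in 20 minutes.
"""

SAMPLE_CLEAN = """\
From: Accounts Payable <billing@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4471

Please find attached invoice 4471, due in 30 days.
"""

if __name__ == "__main__":
    for name, sample in [("vendor switch", SAMPLE_VENDOR_SWITCH), ("CEO W2", SAMPLE_CEO_W2), ("clean", SAMPLE_CLEAN)]:
        print(name, "->", triage(sample) or "no flags")
```

A non-empty result is a reason to route the message for out-of-band verification (a phone call to the vendor's known number, a chat with the colleague), not a verdict on its own; the heuristics are deliberately noisy so that they catch the variants the article describes, and the lists of trusted domains and impersonated staff need to be maintained per organization.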
If you stop to think about these scams and interrogate them, you’ll often be able to identify BEC attempts, but there’s no substitute for company-wide cultural awareness training.
Training for Security Awareness
It’s common practice to run annual security awareness training as part of a compliance checkbox spreadsheet, but if you want your employees to be properly armed in the fight against scams you need to train frequently. Flagging periods of higher risk, such as tax season, is a great way to reinforce and remind people of the training they’ve had. It doesn’t have to be in-depth technical training, but make sure they’re aware of major red flags related to social engineering.
Ultimately, if you can get employees to slow down and think before they act, that could be enough to help them identify a scam or refer suspicious emails to someone else who can investigate.