Business Email Compromise (BEC) scams, also known as CEO fraud or whaling, are a growing threat to businesses of all sizes. According to the FBI, BEC scams resulted in more than $1.7 billion in losses in 2019 alone, making them one of the most lucrative types of cybercrime.
BEC scams typically begin with a criminal hacker gaining access to a company’s email system, whether through phishing emails, social engineering, or malware. Once inside, the hacker monitors the company’s email traffic and looks for opportunities to trick employees into sending money or sensitive information.
One common tactic used in BEC scams is impersonating a high-ranking executive within the company, such as the CEO or CFO. The hacker will send an email from a spoofed email address that appears to be from the executive, asking an employee to make a payment or transfer funds to a designated account. The email may even include details that make it appear legitimate, such as the executive’s signature or official company letterhead.
Another variation of the BEC scam involves targeting companies that regularly make wire transfers, such as those in the real estate or financial industries. The hacker will intercept a legitimate email exchange between the company and a client, and then send a spoofed email to the client requesting that future payments be sent to a different account. The client, thinking they are following legitimate instructions, will send the payment to the criminal’s account instead.
BEC scams can be difficult to detect because they rely on sophisticated social engineering and are often sent from legitimate (compromised) company email accounts rather than obvious forgeries. However, there are steps that businesses can take to protect themselves:
- Implement strong email security measures, such as two-factor authentication and email encryption.
- Train employees to recognize phishing emails and other forms of social engineering.
- Implement strict policies for wire transfers and other financial transactions, including verifying any changes to payment instructions.
- Monitor email traffic for suspicious activity, such as unexpected requests for sensitive information or changes to payment instructions.
- Establish a system of checks and balances, such as requiring multiple approvals for large financial transactions.
- Use fraud detection software to monitor for unusual activity and detect potential BEC scams before they result in financial losses.
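As an added example (not from the original article), the following Python checker applies the monitoring advice above to a single message: it flags an executive's display name on an address outside the roster, a lookalike sending domain, a Reply-To that diverts replies elsewhere, and wording that asks for payment instructions to change. The company domain, the executive roster, and both sample messages are constructed for this illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed company domain and executive roster (assumptions for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}
# Wording that commonly accompanies a request to redirect a payment.
PAYMENT_CHANGE = re.compile(
    r"(new|updated|changed)\s+(bank|account|wire|payment)\s+(details|instructions|information)"
    r"|\b(wire|transfer)\b.*\b(today|urgent|asap|immediately)\b",
    re.IGNORECASE | re.DOTALL)

def analyze_message(raw: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # Display-name impersonation: an executive's name on an address not in the roster.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name impersonation: {from_name} <{from_addr}>")
    # Lookalike domain: close to, but not equal to, the company domain.
    similarity = SequenceMatcher(None, from_domain, COMPANY_DOMAIN).ratio()
    if from_domain != COMPANY_DOMAIN and similarity > 0.8:
        findings.append(f"lookalike domain: {from_domain}")
    # A Reply-To that differs from From silently redirects the conversation.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to mismatch: {reply_addr}")
    # Payment-redirection language in the body (single-part messages only here).
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    if PAYMENT_CHANGE.search(body):
        findings.append("payment-instruction change language")
    return findings

# Constructed sample messages: one impersonation attempt, one legitimate note.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.invalid

Please process the wire transfer today using the updated bank details below.
"""
BENIGN = """\
From: Jane Doe <jane.doe@example.com>

Attached are the figures we discussed. Thanks.
"""
```

Running `analyze_message(SUSPICIOUS)` returns all four indicators, while `analyze_message(BENIGN)` returns an empty list; in practice the roster and domain would come from the directory, and hits would be routed to the payment-verification step rather than acted on automatically.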
BEC scams are a growing threat to businesses of all sizes, and it is important for companies to take proactive steps to protect themselves. By implementing strong email security measures, training employees, and monitoring email traffic for suspicious activity, businesses can reduce their risk of falling victim to this type of cybercrime.