Phishing: Business Email Compromise (BEC) Schemes & Website Spoofing

Explore Business Email Compromise (BEC) Schemes and Website Spoofing.

Business Email Compromise (BEC)

A Business Email Compromise (BEC) is a phishing attack that targets anyone who performs legitimate funds transfers, especially companies who conduct wire transfers and have suppliers abroad. During this attack, cybercrooks fool employees into executing unauthorized wire transfers, or disclosing confidential information. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to do fraudulent transfers. 

In 2022, the FBI received 21,832 BEC complaints, with estimated losses totaling more than $2.7 billion (FBI)

Based on FBI studies, there are 5 types of BEC scams:

• The Bogus Invoice Scheme
  Occurs when attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters. Companies with foreign suppliers are often targeted with this tactic.

• CEO Fraud
  This scam happens when attackers pose as the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control.

• Account Compromise
  An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

• Attorney Impersonation
  Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters.  Normally, such bogus requests are done through email or phone, and during the end of the business day.

• Data Theft
  Employees under HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.

A Business Email Compromise is caused when a cyber attacker uses the Internet to research their intended victim; this could include people their victim interacts with. For instance, if the attacker were to target you, they would research who your boss is at work or perhaps a real estate agent you are working with from home. The cyber attacker then crafts an email pretending to be one of these people and sends it to you. The email is urgent, requiring you to take an action right away, such as processing an invoice, changing who you make a payment to, or convincing you to reply with sensitive documents. The email works by pressuring you into doing what they want.

Damages can include: 

• Money loss as fraud wire transfer
• Reputation loss for the CEO/CFO and the organization
• Termination of the CEO/CFO
• Lawsuits against CEO/CFO and victim executives
• Loss of customer trust

More than 70% of organizations have experienced a BEC attack

Because these scams do not have any malicious links or attachments, they can evade traditional solutions. Employee training and awareness can help enterprises spot this type of scam.

The ONLY way to avoid such scams are to 1) check the sender’s details, 2) confirm the identity of the sender through human efforts, and 3) enable a third-party solution for anti-phishing protection in your organization. 

Website Spoofing

Website Spoofing, or Website Impersonation, is the act of creating a website, as a hoax, with the intention of misleading readers that the website has been created by a different person or organization. Typically, the spoof website will adopt the design, content, and user interface of the target website and sometimes has the same URL. This type of phishing attack is similar to email spoofing, though it requires the attacker to put in much more effort. This attack vector has been around for decades and continues to be popular because it's difficult to detect until it's too late. .

It is always a best practice to type the entire link out by yourself, instead of copying and pasting the link from somewhere else to prevent this type of scam from occurring. 

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.