BEC Scams Hit All-Time High, How Employees Can Stop Them From Succeeding
By: Jim Stickley and Tina Davis
December 1, 2022
It’s not a cybercrime most people think of first. Ransomware and other malware attacks grab most of the headlines, but not today. According to the FBI, business email compromise (BEC) attacks totaled nearly $43 billion in losses globally and are expected to keep rising. Last year, the FBI’s IC3 (Internet Crime Complaint Center) received BEC scam reports from all 50 states in the U.S. and 177 countries.
Businesses of any size can be targeted, and a single email account is all it takes to be fair game for these scams. Employees can block or enable an attack with one click, and those who know how to spot BEC scams may end up being the company MVP.
Unlike other cyberattacks, BEC crimes depend more on social engineering than on technology to work. These phishing emails are highly manipulative and can easily trick an unsuspecting employee into action. It’s no surprise that hijacking company funds, including cryptocurrency, is the real goal for these cybercrooks.
How Employees Can Spot a BEC Attempt
You don’t have to be a technology whiz to know a BEC scam when you see one.
Hackers have several tricky social engineering tools they rely on, and they do their homework to improve their odds. In particular, they target employees involved in company finances, especially those directly involved with making wire transfers.
Social engineering tactics vary, but the email content typically addresses the employee by name, fakes a familiar identity such as a contractor, pushes the need for an urgent but quiet transfer of funds, names a company president or other high-ranking staff member who requested the transfer, and provides a new account (belonging to the hacker) to which the funds should be sent.
Below are some of the most important scenarios a staffer should question before inadvertently enabling a BEC scam.
- If a request is out of the ordinary, especially with wire transfers, it should immediately be brought to the attention of a manager, department head, or business owner first. Verification is a BEC hacker’s nightmare.
- Email phishing red flags like unexpected and unknown email senders, pressure for urgent action, unusual requests, and other social engineering tactics are all suspect.
- Any significant request having to do with their employer deserves an employee’s complete attention. Remember that any hasty move, especially with urgent requests, has the potential to put a company at risk.
It’s easy to see why employees who receive and send business emails every day are the first target and the first line of defense against BEC crimes.