Another cybercrime is grabbing the spotlight after years of taking a backseat to ransomware’s headline-grabbing attacks. Business email compromise (BEC) cybercrimes have quietly been racking up victims by stealing their money through email fraud. Organizations should be aware that, despite the lack of headlines, BECs are actually a bigger threat than ransomware.
Findings show that not only do losses from BEC far outweigh those from ransomware, but one reason these attacks don’t steal the headlines is that they are underreported by victims. This happens despite the FBI finding that the total cost of BEC attacks is 51 times that of ransomware. The FBI also finds that companies are moving toward bolstering security against ransomware attacks, yet BECs don’t appear to register as a concern for company leaders.
Overshadowed but Not Outdone
The FBI also finds that last year in the U.S., $2.4 billion was lost to BEC attacks, up 39% from 2020. That’s a hefty spike, while in the same year just $49.2 million was lost to ransomware in the U.S. Palo Alto Networks finds that last year’s average ransom demand was $2.2 million per incident. By comparison, the FBI reports that in the same timeframe BEC scams had an average price tag of $120,000. All of this shows that although BECs may steal less money than ransomware per heist, the sheer number of BECs far outweighs the number of ransomware attacks, adding up to larger profits overall.
Companies have the option of not paying a ransom or negotiating the cost, while BECs steal what they steal and that’s it. You can also view ransomware as an “in your face” attack that prevents a company from functioning until a ransom is paid. In comparison, BECs are a relatively quick theft of funds that most victims can afford to lose and still continue doing business unfettered.
BECs Fake Their Way to Fortune
BEC attackers use social engineering tactics, a form of fraud, to compromise business email accounts. These tactics allow attackers to impersonate an employee, vendor or another trusted third party needing a wire transfer. As such, a company CEO or CFO sees no real reason to doubt that the email request is legitimate and therefore approves the transfer. Little do they suspect that the funds end up in the attacker’s account, and they may not realize the theft until it’s too late.
Another way BECs use “impersonation” or “mimicking” to their benefit is through “lookalike” web pages. These pages duplicate a trusted web page, allowing an attacker to fool a victim into providing sensitive data. By using an unseen overlay on the page, the attacker captures whatever information is entered. Stealing anything from banking information to an employee’s login data, these web pages “spoof” trusted websites.
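The impersonation and lookalike tactics described above leave a detectable trace in the sender address. The following is an added example written for this page, not code from the article or any product it mentions: it scores a sender against a constructed list of trusted domains (`TRUSTED_DOMAINS`) and impersonated executive names (`EXECUTIVE_NAMES`), folding common digit-for-letter swaps and measuring edit distance so that a domain one or two characters off from a trusted one is flagged before a wire-transfer request reaches an approver. All domains, names and message headers in it are constructed for illustration.

```python
"""Lookalike-sender detection for BEC triage (added example, not from the article).

Assumes a constructed list of trusted domains and executive display names and a
few constructed message headers. Flags senders whose domain closely resembles a
trusted one, or whose display name matches an executive while the address is
external. Detection only; the verdicts are meant to feed a mail gateway rule or
a review queue.
"""
from dataclasses import dataclass, field

# Constructed sample data: the organization's own domain and a trusted vendor.
TRUSTED_DOMAINS = ("examplecorp.com", "trustedvendor.net")
# Constructed: display names commonly impersonated in wire-transfer requests.
EXECUTIVE_NAMES = {"Jane Doe", "John Roe"}

# Digits that read as letters in many fonts; folded before comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Lowercase and fold visually confusable sequences onto one spelling."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; domain names are short enough for the O(n*m) table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    reasons: list = field(default_factory=list)


def check_sender(display_name: str, address: str) -> Verdict:
    """Return the reasons (if any) this sender looks like a BEC impersonation."""
    verdict = Verdict(address)
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return verdict  # exact trusted domain: nothing to flag here
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize(trusted):
            verdict.reasons.append(f"homoglyph lookalike of {trusted}")
        elif levenshtein(norm, trusted) <= 2:
            verdict.reasons.append(f"within 2 edits of {trusted}")
        elif trusted.split(".")[0] in domain:
            verdict.reasons.append(f"embeds trusted label from {trusted}")
    if display_name in EXECUTIVE_NAMES:
        verdict.reasons.append("executive display name on an external address")
    return verdict


# Constructed headers: (display name, address) pairs as a gateway would see them.
SAMPLE_MESSAGES = [
    ("Jane Doe", "jane.doe@examplecorp.com"),           # legitimate
    ("Jane Doe", "jane.doe@examp1ecorp.com"),           # digit-for-letter swap
    ("AP Team", "ap@trustedvendors.net"),               # one extra character
    ("Billing", "billing@examplecorp-payments.com"),    # trusted label embedded
]


def scan(messages):
    """Return only the verdicts that carry at least one flag."""
    return [v for v in (check_sender(n, a) for n, a in messages) if v.reasons]


if __name__ == "__main__":
    for v in scan(SAMPLE_MESSAGES):
        print(v.sender, "->", "; ".join(v.reasons))
```

The homoglyph check runs before the edit-distance check so that a swapped digit is reported as such rather than as a generic near-miss; a gateway policy might quarantine the first class outright and route the others to human review.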
Always keep employees updated on what BEC involves and how to avoid it. This means continual cybersecurity awareness training. There are many options for this, and any of them will fit into the budget more comfortably than a BEC crime. Just keep in mind that these attacks are evolving all the time, so a one-and-done approach to awareness training just won’t do.
BECs are, and continue to be, a crime relying on trust and the exploitation of that trust. These scams remain underreported, perhaps because victims feel they’ve been duped by the attacker and see the incident as an embarrassment they don’t want reported. Regardless, BECs continue to deceive, impersonate, mimic and steal their way into profiting from another’s trust via fraudulent means.