Identify and Prevent Business Email Compromise (BEC) Scams
In a law enforcement operation against one of the largest Nigerian cybercrime gangs, one that had become a worldwide menace, 11 members of the SilverTerrier group were arrested in December 2021. The arrest of this notorious gang, whose business email compromise scams had crippled businesses, brought to light the wider problem persisting in the corporate cyber landscape.
With an estimated 50,000 individual and corporate victims, SilverTerrier is suspected of using business email compromise as its primary targeting strategy. What began in 2014 as a group of novices in Nigeria looking for quick money took up BEC as their entry into the cybercrime world. The syndicate grew into several active groups, accused of victimizing thousands of organizations under the pretext of business email in order to attack, exploit and expose them to data compromise.
While the arrest of 11 SilverTerrier members after long-term Interpol tracking is a significant catch and may help identify the gang's past, ongoing and future fraud projects, business email compromise (BEC) remains a vast problem that is far from fully mitigated.
This incident is only a small part of the larger picture of how business email compromise scams (BECs) are damaging the finances and reputation of businesses and individuals. Muddying the waters further, digital transformation and disruption have widened the trail of BEC scams. The patterns now include highly sophisticated, socially engineered and personalized emails to companies and individuals alike, where a single compromised account becomes the breeding ground for the orchestrated plan.
What is a Business Email Compromise or BEC scam?
A Business Email Compromise scam usually starts with an email from criminals that appears to come from a legitimate source and makes a request. Typical lures include someone masquerading as the CEO asking an assistant to purchase gift cards for employees, a vendor your organization deals with sending the monthly invoice with an updated mailing address, or a freelancer receiving a message, apparently from the brand he or she works for, with instructions on how to wire the month-end payment.
In each case, hundreds of thousands of people have been victimized by fake emails that appear authentic in every element, with each variant robbing people of their money and peace of mind.
Examples of Business Email Compromise scams
The Bogus Invoice Scheme – Organizations with foreign suppliers are the most common targets of the bogus invoice scheme. Scamsters pose as a supplier and request that funds be transferred to an account the fraudsters control. With attention to detail and a little persuasion, companies fall prey to such fraudsters more often than not.
CEO Fraud – Scamsters pose as the company's CEO and send fraudulent emails, masquerading as legitimate, to employees in the finance department requesting fund transfers to one of their accounts. The fraudsters abuse the authority of the CEO's position and loot the organization's capital, with no one suspecting anything until the money has been wired.
Account Compromise – A company's official email account is hacked and misused to send requests for invoice-related payments to the vendors listed in its email contacts.
Attorney Impersonation – Scamsters pose as someone from a law firm, under the pretext of handling a confidential matter. This scam often targets lower-level employees, who usually do not question the authenticity of the request and respond without asking much.
Data Theft – Scamsters target bookkeeping or HR employees to obtain confidential and sensitive data, such as personally identifiable information, tax statements or financial records, which lays the groundwork for further attacks.
How do Criminals Carry Out BEC (Business Email Compromise) Scams?
A BEC scammer may use one or more of the following techniques to scam businesses and individuals:
- Spoof a website or email account with slight variations that go unnoticed, deceiving victims into believing the account is authentic.
- Plant malware that infiltrates the company's systems or networks. The malware gives the scamsters access to legitimate email threads about invoices, billing and financial transactions. This data lets them time their messages to bookkeepers so that the authenticity of a fund transfer request is never questioned, and gives them undetected access to the business's or individual's confidential data.
- Send spear-phishing emails that appear to come from trusted sources to trick victims into revealing sensitive and confidential information. This information gives scamsters access to company accounts, financial data and calendars with which to carry out the BEC scheme.
BEC is often the starting point for compromising employees and mounting a larger cyberattack on the company.
How to Protect Yourself from Business Email Compromise (BEC) Scams?
- Vigilance is the key to protecting yourself from BEC scams, so be careful about the amount and kind of information you share on social media platforms.
- Do not click on unsolicited emails, attachments or links that ask you to verify your account or update data. Look up the suspicious email address and phone number online to check whether the sender is legitimate.
- Examine the URL, phone number, email address and spelling for slight variations that are designed to slip past the eye and eventually win your trust.
- Verify purchases and payment requests by calling the requester directly to ensure that the account requesting the fund transfer is legitimate.
- Prevention is better than cure, which is where personal cyber insurance comes in: it may cover you against monetary losses.
- Enabling multi-factor authentication is another way to restrict mistaken fund transfers; it gives you a safety cushion and a chance to think twice.
- You can use smart phishing detection tools to be alerted whenever a phishing attempt reaches your device.
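The checks in the list above (lookalike addresses, mismatched reply addresses, executive impersonation, payment-change wording) can be applied mechanically as a first-pass triage before a human picks up the phone. The script below is an added example and is not code from the original article or from any product it mentions; the trusted domain list, the homoglyph table, the phrase list and the three sample messages are all constructed for illustration.

```python
"""Heuristic triage of inbound mail for business email compromise (BEC) red flags.

Everything here is constructed for illustration: the trusted domains,
the homoglyph table, the phrase list and the sample messages are invented.
"""
import re
from email.utils import parseaddr

# Hypothetical corporate and vendor domains the organization actually deals with.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}

# Character swaps commonly used to build lookalike domains (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "5": "s"}

# Wording that often accompanies payment-diversion or gift-card requests.
PAYMENT_CHANGE_PHRASES = ("new bank", "updated bank", "change of account",
                          "new account", "wire", "gift card", "urgent")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Undo common homoglyph substitutions so 'acme-supp1ies' compares as 'acme-supplies'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain this domain imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def analyze(message: dict) -> list:
    """Return a list of human-readable red flags for one message.

    `message` has keys 'from', 'subject', 'body' and optionally 'reply_to'.
    """
    flags = []
    name, addr = parseaddr(message.get("from", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Sender domain that resembles a trusted one (bogus invoice / vendor impersonation).
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"sender domain {from_domain!r} resembles trusted {imitated!r}")

    # 2. Reply-To routed to a different domain than the visible sender.
    _, reply = parseaddr(message.get("reply_to", ""))
    if "@" in reply:
        reply_domain = reply.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            flags.append(f"reply-to domain {reply_domain!r} differs from sender {from_domain!r}")

    # 3. Executive title in the display name but the address is not a corporate one (CEO fraud).
    if re.search(r"\b(ceo|cfo|chief)\b", name, re.I) and from_domain not in TRUSTED_DOMAINS:
        flags.append(f"executive display name {name!r} used from external domain {from_domain!r}")

    # 4. Payment-change or urgency wording: route to out-of-band phone verification.
    text = (message.get("subject", "") + " " + message.get("body", "")).lower()
    hits = [p for p in PAYMENT_CHANGE_PHRASES if p in text]
    if hits:
        flags.append("payment/urgency wording (" + ", ".join(hits) + "); verify by phone before acting")
    return flags


# Constructed sample messages covering a bogus invoice, CEO fraud and a benign mail.
SAMPLE_MESSAGES = [
    {"from": "Accounts <billing@acme-supp1ies.com>",
     "subject": "Invoice 1042 - updated bank details",
     "body": "Please note our new bank account for this month's payment."},
    {"from": "CEO Jane Doe <jane.doe@mail.example>",
     "reply_to": "jane.doe@other.example",
     "subject": "Quick favour",
     "body": "I need you to buy gift cards for the team today, it is urgent."},
    {"from": "Pat Smith <pat.smith@example-corp.com>",
     "subject": "Lunch",
     "body": "Team lunch on Friday?"},
]


def triage(messages=SAMPLE_MESSAGES) -> dict:
    """Map each sender to its red flags; empty list means nothing suspicious was found."""
    return {m["from"]: analyze(m) for m in messages}


if __name__ == "__main__":
    for sender, flags in triage().items():
        print(sender, "->", flags or "no red flags")
```

The script only triages: a message with no flags is not proven safe, and a flagged payment request still needs the direct phone call the list above recommends. The distance threshold and phrase list are starting points to tune against your own vendor list and mail volume.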
Since BEC scams are typically not delivered with suspicious attachments or malicious links, and tend to evade even well-designed traditional security solutions, the only way out is consistent awareness and employee training that helps staff spot the scam in time.
And while you adopt training as a solution, don't forget to stay vigilant and careful about what information you share on social media. Don't give the scammer an upper hand in guessing your password by making your whole life public. Moreover, before you click on a link, even if it seems legitimate, think twice about its contents and look for any difference that might be tricking you into trusting it.
Stay Vigilant! Stay Safe!