Business Email Compromise (BEC) Attack
What is a business email compromise (BEC) attack?
A business email compromise (BEC) attack is a type of cyberattack that targets businesses by sending fraudulent emails that appear to be from a legitimate source. The goal of a BEC attack is to trick the recipient into providing sensitive information, such as financial data or login credentials, or to make a fraudulent wire transfer.
BEC attacks often involve email spoofing, where the attacker manipulates the email header to make it appear as if the email is coming from a trusted source, like your boss, a vendor, a local business, or some large entity, like Google or Microsoft.
How common are business email compromise (BEC) attacks?
BEC attacks are very common. In 2021, the FBI’s Internet Crime Complaint Center (IC3) received over 241,000 complaints about BEC attacks, with losses totaling over $43 billion. With over a 566% increase from 2016 to 2021, the sophistication of BEC criminal actors and their ever-evolving tactics has only increased over time.
Some of the latest research shows that the median open rate for text-based BEC attacks is nearly 28%. And of the malicious emails that are read, an average of 15% are replied to. And while professional service providers, educational institutions, and religious organizations received the highest volume of BEC attacks in the second half of 2022, they were not most likely to read or reply to such malicious emails. Those most likely to read or reply to BEC attacks were employees at transportation providers, automotive enterprises, and healthcare organizations.
According to the FBI, the average loss per BEC victim is $130,000. The most common type of BEC attack is CEO fraud, in which the attacker impersonates the CEO or another high-level executive and sends an email to an employee requesting a wire transfer. Other common types of BEC attacks include:
- Vendor impersonation
- The attacker impersonates a vendor that the company does business with and sends an email requesting payment.
- Invoice fraud
- The attacker sends an email that appears to be from a legitimate vendor, but the invoice is fraudulent.
- Payment redirection
- The attacker sends an email that appears to be from the company’s bank, but the email contains a fraudulent link that redirects the victim to a fake website that looks like the company’s bank website.
How can you avoid becoming a victim of a business email compromise (BEC) attack?
There are a number of things you can do to avoid becoming a victim of a BEC attack:
- Educate your employees about BEC attacks.
- Make sure your employees know how to identify and avoid BEC attacks.
- Use strong passwords and two-factor authentication.
- Strong passwords and two-factor authentication can help protect your accounts from being hacked.
- Beware of emails that contain misspellings or grammatical errors.
- BEC attackers often make mistakes in their emails, such as misspelling the company name or using incorrect grammar. If you see any of these mistakes, be suspicious of the email.
- Be suspicious of emails that ask for sensitive information.
- If you receive an email that asks for your financial information, login credentials, or other sensitive data, be very suspicious. Do not click on any links in the email, and do not reply to the email. Instead, contact the sender directly in person or by phone to verify the request.
- Do not wire money to someone you have not spoken to in person.
- If you receive an email that asks you to wire money to someone, do not do it unless you have spoken to the person in person and verified that they are legitimate.
We support you with IT!
If you’ve been a victim of a BEC attack or want to proactively protect yourself against it, we are your team! We have over 25 years of experience in IT and cybersecurity; we know the ins-and-outs of protecting your most valuable asset: your network data. We train companies and their employees on how to combat business email compromise (BEC) attacks as well as a whole host of other types of cyberattacks. Additionally, we provide cybersecurity services that protect you from attacks like BEC attacks. If you’re looking for top-notch, first-rate service and cybersecurity, contact us today!