Every day seems to bring news of the latest high-profile cyber threat or attack. And it’s not just the big-name corporations that are at risk of a cyber security issue. Today’s highly sophisticated cyberattacks target all industries and sectors, and can impact organizations from nonprofits, schools and local businesses all the way up to global corporations and government entities.
One recent trend in cyberattacks, particularly in the realm of financial fraud, can impact businesses both large and small, and can leave a harmful and lasting impact on these businesses and their customers. It’s called business email compromise, or BEC, and it is a sophisticated scam that compromises legitimate business email accounts to conduct unauthorized transfers of funds or to request confidential information to be used for identity theft. Cisco’s annual Midyear Cybersecurity Report indicates this trend is on the rise.
BEC by the numbers:
What is BEC?
According to IBM’s X-Force Threat Intelligence Index, BEC is a simple and highly profitable social engineering attack. In most cases, attackers send an email pretending to be a company official, either from a domain similar to the victim’s domain or, in more sophisticated cases, by actually taking over the account of the impersonated executive and mimicking their writing style. The email often comes as an urgent request: a wire transfer of funds, a request for payment, the sending of a W-2 form, or the leaking of other critical data that attackers use to proliferate the scam through identity theft. The attackers will often use the method most commonly associated with their victim’s normal business practices to avoid raising red flags.
Some common trends and opportunities for BEC scams include:
What can businesses do to protect themselves and their customers from this trend?
Here are a few tips from the Internet Crime Complaint Center (IC3), a division of the FBI dedicated to internet crime like cyberattacks:
Establish a company domain name and use it to establish company email accounts.
If a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been through company email, the request could be fraudulent.
Use two-factor authentication for requests, and for phone verification use previously known numbers, not the numbers provided in the email request.
A complete list of self-protection strategies is available on the United States Department of Justice website www.justice.gov in the publication titled “Best Practices for Victim Response and Reporting of Cyber Incidents.”
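The two warning signs described above, a sender domain that only resembles the company domain and a request to reply to a personal address, can be checked automatically on inbound mail. The following is an added example, not part of the original article or of the IC3 guidance; the company domain `example-corp.com`, the short personal-mail provider list, the edit-distance threshold and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                   # assumption: your own mail domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption: sample provider list
# Digits commonly substituted for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(domain):
    """Collapse common visual substitutions (digits, 'rn' for 'm')."""
    return domain.translate(CONFUSABLES).replace("rn", "m")

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_lookalike(domain, company=COMPANY_DOMAIN):
    """True for a domain that is not the company's but closely resembles it."""
    if not domain or domain == company:
        return False
    # Threshold of 2 is an assumption; tune it against your own mail flow.
    return fold(domain) == fold(company) or edit_distance(domain, company) <= 2

def bec_flags(raw_message):
    """Return the list of BEC warning signs found in one raw message."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if is_lookalike(sender):
        flags.append("lookalike-sender-domain")
    if reply_to in FREEMAIL and sender not in FREEMAIL:
        flags.append("reply-to-personal-address")
    return flags

# Constructed sample message: digit '1' replaces the letter 'l' in the domain.
SAMPLE = (
    'From: "Pat Lee, CEO" <pat.lee@examp1e-corp.com>\n'
    "Reply-To: pat.lee.ceo@gmail.com\n"
    "Subject: Urgent wire transfer today\n\n"
    "Please wire the funds before noon.\n"
)
```

A flagged message is a prompt for out-of-band verification using a previously known phone number, not proof of fraud; a takeover of the real executive account will pass both checks.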
Cyber threats are here to stay as businesses and individuals increasingly rely on the internet and technology in all aspects of their lives. And while the threat is real and increasing, so are the education, resources and tools available to help you detect and respond to cyber threats. Protecting your business and the sensitive information of your employees, customers and vendors is of critical importance in ensuring the long-term health and success of your business.
Cisco, “2017 Midyear Cybersecurity Report,” July 2017.
Federal Bureau of Investigation – Internet Crime Complaint Center (IC3), “Business E-mail Compromise E-mail Account Compromise The 5 Billion Dollar Scam,” Public Service Announcement, https://www.ic3.gov/media/2017/170504.aspx, May 4, 2017.
IBM Security, “IBM X-Force Threat Intelligence Index 2017,” March 2017.