
Business Email Compromise Explained: Prevention and Protection

In an era rife with data breaches and cybersecurity incidents, business email compromise (BEC) scams can be some of the most financially damaging cybercrimes. FBI data revealed that BEC incidents accounted for $51 billion in losses between 2013 and 2022.

Even as these breaches become more routine, businesses should not lose sight of their seriousness or of the importance of a robust cybersecurity strategy.

The Rise of Business Email Compromise

Business email compromise, also commonly known as email account compromise (EAC), is gaining in popularity due to its effectiveness. These cybercrimes involve deceiving people or organizations into transferring money or sharing sensitive information via email. BEC scams are a type of phishing attack that can be financially damaging and affect organizations of all sizes and sectors.

BEC attacks often involve impersonating a trusted user, such as a CFO, from a spoofed email address that differs from the real one by a single letter, symbol or number, and instructing the recipient to wire money to the perpetrator's account. Attackers typically gain access to a company email account and send emails to specific contacts to persuade them to send funds or provide information that can later be exploited. The targeted user is misled into interacting with what appears to be a legitimate contact, either through a similar-looking domain or a familiar display name.

Real-World Example of Business Email Compromise Scenarios

BEC attacks are meticulously planned and executed, often targeting specific individuals within an organization who have access to sensitive information or financial resources.

One common example of a BEC attack involves a company's billing manager. The attack begins with the billing manager receiving a phishing email from what appears to be a trusted source. The email contains a link to a fraudulent website designed to look like a legitimate login page. Unaware of the deception, the billing manager enters their password on the fake site, inadvertently giving the cybercriminal access to their email account.

With control of the billing manager's email account, the attacker can send emails to the company's clients. These emails instruct clients to wire money to a "new account," which is the cybercriminal's overseas account. The emails are crafted to look authentic, often using the company's branding and language to avoid raising suspicion. Clients, believing the request to be legitimate, follow the instructions and transfer funds to the criminal's account.

This fraudulent activity can continue for a while before the billing manager or the clients realize something is amiss. By the time the deception is uncovered, the money transferred to the fake account is typically irretrievably lost. The financial impact on the company can be significant, and the damage to its reputation can be long-lasting.

BEC attacks are effective because they exploit the trust and familiarity inherent in business communications. By impersonating a trusted colleague or using a similar-looking email address, attackers can deceive their targets into taking actions they would not normally consider. This highlights the importance of robust cybersecurity measures, employee training and vigilant monitoring to detect and prevent such attacks.

Counting the Cost: The Financial Impact of Business Email Compromise

According to the FBI’s Internet Crime Complaint Center (IC3), there was a 17% increase in identified BEC losses globally from December 2021 to December 2022. Cybercriminals succeed by making their messages appear as though they are from a "trusted source," which often causes recipients to lower their guard when dealing with these communications.

Infosecurity Magazine reports that, according to Vipre Security Group, artificial intelligence (AI)-powered business email compromise scams are increasingly targeting manufacturers and now account for over half of all phishing attempts. The Email Threat Trends Report: Q3 2024 revealed that 12% of the 1.8 billion emails processed globally were malicious, with BEC making up 58% of phishing attempts.

Manufacturers are particularly vulnerable, with 10% of emails in this sector being BEC attempts, up from just 2% in Q1 2024. These attacks frequently involve impersonating high-ranking individuals and are crafted using generative AI, making them more sophisticated and harder to detect. The report also highlighted the use of URL redirects and malicious attachments to evade security controls and trick users.

To meet this challenge, ensure your organization has a well-developed AI risk management program and implementation strategy, starting with a thorough risk assessment and sound data and security management practices to address AI cyber risks.

The financial impact of BEC attacks can be devastating for organizations of all sizes. The funds lost in these scams are often irretrievable, especially when transferred to overseas accounts. Additionally, the indirect costs, such as the time and resources spent on recovery and the potential loss of business due to damaged trust, can further compound the financial burden.

Moreover, the psychological impact on employees who fall victim to these frauds can be significant. They may feel a sense of guilt or responsibility for the breach, which can affect their morale and productivity. This underscores the importance of regular training and awareness programs to help employees recognize and respond to potential BEC threats.

The cost of falling prey to BEC is multifaceted, encompassing direct financial losses, indirect costs and psychological impacts. Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate these risks and protect their assets and reputation.

Protecting Against BECs

There are measures companies can take to prevent BEC scams and avoid becoming part of the next wave of statistics. While many technical and monitoring controls can be put in place at the system level, such as email scanning and spoofing detection, companies should also focus on training employees to detect fraudulent emails. Organizations can implement simple tips to avoid cyber threats, including:

  • Avoid clicking on unsolicited messages (emails, texts, IMs, etc.) asking you to update or verify your account information.
  • Always double-check email addresses, website URLs and spelling in any communications. Scammers often use slight differences to trick you into believing you are communicating with a trusted person.
  • Never open an email attachment from someone you do not know, and be cautious of attachments that are forwarded to you.
  • Set up multi-factor authentication (MFA) on all accounts that allow it and never disable it for ease-of-use issues. Cybercriminals are counting on you to do that.
  • Verify payment and purchase requests in person or by calling the person to ensure their legitimacy.
  • Be especially suspicious of any requestor asking you to act quickly.
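The address and urgency checks in the list above, written out as a small triage script: it flags a sender domain one character off a trusted one, a familiar display name on an address that is not on file, a Reply-To pointing elsewhere, and a payment instruction paired with pressure to act quickly. This is an added example, not code from Cherry Bekaert or the original post; the trusted domains, contact list and sample message are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed for this example: domains and contacts the organisation already trusts.
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}
KNOWN_CONTACTS = {"Pat Rivera": "pat.rivera@example-corp.com"}
PAYMENT_WORDS = ("wire", "new account", "bank details", "invoice")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "right away")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: 1 means one letter, symbol or digit was changed, added or dropped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_message(from_header: str, body: str, reply_to: str = "") -> list:
    """Return the reasons a message deserves out-of-band verification (empty list = nothing flagged)."""
    reasons = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    # Sender domain one character off a trusted one (e.g. a digit 1 in place of a letter l).
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= 1:
                reasons.append(f"sender domain {domain!r} is one edit away from trusted {trusted!r}")
    # Familiar display name, but not the address the address book has on file for it.
    expected = KNOWN_CONTACTS.get(name)
    if expected and expected.lower() != addr.lower():
        reasons.append(f"display name {name!r} is known, but {addr!r} is not the address on file")
    # Replies quietly routed to a different domain than the visible sender.
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rsplit("@", 1)[-1].lower()
        if reply_domain != domain:
            reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain {domain!r}")
    # Payment instruction combined with pressure to act quickly.
    text = body.lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        reasons.append("payment instruction combined with pressure to act quickly")
    return reasons

if __name__ == "__main__":
    # Constructed sample: the CFO's name on a domain one character off, asking for a quick wire.
    sample_from = "Pat Rivera <pat.rivera@examp1e-corp.com>"
    sample_body = "Please wire the vendor payment to our new account today; I am in meetings, confirm by email."
    for reason in assess_message(sample_from, sample_body):
        print("FLAG:", reason)
```

A flagged message is a prompt to verify by phone or in person, as the list above recommends, not a verdict on its own.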

If an email seems suspicious, or if you believe you may have accidentally fallen for a similar scam, alert your information technology (IT) or security team immediately.

The best way to avoid falling victim to cyber threats is to always be vigilant and never let your guard down. If a message seems suspicious, it should be treated with caution. Companies should ensure that they regularly train their employees and keep them updated on the latest cybersecurity events.

How Cherry Bekaert Can Help

Cherry Bekaert’s Virtual Chief Information Officer (VCISO) services can assist with monitoring and training to ensure the company has the proper knowledge and controls. Our Information Assurance and Cybersecurity practice can also review existing IT policies and procedures or perform phishing tests to simulate a BEC to test how users will respond. This will help to ensure the company has the foundation to sufficiently safeguard itself during turbulent times.

To discuss how Cherry Bekaert can help protect your company against increasingly sophisticated cyber threats, please contact our Cybersecurity and IT Security team today or reach out to your Cherry Bekaert advisor.

Audrey Magennis

Information Assurance & Cybersecurity

Director, Cherry Bekaert Advisory LLC

Kurt Manske

Information Assurance & Cybersecurity Leader

Partner, Cherry Bekaert Advisory LLC

Steven J. Ursillo, Jr.

Information Assurance & Cybersecurity

Partner, Cherry Bekaert LLP
Partner, Cherry Bekaert Advisory LLC

John Messina

Information Assurance & Cybersecurity

Manager, Cherry Bekaert Advisory LLC

Daniel Gallagher

Information Assurance & Cybersecurity

Sr. Manager, Cherry Bekaert Advisory LLC