We all know that, for the most part, E-Mail is still one of the most favored means by which the Cyber attacker launches their threats. In the end, it has been one of the longest-lasting tools they use.
For example, when we log into our E-Mail, whether for personal or professional reasons, we are always warned not to download any suspicious attachments and to watch for the usual telltale signs of the traditional Phishing E-Mail (such as hard-to-see typos, weird subject lines, etc.).
We are also warned all the time to confirm the origin of an E-Mail if we are uncertain of the sender. In these particular instances, the Cyber attacker often takes over the victim's address book and sends out Phishing-based E-Mails under a hijacked contact name from that address book. Yep, it keeps going on and on.
But now there is a new form of threat emerging with regard to E-Mail, known technically as “Business E-Mail Compromise”, or “BEC” for short. What is it, you may be wondering? Well, a technical definition of it is as follows:
“A business email compromise (BEC) is an exploit in which the attacker gains access to a corporate email account and spoofs the owner’s identity to defraud the company or its employees, customers or partners of money. In some cases, an attacker simply creates an account with an email address that is very similar to one on the corporate network. BEC are also referred to as man-in-the-email attacks.”
So there you have it. The definition says it all. The only differences from traditional Phishing are that no malicious attachment is ever sent, and that a new term has been coined for it. In the end, it is the principles of Social Engineering that are used to carry out these kinds of attacks, preying upon the fear of the innocent victim.
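The two tricks in that definition, an address that merely looks like the real one and a display name borrowed from a real executive, can be checked mechanically at the mail gateway before a human ever has to judge the message. The following is an added example (not from this article or from the Agari report) that flags those indicators in a message's From and Reply-To headers; the executive list, the owned domain and the sample headers are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed placeholders: the real addresses of people who are commonly impersonated,
# and the domains the organisation actually owns.
KNOWN_SENDERS = {"ceo@example.com": "Jane Doe"}
OWNED_DOMAINS = {"example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss lookalike domains (e.g. examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    addr = addr.lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def bec_indicators(from_header, reply_to_header=""):
    """Return a list of BEC-style indicators found in the From / Reply-To headers."""
    display, addr = parseaddr(from_header)
    addr, domain = addr.lower(), domain_of(addr)
    findings = []
    # 1. A known executive's display name paired with an address that is not theirs.
    for real_addr, real_name in KNOWN_SENDERS.items():
        if display.strip().lower() == real_name.lower() and addr != real_addr:
            findings.append(f"display name '{real_name}' on foreign address {addr}")
    # 2. Lookalike domain: within two edits of an owned domain but not equal to it.
    for owned in OWNED_DOMAINS:
        if domain != owned and edit_distance(domain, owned) <= 2:
            findings.append(f"lookalike domain {domain} (near {owned})")
    # 3. Reply-To silently redirects the conversation to a different domain.
    reply_domain = domain_of(parseaddr(reply_to_header)[1]) if reply_to_header else ""
    if reply_domain and reply_domain != domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {domain}")
    return findings

if __name__ == "__main__":
    # Constructed sample headers: a legitimate message, a lookalike domain, and a Reply-To swap.
    for hdrs in [('"Jane Doe" <ceo@example.com>', ""),
                 ('"Jane Doe" <jane.doe@examp1e.com>', ""),
                 ('"Jane Doe" <ceo@example.com>', "Jane Doe <jane.doe.ceo@gmail.com>")]:
        print(hdrs[0], "->", bec_indicators(*hdrs) or ["no indicators"])
```

A hit from any of these checks is a reason to route the message for review or to tag it visibly for the recipient, not proof of fraud on its own.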
In fact, here are some alarming statistics from a report entitled “Behind the ‘From’ Lines: Email Fraud on a Global Scale”, published by Agari and made public at the FS-ISAC 2018 Annual Summit:
* 24% of all Cyber attacks are now BEC related.
* BEC attacks produce more victims and result in higher dollar losses than any other criminal E-Mail attack.
* BEC attacks are also ten times more likely to produce a victim if he or she answers an initial probe E-Mail, such as “Are you at your desk to make a payment?”
* BEC losses increased to $675 million so far in 2018, up more than 300 percent from $215 million in 2014.
* Criminal E-Mail accounts request payments (from a BEC) ranging anywhere from $1,500 to more than $200,000, with the average request being $35,500.
* Romance-related scams accounted for 11 percent of all BEC attacks.
* American businesses are far more likely to be attacked by BEC scammers operating from Africa.
These are truly stark figures, and they are only going to get worse as time goes on. If you think about it, there is no type or kind of security technology that can prevent this kind of threat from happening. Any business or corporation can install the latest firewalls, routers, AI tools, network intrusion detectors, etc., but how is that going to prevent an administrative assistant from unwittingly transferring thousands, if not millions, of dollars to her supposed boss (who is really the BEC scammer)?
Once again, the only line of defense is employee education. It is not enough now to just teach them what a Phishing E-Mail looks like; they must also learn what a BEC E-Mail looks like, or for that matter, what a BEC-based phone call sounds like. The key thing to teach your employees is that if they ever receive such an E-Mail or phone call, they should always confirm its authenticity and legitimacy with their higher-ups.
As this quote so eloquently sums it up: “Business email compromise has become a pervasive threat – it is the most popular, the most effective, and the most damaging of all of the attacks we research . . . These organized crime groups will not stop these attacks.” (Source: https://www.scmagazine.com/email-fraud-still-a-substantial-threat-to-business/article/768376/)