Business Email Compromise Scam (BEC Scam)
BEC Scams are becoming much more common and can take many different forms. They are primarily used to gain access to financial accounts – however can also be used to gain access to someone’s email account or other sensitive information. This type of scam is increasing in popularity and becoming more frequent as the payoff is greater for the cybercriminal.
There are many types of BEC Scams, however the two most common are:
- Credential Grabbing: This type of attack normally involves using keyloggers and phishing scams to steal the credentials used to access an individual’s email account. A keylogger is a malicious software that records your keystrokes on a computer – which could include your bank login, email credentials, etc. Keyloggers are typically installed by clicking a malicious link, visiting a compromised website or by exploiting a vulnerable application – usually in the form of outdated, unpatched software.
- Email only: This method is easier for the cybercriminal to achieve. This is typically done by sending a fake email appearing to come from the management team or other trusted source asking for confidential information.
At it’s core – a BEC Scam is a form of social engineering. Social Engineering is the ability to manipulate people into giving up confidential information or carrying out deceitful requests. Cybercriminals take advantage of our natural human nature to trust each other - making it easier for them to trick individuals into falling for their scams.
Spotting a BEC scam email
BEC scam emails most commonly request the following information:
- Wire transfers
- Change to their banking information
- Changes to the company’s electronic fund transfer accounts.
- The purchase of gift cards or pre-paid cards (with activation codes).
Other information to be cautious about which may not seem as suspicious could include:
- Employee information
- Tax information
- Vendor information
Responding to a BEC Scam email could put your organization’s money and sensitive information directly in the hands of a cybercriminal. Never respond to a suspicious email – even if it appears to come from a trusted source until you’ve either verified the request by phone or by email with the assumed sender.
How to prevent falling victim of a BEC scam
Being cautious and attentive when responding to emails or clicking links can greatly decrease your chances of falling victim of a BEC scam.
Every day, cybercriminals are becoming more sophisticated in their attempts. Never respond or confirm any requests by email. Even if the email appears to be legitimate and coming from a trusted source, assume that the email account may have been compromised. Always confirm any request for information or financial intent with the sender by phone or in person.
Finally – trust your gut. If something does not seem right or feels out of character, it probably is. Always think twice before completing any major action requested by email. Consider who is sending the email, what they are asking you to do and why they may be asking you to do their request.