Cybercriminals have stolen $3.1 billion from businesses since January 2015 — not with high-tech ransomware or stealthy spyware, but rather with low-tech emails. The U.S. Federal Bureau of Investigation (FBI) refers to these attacks as Business Email Compromise (BEC) scams. Since January 2015, more than 22,000 businesses worldwide (including businesses in all 50 U.S. states) have reported falling victim to a BEC scam. There are likely many more businesses that were swindled but did not report it.
Although using emails is a low-tech approach to stealing money, these emails are well crafted. Each BEC email is polished and specific to the business being victimized. The cybercriminals spend a good deal of time creating each email in the hope that its legitimacy will not be questioned.
The cybercriminals behind the BEC scams are digital con artists. Like regular con artists, they first study their victims. They identify the individuals and information necessary to carry out the scams. As part of this research, the digital con artists sometimes send out phishing emails that request details about the businesses or individuals being targeted. Alternatively, the phishing emails might install malware that obtains sensitive business information, such as financial account records. The cybercriminals also use social engineering techniques to get information. For instance, they might visit social media websites (e.g., LinkedIn, Facebook) or call the company.
After the digital con artists have the information they need to scam a business, they create the BEC email. They try to get both the wording and graphical elements to look like a legitimate email from that business (or from an organization it does business with, such as a supplier). They know that the closer the match, the harder it will be to spot the scam.
When the FBI analyzed the reports of the 22,000+ BEC victims, it discovered that there were five main variations of the BEC scam:
Knowing about the five BEC scam variations is one of the best ways to avoid falling victim to them. Thus, you need to educate employees at all levels about the scam scenarios so they can spot BEC emails. In addition, employees should be taught how to spot phishing emails since cybercriminals will use them to gather information prior to creating the BEC emails.
Besides training employees, you should take the following measures to avoid being swindled by a BEC scam:
About CHIPS Computer Services
CHIPS Computer Services is an award-winning Managed Services Provider specializing in helping businesses increase efficiencies and profits by leveraging properly managed technology. To learn how CHIPS can help your business, email us at email@example.com to schedule a no-cost business assessment.