BEC: the often forgotten threat

Business email compromise (BEC)

BEC scams don’t often feature in the media “most likely because they’ve been around for years, aren’t advanced or sophisticated, and doesn’t sound all that newsworthy,” according to Ronnie Tokazowski, a senior malware analyst at Flashpoint.

BEC scams target organizations in the hope of compromising a victim's email account and obtaining personal data, payroll information, or funds. Attackers often pose as senior executives or even CEOs to deceive the victim and subsequently gain access. These scams are simple but effective.

BEC scams are increasing

According to the FBI, losses from BEC scams have increased more than 2,300% to $5.3 billion since 2015. These figures suggest that BEC scams could pose a larger threat than ransomware.

Special Agent Martin Licciardo at the FBI’s Washington field office said:

BEC is a serious threat on a global scale. And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims.

Tokazowski said:

One of the best ways to help protect organizations from this type of attack is to work with users and inform them of the threat.

When employees question requests received via email, we recommend following up with a confirmation phone call to avoid falling victim, all the more so when it comes to international transactions, especially if the email requests create a false sense of urgency.

BEC scams are on the increase and these findings reiterate the importance of remaining vigilant and educating employees. The simple nature of these attacks can cause maximum damage with minimal effort from the attackers, as it only takes one employee to fall victim and compromise your sensitive data.

Protect your organization and educate your staff 

No matter how effective your spam filter is, a spoofed email could bypass it, making your organization’s staff the last line of defense against fraud. It is therefore vital that your staff are aware of the risks of phishing emails. eLearning courses are an efficient, cost-effective method of training all your staff with minimal disruption.

Our Phishing Staff Awareness Course gives your staff an introduction to understanding and spotting phishing scams, and helps reduce the chance that an employee will hand over confidential information or inadvertently infect your organization’s systems. The course helps employees identify phishing attacks, explains what would happen should they fall victim, and shows them how they can mitigate the threat of an attack.
