Like a ghost, most business email compromise (BEC) scams are able to sneak through most technical defenses and end up in end-user inboxes.
Unlike regular phishing messages, BEC scams often do not have a ton of obvious signs of maliciousness. Many BEC scams only contain an invoice and maybe a phone number. There is no scammy-looking URL, scary language, or malicious document to download. With BEC scams, the best defenses are good policies and end-user education.
BEC scams have long been a big reason for cybersecurity financial losses, falling only behind ransomware in terms of total damage. The FBI stated that over a quarter of a million victims lost over $50B in 2022 alone. Some of the most tech savvy and sophisticated businesses have lost hundreds of millions of dollars to BEC scams.
Common examples of BEC scams include:
- Fake invoice asking for payment
- Mortgage loan recipient asked to send over an escrow payment to an unauthorized bank
- Accounts payable clerk asked to update regular payment instructions with new wiring information
- Boss supposedly asking for money or gift cards to be sent to satisfy some emergency business need
BEC scams can be very sophisticated. They can arrive from email addresses that belong to the normal and authorized requestor (because the requestor’s email account is compromised). They can refer to normal ongoing transactions and contain private details that only the normal recipients should be privy to. They can contain references to other people’s names who might be naturally involved, to give the recipient a feeling that the requestor is a knowledgeable insider. In fact, the only detail that may not be normal is the BEC request itself.
BEC Defenses
Organizations need to make it as hard as possible for a BEC to be successful by creating policies and procedures that prevent the fraudulent request from being performed. For example, if a requestor is asking for accounts payable or wiring instructions to be updated, the employee involved in making that change must be required, by policy, to verify the update request using a secondary, trusted channel. Perhaps the employee getting an email request to update payment instructions calls the other side using a known good phone number and talks to them to confirm the request.
As another example, suppose “a boss”, using email, requests an emergency payment that must be completed in order for an important pending business deal to go through. An organization with good anti-BEC policies will force the request to be confirmed by the employee calling and discussing with the real boss before the payment is made. The policy protects the company and the employee.
The idea is to use official policy to make BEC scams less likely to occur. Official policy also provides the employee with protection. For example, suppose the boss really did want the employee to buy 10 emergency gift cards. The boss would have to understand that the employee absolutely could not complete the request without confirming over the phone using a known good phone number. With official policy, the employee knows they will not be fired for at first delaying the boss’s request and the boss will have to understand why the employee delayed the request. Good policies protect the employee and the organization.
Education
Educate your employees who can be victimized by BEC scams. If the employee is authorized to spend money, buy things, pay invoices, update payment information, etc., they need to be made aware of BEC scams. They need to be provided with many common examples and be taught what to look out for.
You want your well-trained employee to be aware of BEC scams, know how to recognize them, know how to treat them, and know how to report. Part of that security awareness training should include simulated BEC scams to test how well your employees recognize and report them. Do not let the real BEC scammers be the only ones testing your employees.
If you do your policies and security awareness training well enough, you will prevent the Spooky Steves of the BEC world from getting through undetected.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Here's what you'll get:
