May 19 – In recent years, enterprises have seen an alarming surge in business email compromise (BEC) attacks. These threats increased by 38% across the past four years, and the U.S. Federal Bureau of Investigation reported that corresponding losses in 2022 exceeded $590 million.

Research conducted across the past few months indicates that business email compromise attempts are becoming increasingly sophisticated. By purchasing an IP address that matches a victim’s location, attackers can now hide their origins, rendering it particularly challenging for professionals to track and attribute BEC activities.

What is a BEC scam?

Typically, the success of BEC scams depends on compromising the email accounts of people working within the target organization. This enables the scammers to silently observe communications and to identify opportunities in which to insert themselves.

When the time is ‘right’, the fraudsters send an email from a compromised user account, requesting for the accounting department to make changes to a bank transfer.

In some cases, scammers impersonate a contractor and suddenly demand a payment for services, or a scammer impersonates a CEO in order to instruct accountants to make an urgent transfer.

BEC scams information

Earlier this year, Europol dismantled a ‘CEO fraud’ group that leveraged business email compromise to steal €38 million within just a few days.

The scammers impersonated CEOs as they virtually communicated with targets working in organizations’ financial departments. Employees were tricked into providing payments to bank accounts that were under the scammers’ control. The money was quickly moved across multiple countries.

According to Microsoft, evolution of the cyber crime economy could result in hackers’ use of residential IP addresses to evade detection.

Actionable prevention measures

Take proactive measures to combat BEC scams. Be sure that your organization:

• Maximizes security settings in email systems (enabling notifications for unverified email senders and blocking suspicious identities)
• Has strong authentication mechanisms in place, such as multi-factor authentication and passwordless technology
• Invests in employee training so that employees can recognize signs of BEC attacks and can stop them before they cause damage
• Always places a phone call to the source of an email (using a phone number listed in your organization’s CRM) ahead of agreeing to a financial transaction

Get more of the latest insights into email security here.Or check out our BEC 3.0 video, below:

Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.