Endless amounts of ink have been spilled to analyze, dissect and report on the flood of ransomware attacks in the last few years. But ransomware is not the nastiest security threat that businesses face. There’s another category of cyberattack that has the potential to cause more trouble and do more damage than ransomware can: business email compromise (BEC). This stealth operator has been quietly thriving in ransomware’s shadow, putting it “out of sight out of mind” for many organizations. However, it should be on every IT professional’s radar because while BEC may not make headlines often, it’s certainly the biggest, worst threat on the block.
Business email compromise (BEC), sometimes called email account compromise (EAC), is a phishing-based cyberattack that utilizes legitimate (or freshly stolen) email accounts from a seemingly trustworthy source to fraudulently acquire money, personal information, financial details, payments, credit card numbers and other data from a business. These scams can target businesses that use wire transfers, foreign suppliers, and other invoice transactions. They can also be perpetrated against employees to obtain data, access to assets, or money.
A business email compromise is not a one-size-fits-all proposition. It is especially tricky to spot because it is a scheme that can take many forms.
Urgent payment required scams
Fake invoice scams are the most common BEC variation. In this scenario, someone with the authority to pay vendors in an organization is sent a legitimate-looking invoice from a company that their organization does business with demanding immediate payment to avoid loss of goods or services.
Gift cards and wire transfers
Money is the goal behind BEC. Cybercriminals will often demand that fraudulent payments be sent to them via wire transfer, cash app, or gift card. This is especially common in CEO fraud scenarios, where an employee is tricked through social engineering into transferring funds, electronically or using a gift card, to someone posing as an executive of their company. An estimated 62% of BEC scams involve cybercriminals asking for gift cards, cash app transfers, or money cards.
Credential compromise scams
In this BEC variant, fraudsters will ask the victim to provide credentials for a business account or access to a company’s systems or data, often on the pretense that they’ve misplaced credentials or weren’t given the right ones to complete a task. This is the scenario used in the 2020 Twitter hack when a bad actor contacted Twitter for system credentials while pretending to be a repair specialist.
BEC is a constant menace, but it can be tricky to spot because it can take many forms, although employees are most likely to encounter it through phishing. These examples of BEC attacks can help illustrate what a BEC attack might look like in the wild.
BEC is not a threat that anyone should underestimate, and it has the potential to do much more damage in many ways than other cyberattacks like ransomware. The potential for huge profit is a big enticement for ransomware gangs to convert their operations to BEC. In fact, the U.S. Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3) declared that when estimated yearly losses between those two cyberattacks were compared, BEC turned out to be 64x worse than ransomware for a company’s finances.
The 2021 IC3 Internet Crime Report makes it clear: BEC remains the reigning champion of risks. In the U.S., BEC schemes were the costliest cybercrimes reported to IC3 in 2020 and 2021, and that’s not expected to change in 2022. In fact, BEC rose substantially in 2021. In 2020, BEC clocked in at 19,369 complaints with an adjusted loss of approximately $1.8 billion. But for 2021 those loss numbers climbed significantly. The BEC category showed that complainants to IC3 suffered $2,395,953,296 in losses in 2021, a whopping 28% higher than 2020’s record total of $1,866,642,107, with 3% more total BEC complaints.
Source: ID Agent