Endless amounts of ink have been spilled to analyze, dissect and report on the flood of ransomware attacks in the last few years. But ransomware is not the nastiest security threat that businesses face. There’s another category of cyberattack that has the potential to cause more trouble and do more damage than ransomware can: business email compromise (BEC). This stealth operator has been quietly thriving in ransomware’s shadow, putting it “out of sight out of mind” for many organizations. However, it should be on every IT professional’s radar because while BEC may not make headlines often, it’s certainly the biggest, worst threat on the block.

Business email compromise (BEC) sometimes called email account compromise (EAC)— is a phishing-based cyberattack that utilizes legitimate (or freshly stolen) email accounts from a seemingly trustworthy source to fraudulently acquire money, personal information, financial details, payments, credit card numbers and other data from a business. These scams can target businesses that use wire transfers, foreign suppliers, and other invoice transactions. They can also be perpetrated against employees to obtain data, access to assets, or money.

What Are Some Business Email Compromise Varieties?

A business email compromise is not a one-size-fits-all proposition. It is especially tricky to spot because it is a scheme that can take many forms.

Urgent payment required scams 

Fake invoice scams are the most common BEC variation. In this scenario, someone with the authority to pay vendors in an organization is sent a legitimate-looking invoice from a company that their organization does business with demanding immediate payment to avoid loss of goods or services.

Gift cards and wire transfers 

Money is the goal behind BEC. Cybercriminals will often demand that payment for fraudulent reasons be transferred to them via wire transfer, cash app, or gift card. This is especially common in CEO fraud scenarios, where an employee is tricked through social engineering into transferring funds to someone posing as an executive of their company electronically or using a gift card. An estimated 62% of BEC scams involve cybercriminals asking for gift cards, cash app transfers, or money cards.

Credential compromise scams 

In this BEC variant, fraudsters will ask for the victim to provide credentials for a business account or access to a company’s systems or data, often on the pretense that they’ve misplaced credentials or weren’t given the right ones to complete a task. This is the scenario used in the 2020 Twitter hack when a bad actor contacted Twitter for system credentials while pretending to be a repair specialist.

BEC Happens All the Time

BEC is a constant menace, but it can be tricky to spot because it can take many forms, although employees are most likely to encounter it through phishing. These examples of BEC attacks can help illustrate what a BEC attack might look like in the wild.

• Just this week, we reported on a business email compromise incident that impacted the city of Portland, Oregon. City officials say that cybercriminals gained access to a city email account illegally. The account compromise was detected in May 2022 when the account attempted a transfer of funds. However, major damage had already been done. The bad guys had already shored a nice payday, successfully completed a $1.4 million fraudulent transaction to pay themselves with city funds in April 2022.

• An average employee at an Iowa company received emails that appeared to be from their contact at a legitimate Texas company that the Iowa firm did business with regularly. In these falsified messages, the Texas company billed the Iowa company for a legitimate outstanding invoice that was due for payment. But the message also told the Iowa company that the Texas company’s banking information had changed, and payment needed to be sent to a new account. The Iowa company ultimately made two wire transfers totaling more than $265,000 before anyone at either company discovered that they’d been victimized in a BEC scam.
• The Town of Peterborough, New Hampshire, lost $2.3 million after scammers tricked town employees into sending large payments to the wrong accounts. After the local school system complained that it had not received the funds that had been earmarked for it, investigators discovered that scammers had used spoofed email accounts and forged documents to redirect the town’s payment to accounts under their control. Several other payments to municipal departments and contractors had also been snatched by the same cybercriminals. The total loss to the town was $2.3 million almost 15% of its yearly budget.

BEC is 64x Worse Than Ransomware

BEC is not a threat that anyone should underestimate, and it has the potential to do much more damage in many ways than other cyberattacks like ransomware. The potential for huge profit is a big enticement for ransomware gangs to convert their operations to BEC. In fact, the U.S. Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3) declared that when estimated yearly losses between those two cyberattacks were compared, BEC turned out to be 64x worse than ransomware for a company’s finances.

The 2021 IC3 Internet Crime Report, makes it clear: BEC remains the reigning champion of risks, In the U.S., BEC schemes were the costliest cybercrimes reported to IC3 in 2020 and 2021, and that’s not expected to change in 2022. In fact, BEC rose substantially in 2021. In 2020, BEC clocked in at 19,369 complaints with an adjusted loss of approximately $1.8 billion. But for 2021 those loss numbers climbed significantly. The BEC category showed that complainants to IC3 suffered $2,395,953,296 in losses in 2021, a whopping 28% higher than 2020’s record total of $1,866,642,107, with 3% more total BEC complaints.

Source: ID Agent