In this insight, we look at what BEC campaigns are, their characteristics, together with what businesses can do to protect themselves from the threat of BEC campaigns.
What Is A BEC Campaign?
A business email compromise (BEC) campaign is a kind of text-based, impersonation, social engineering scam where, in most cases, the victim is forwarded an email threat that appears to originate from their boss. The email is given legitimacy by appearing to be a thread between a partner company, a customer, or an organisation in the supply chain so that it will be recognised by the target. The email instructs the victim, e.g. someone in the finance department of the business to transfer funds (wire transfer / BACs payment) into an account which is actually that of the scammers.
In the US, for example, the FBI has defined 5 main types of BEC campaign, which are:
- CEO Fraud: The attackers impersonate the CEO or an executive at the company and target an individual in the finance department.
- Account Compromise: This is where an employee’s email account is hacked/compromised and used to request payments.
- False Invoice Scheme: Mostly targeting foreign suppliers, this method sees the scammer impersonating a supplier to request fund transfers to fraudulent accounts.
- Attorney (Lawyer) Impersonation: As the name suggests, the attacker impersonates a lawyer or legal representative, targeting, for example, lower-level employees because they may be more unlikely to question the validity of the request.
- Data Theft: Targeting HR employees, the motive is to obtain personal or sensitive information about company personnel, e.g. CEOs and executives that can be used as part of future attacks (such as CEO Fraud).
Sometimes Uses Domain Spoofing
BEC campaigns also sometimes use domain spoofing and lookalike domains to trick the targeted employees.
EAC Often Related To BEC
It is often the case that email account compromise (EAC) enables the BEC, i.e. gaining control of a legitimate company email account makes it possible to launch convincing BEC campaigns.
Difficult To Detect
One reason why BEC campaigns are so difficult to detect, e.g. using antivirus, is because they don’t often contain red flags such as malicious links or attachments.
How To Guard Against BEC Campaigns
Some ways that businesses can defend themselves against the threat of BEC campaigns include:
- Briefing and training staff about the nature of the threat and the different types of well-known BEC campaigns. For example, staff should be informed of the indicators of a possible BEC campaign, e.g. high-level company executives asking for unusual information, being asked not to communicate with others about requests, any requests that would bypass the usual channels, spelling and grammar inaccuracies in the emails, and email domains and “Reply To” addresses that don’t match sender’s addresses.
- Ensure that company email security is robust, and that staff are aware of how to avoid risky behaviour with emails, e.g. clicking on unusual links, downloading attachments, or password sharing.
- Encouraging employees to trust their instincts and, if they have the slightest doubt, let them know that it’s OK to seek help and advice. Attackers often rely upon targeting victims at busy times of the day and making requests sound very urgent, so employees need to know that stopping to check and slowing things down is a good idea.
- Having a clear, blanket procedure in place for any such requests that seeks verification from designated managers who are well-informed about this type of fraud and have the confidence and authority to check and challenge.
What Does This Mean For Your Business?
Since this type of campaign is difficult to spot with automated solutions (e.g. antivirus) and relies upon human error to work, a human-centred approach to protection, such as employee training and the communication of clear blanket policies about this type of question/request/instruction that prevent any circumvention are a wise move for businesses.
As with all social engineering, the criminals are using methods designed to suspend normal judgement, and force an emotional reaction before reasoned, critical decision-making can happen. Really knowing the signs (through training), slowing things down, feeling as though they will be supported by managers, and not being afraid to ask others and stick to the policy are ways in which staff can be empowered to defend the company’s security in the face of the threat of BEC campaigns.
By Mike Knight