Business Email Compromise (BEC) is a type of scam targeting companies who conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives or high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised through keyloggers or phishing attacks to do fraudulent transfers, resulting in hundreds of thousands of dollars in losses. In 2016, BEC attacks led to an average of US$140,000 in losses for companies globally.
Formerly dubbed as Man-in-the-Email scams, BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives. Often, they impersonate CEO or any executive authorized to do wire transfers. In addition, fraudsters also carefully research and closely monitor their potential target victims and their organizations.
Some of the sample email messages have subjects containing words such as request, payment, transfer, and urgent, among others. Based on FBI, there are 5 types of BEC scams:
Because these scams do not have any malicious links or attachments, they can evade traditional solutions. Employee training and awareness can help enterprises spot this type of scam.