Preventing BEC Attacks: Fake Boss Scam

We previously wrote about the State of email-based Threats. Today we will be discussing a specific type of email attack. Business email compromise (BEC) attacks are common in today’s cybersecurity landscape. But how do BEC attacks work? Let’s dive into this and learn more. 

How do BEC attacks happen? 

The FBI defines 5 types of BEC scams, but we’re going to focus on one. The fake boss scam also known as the CEO scam or CEO fraud. This is where an attacker positions themselves as the CEO or an executive in a company. The attacker will target a finance department employee; sending an email requesting funds to be transferred to an account owned by the attacker. If successful, a bank transfer will result leading to loss of funds for the company. 

An attacker would execute a BEC attack in one of two ways: The attacker gains access to a real email account and uses that access to achieve their goal. Alternatively, an attacker will spoof an email account to look like a real email account. For example, bob@example.com might become bob@exampl.com. At first glance, this might appear to be a legit account, but on closer inspection you can notice the difference. 

An example of this type of scam comes from the toymaker Mattel, which lost $3 million. The CFO trusted an email claiming to be from her boss, the CEO asking to transfer funds to a new supplier. The transfer went to a bank in China that is regularly used by scammers funneling money from these types of scams. 

So, the bottom line is somebody is impersonating a boss or the CEO of an organization. Two variations of similar concepts. These attackers might acquire a similarly named domain name, or they might compromise an existing email account. Either way, the attacker is likely putting in a lot of research to understand the business. 

You may be wondering: how would an attacker get your email, anyway? The attacker starts by building an email list. An attacker will rely on data coming from multiple places. They could use data mining from LinkedIn profiles, sift through business email databases, or searching through websites for contact information. 

They might look on the company’s about us page; many companies publish their leadership details on these pages. They might do additional outside research trying to identify the reporting structure. This data might even be found in other compromised data. For example, a vendor might have their system compromised resulting in leaked data on your company. 

Is my business vulnerable to BEC attacks? 

As a business owner, you may be wondering if this kind of attack could occur to your company. Experts estimate that 65% of companies faced a BEC attack in 2020. These types of attacks are widespread, and the numbers are increasing every year. The likelihood that you will see this type of attack occur is extremely high. Small or midsize businesses (SMBs) are especially vulnerable to attacks. 60% of SMBs go out of business within 6 months of a breach. 

The question is, how do you protect yourself from this type of scam? There are several factors that can help here. This comes down to filtering email, good email practices, user training, and other security measures. Now let’s dive into how to prevent these types of scams in more detail. 

How can I prevent a BEC attack? 

Since BEC attacks can come from a variety of sources, there are multiple ways to defend for each. But there are some standard best practices used today which can significantly reduce the risk from a BEC attack. 

• Utilize an email banner for external email. One of the primary methods involve using a similarly named domain. Example.com becomes exampl.com. So, configuring your email system to attach a banner to these emails makes it glaringly obvious. This makes it almost impossible for users not to realize the email came from outside your company. 

• Setup Two-Factor Authentication. Computer systems are compromised every day. Experts agree that 2FA is the best way to prevent a compromise. Check out our guide on setting up 2FA authentication. 

• Implement a Cybersecurity Training program. Attackers rely on lack of user knowledge to gain access to systems. Cybersecurity awareness training is the best way to give users the knowledge they need to prevent a compromise. 

• Verify before sending any money. Attackers often rely on tactics like quick response and urgency to make an employee act without thinking. If a vendor or your boss is asking you to transfer money, verify with them by phone or face to face before complying. 

• Understand habits of coworkers and vendors. Everyone has standard procedures for certain activities. If the request seems out of the ordinary, there’s probably something wrong. Be sure to think before acting and perform some extra validation. 

BEC attacks can be extremely costly for a business. This article provides you with some basic understanding of a BEC attack and how to protect yourself. Reach out to our Pendello Solutions team today to learn more about how we can help you implement a solution against BEC attacks.