BEC attacks are a type of specialist phishing attack where a hacker impersonates a credible individual's email in order to make a transaction. Learn the types of BEC attacks and best practices to protect your business.
According to the FBI, Business Email Compromise attacks, also known as BEC attacks, are one of the most financially damaging forms of cybercrime. In fact, the average wire transfer loss from BEC attacks in the second quarter of 2020 shot up to over $80,000, up from $54,000 in the first quarter.
BEC attacks are defined as a specialist type of phishing attack in which cyber attackers spoof, or already have access to, a credible email account with the goal of performing a fraudulent transfer. These attacks fundamentally rely on social engineering tactics designed to trick, pressure, or coerce employees into giving hackers access to financial information.
For example, a cyber attacker uses a keylogger to figure out the CEO’s email password. They log in as the CEO and send an email to the company’s accountant telling them to make a time-sensitive wire transfer to a fraudulent destination. Because it’s coming from the CEO’s email address, the accountant thinks it is legitimate and makes the transaction, and the company loses x amount of dollars.
According to the FBI’s website, cybercriminals typically conduct BEC attacks through 3 methods:
Because BEC attacks fundamentally rely on social engineering tactics, the best way to protect against such attacks is to strengthen the last line of defense – the human element, or in this case, employees. As long as businesses are diligent about employee cyber awareness and cybersecurity training, BEC attacks are actually the most straightforward attacks to prevent and don’t require expensive firewalls and IT solutions. Here are some simple and actionable steps business owners can take to protect themselves.
The age-old proverb, ‘An ounce of prevention is worth a pound of cure,’ applies well to cybersecurity. The best thing for SMBs to do is to proactively educate their employees on cyber threats rather than starting after a damaging attack has already occurred. This will also help foster a culture of security, which will help protect your business from other forms of attacks as well.