Business Email Compromise (BEC) Fraud Awareness
Business Email Compromise (BEC) scams are a specific type of crime that relies on social engineering tools (like phishing) to trick targeted employees and staff into believing and acting in a certain way.
False Invoice Scam: The phisher pretends to be a legitimate vendor requesting payment for services performed for the company but changes the bank account information to an account controlled by them.
CEO Fraud: The attacker sends an email, supposedly from the CEO / Senior Management, instructing the recipient to take some business action.
Account Compromise: This attack takes advantage of a compromised email account within an organization. With this access, the attacker requests invoice payments from customers while changing the payment details to those of the attacker.
Employee Data Theft: This type of attack targets HR and Finance personnel and attempts to steal sensitive information about an organization’s employees.
Please Note: BEC relies on the ability to impersonate someone with power within a company, or a trusted external partner, and to convince the target to send money to the attacker while believing that they are performing a legitimate business transaction.
Sample of a phishing email under BEC Scam:
Here are a few suggested fraud prevention tips and best practices:
- Educate yourself and your employees on BEC scams
- Do take a minute to go through security advisories issued by your company from time to time
- Create intrusion detection system rules that can flag e-mails with extensions that are similar to legitimate company e-mail IDs
- Don’t switch payment methods without multiple sources of confirmation. Confirm requests for a change in banking details or for transfers of funds by adding two-factor authentication (2FA).
- When using phone verification as part of 2FA, use previously registered and known numbers, not numbers provided in the e-mail requesting the change.
- Use a secondary checker and sign-off by another member of company personnel
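
The tip above about flagging e-mails that resemble legitimate company e-mail IDs can be prototyped as a sender-domain check before it is turned into a mail-gateway or IDS rule. The following is an added example, not part of the original advisory; it reads "extensions" as the sender's domain, and the domain `example-corp.com`, the character map and the distance threshold are all assumptions.

```python
from email.utils import parseaddr

# Constructed sample value; replace with your organisation's real mail domains.
LEGITIMATE_DOMAINS = {"example-corp.com"}
MAX_DISTANCE = 2  # assumed threshold; tune it to limit false positives

# Assumed, non-exhaustive map of ASCII characters often swapped for one another.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "_": "-"})


def skeleton(domain):
    """Fold visually confusable characters so look-alike spellings compare equal."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return 'legitimate', 'lookalike' or 'other' for a From header value."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    for legit in LEGITIMATE_DOMAINS:
        if domain == legit or domain.endswith("." + legit):
            return "legitimate"
    for legit in LEGITIMATE_DOMAINS:
        if edit_distance(skeleton(domain), skeleton(legit)) <= MAX_DISTANCE:
            return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed From headers, not taken from real mail.
    for header in ("CEO <ceo@example-corp.com>", "CEO <ceo@example_corp.com>",
                   "accounts@examp1e-corp.com", "news@unrelated.org"):
        print(f"{classify_sender(header):<10} {header}")
```

A "lookalike" result is a reason to hold the message for review, not proof of fraud; the check does not cover display-name spoofing or mail sent from a genuinely compromised account.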