BEC – How Cyber-Attackers Can Rip Off Your Company

We warned our readers about the FBI alert regarding the Business Email Compromise scam on July 6.  Cyber-criminals have successfully bilked US companies of over 3 billion dollars since January 2015.  Typically this exploit starts by the attacker gaining knowledge of the CEO’s or other highly placed executive’s user credentials to their email account.  This is most often done using a spearphishing email, but could also be accomplished over the telephone by posing as “Pete from IT” or some other impersonation.

Getting into anybody’s email account gives an attacker a deeply personal inside look at the victim’s contacts, clients, customers, coworkers, and business partners.  The attacker can find out where you shop, what websites you visit online, your personal habits, and even dirty little secrets such as that affair you are having with your operations manager.  The attacker can get into your calendar and see your appointments and travel plans.

There are five variations that the cyber-criminals use to transfer large sums of money to bank accounts they control.

  • Posing as a C-level executive, the cyber-criminal requests a wire transfer.  This exploit often happens when the executive is traveling.  The victim’s email account is hijacked and then used to send an email requesting a wire transfer. Typically, the email is sent to the CFO, accountant, bookkeeper, or other employee responsible for managing the bank accounts. Sometimes, the email is sent directly to the bank.
  • Posing as a vendor or business partner, the cyber-criminal sends an invoice for payment. The attacker will usually select a supplier that the business has used for a long time. The attacker will use various social engineering tricks to discover who is responsible for accounts payable.  The cyber-criminal will send a legitimate-looking invoice, with wire transfer instructions to send the payment to a bank controlled by the attacker. Sometimes this exploit uses a phone call or fax instead of email.
  • Posing as an employee, the attacker sends invoices to customers.  After identifying the accounts receivable specialist at the victim business, the cyber-criminal hijacks that employee’s company or personal email account, using it to send invoices to customers. This scam works best when employees use their personal email accounts for work and have the customers in their contact list.
  • Again, posing as a business executive, the cyber-criminal asks for employees’ personal information. In this variation, the attacker sends an email to Human Resources. This variation of the scam targets employees’ W-2 tax information, and usually is used to generate fraudulent tax refunds.
  • Posing as a lawyer or law firm representative, the cyber-criminal requests a fund transfer. The attacker emails or calls an executive or another employee at the victim business, claiming to be handling confidential or time-sensitive legal matters. The cyber-criminal pressures the person into transferring funds quickly or secretively.

The best ways to defend against these sophisticated confidence games are:

  • Confirm all requests for wire transfer of funds.  If the CEO just sent you an email claiming to need $2.5 million to purchase a factory in China, give the big guy a call to verify before sending the money.  The same goes for invoices, especially if they are unusually large or different from normal.  Confirm all changes in bank routing information for long-time suppliers by phone.
  • Do not use free web-mail accounts such as Yahoo or Gmail for your business.  These are very easy to spoof using an email account that is just slightly different from your real account.  If you have a domain name registered for your web site (you do have a web site?), then you should be using domain-name-based business email accounts for yourself and your employees.
  • Use two-factor authentication for email accounts.  That way, if you give up your password, the attacker will also need the one-time passcode on your smartphone.
  • Get cybersecurity awareness training for your staff, covering typical exploits, phishing, social engineering, and specifically focusing on this particular exploit.
  • Ask your employees to maintain business confidentiality on their social networks.  A lot of information that should not be on the web can end up in Facebook.  Have them think before they post.
  • Be sensitive to the information you post on your company website.  The usual brag pages about who your biggest clients or most important business partners are can provide information the attacker can use in crafting this exploit.
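The second tip above (a sender address that is just slightly different from the real one) is something a mail gateway or SIEM rule can catch. The following is an added example, not code from the original post: it takes a From: header, and flags mail whose display name matches a known executive but whose address is a free web-mail account or a near-miss of the company domain. The company domain, the executive list and the sample headers are all constructed for illustration.

```python
import difflib
from email.utils import parseaddr

# Constructed sample data for the example (not from the original post).
COMPANY_DOMAIN = "example-corp.com"
# Display name (lower-cased) -> the executive's legitimate address.
EXECUTIVES = {"pat ceo": "pat.ceo@example-corp.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def is_lookalike(domain: str, target: str, threshold: float = 0.85) -> bool:
    """True when the domain is close to, but not identical to, the target.

    One-character swaps such as example-c0rp.com score above 0.9 against
    example-corp.com; unrelated domains score well below the threshold.
    """
    if domain == target:
        return False
    return difflib.SequenceMatcher(None, domain, target).ratio() >= threshold


def classify_from(header: str) -> str:
    """Classify a single From: header value.

    Verdicts, in order of checking:
      malformed                  - no usable address
      exec-name-webmail          - executive's name, free web-mail address
      exec-name-lookalike-domain - executive's name, near-miss of our domain
      exec-name-unknown-domain   - executive's name, some other domain
      lookalike-domain           - any sender from a near-miss of our domain
      ok                         - nothing suspicious in the From: header
    """
    name, addr = parseaddr(header)
    name, addr = name.strip().lower(), addr.strip().lower()
    if "@" not in addr:
        return "malformed"
    domain = addr.split("@", 1)[1]
    legit = EXECUTIVES.get(name)
    if legit and addr != legit:
        if domain in FREE_WEBMAIL:
            return "exec-name-webmail"
        if is_lookalike(domain, COMPANY_DOMAIN):
            return "exec-name-lookalike-domain"
        return "exec-name-unknown-domain"
    if is_lookalike(domain, COMPANY_DOMAIN):
        return "lookalike-domain"
    return "ok"
```

A verdict other than "ok" is a reason to pick up the phone and confirm, as the first tip says; it is not proof of fraud on its own, since legitimate partners also send mail from web-mail accounts.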

These useful tips should help you to avoid falling for this scam.  Make sure everyone in your company is aware of this exploit, because the cyber-criminals are out there and looking for another victim.  Let’s make sure you are not the next one.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
