What are Business Compromise Scams (BEC), also known as CEO Fraud

Even for a cybercriminal, carefully selecting the target and aiming for a high return on investment is the main motive behind an attack. This thinking has started a new trend called BEC, or Business Compromise Scam. In this carefully executed scam, the attacker uses social engineering to identify the CEO or CFO of the target firm. The cybercriminals then send fraudulent emails that appear to come from that senior executive to the employees in charge of finances, prompting some of them to initiate wire transfers.


Business Compromise Scams

Instead of spending countless hours phishing or spamming company accounts and ending up with nothing, this technique works well for the criminal community, because even a small success rate results in hefty profits. A successful BEC attack is one that results in intrusion into the victim’s business systems, unrestricted access to employee credentials, and substantial financial loss for the company.

Techniques of carrying out BEC Scams

  • Using a commanding or urgent tone in the email so that more employees comply with the order without investigating it. For instance, ‘I want you to transfer this amount to a client ASAP’ combines a command with financial urgency.
  • Spoofing real email addresses by using domain names that closely resemble the genuine one. For instance, using yah00 instead of yahoo is quite effective when the employee is not careful about checking the sender’s address.
  • Another major technique concerns the amount requested for the wire transfer. The amount requested in the email should be in line with the level of authority the recipient has in the company. Higher amounts are more likely to raise suspicion and to be escalated to the cyber cell.
  • Compromising business email accounts and then misusing the IDs.
  • Using custom signatures like ‘Sent from my iPad’ and ‘Sent from my iPhone’, which support the pretext that the sender is away and does not have the access required to make the transaction themselves.

Reasons why BEC is effective

Business Compromise Scams target lower-level employees while impersonating a senior employee. This plays on the sense of ‘fear’ that comes with natural subordination. Lower-level employees will therefore tend to press on with completing the task, mostly without checking intricate details, for fear of losing time. For someone working at an organization, it would not seem a good idea to reject or delay an order from the boss; if the order turns out to be genuine, the situation would be detrimental for the employee.

Another reason why it works is the element of urgency used by the attackers. Adding a deadline to the email pushes the employee towards completing the task before they think to check details like sender authenticity.

Business Compromise Scams Statistics

  • BEC cases have been on the rise ever since they were discovered a few years ago. It has been found that all of the states in the US and over 79 countries worldwide have had corporations successfully targeted with Business Compromise Scams.
  • In fact, within the last 4 years, over 17,500 corporations, or more specifically their employees, have been targeted by BEC, causing significant losses to the firms. The total loss from October 2013 to February 2016 adds up to around $2.3 billion.

Prevention of Business Compromise Scams

While there is no outright cure for social engineering, or for intrusion into the company’s systems using an employee’s access, there are certainly ways to keep workers alert. All employees should be educated about these attacks and their general nature. They should be advised to regularly screen their inbox for spoofed email addresses. Apart from that, any such order from top-level management should be verified with that person by phone or in person. The company should encourage double verification of data.
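As an added illustration, not code from the original article, here is a small Python screener for the cues described above: lookalike sender domains such as yah00 for yahoo, urgent wire-transfer wording, and the mobile-signature pretext. The trusted-domain list, the keyword lists and the sample message are constructed assumptions.

```python
"""Screen inbound mail for the BEC cues described on this page: lookalike
sender domains (yah00 vs yahoo), urgent wire-transfer wording and the
'Sent from my iPhone' pretext. Trusted domains, keyword lists and the
sample message are constructed assumptions, not part of the article."""
import re
from email.utils import parseaddr

# Assumed: domains the organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"example-corp.com", "yahoo.com"}

# Substitutions that make a fake domain look right at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URGENCY_WORDS = ("asap", "urgent", "immediately", "right away", "today")
MOBILE_SIGNATURES = ("sent from my ipad", "sent from my iphone")


def normalise_domain(domain: str) -> str:
    """Map digit-for-letter and 'rn'-for-'m' tricks back to plain letters."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")

NORMALISED_TRUSTED = {normalise_domain(d) for d in TRUSTED_DOMAINS}

def is_lookalike(domain: str) -> bool:
    """True when a domain is not trusted but collapses onto a trusted one."""
    d = domain.lower()
    return d not in TRUSTED_DOMAINS and normalise_domain(d) in NORMALISED_TRUSTED

def screen_message(from_header: str, subject: str, body: str) -> list[str]:
    """Return the BEC indicators found in one message (empty list = clean)."""
    findings = []
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")
    text = f"{subject}\n{body}".lower()
    urgent = any(w in text for w in URGENCY_WORDS)
    if urgent and re.search(r"\b(wire|transfer|payment)\b", text):
        findings.append("urgent wire-transfer request")
    if any(s in text for s in MOBILE_SIGNATURES):
        findings.append("mobile signature pretext")
    return findings

if __name__ == "__main__":
    # Constructed sample: 'rn' in place of 'm' in the sender domain.
    sample = ("CEO <ceo@exarnple-corp.com>", "Client payment",
              "I want you to transfer this amount to a client ASAP.\n"
              "Sent from my iPhone")
    for finding in screen_message(*sample):
        print("ALERT:", finding)
```

A hit on any indicator is a prompt for the out-of-band verification the paragraph above recommends, not a verdict on its own.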


A constant learner of gadgets, Ankit has been writing about technology and the internet, in general, for the past three years, and has written for several well-known media outlets.