The Windows Club

What are Business Email Compromise (BEC) scams, also known as CEO Fraud

Choosing the target carefully and going after the highest return on effort is as much a motive for a cyber criminal as for any business. That calculation is behind a trend known as Business Email Compromise (BEC), or simply a Business Compromise Scam. In a carefully executed BEC attack the attacker first uses social engineering and publicly available information to identify the CEO or CFO of the target firm. The attacker then sends fraudulent emails, made to look as if they come from that senior official by spoofing the address, registering a look-alike domain or using a compromised mailbox, to the employees who handle the company's finances, prompting some of them to initiate wire transfers.

Business Compromise Scams

Instead of spending countless hours phishing or spamming company accounts at random and ending up with nothing, this targeted technique works well for criminals because even a handful of successful attempts yields hefty profits. A successful BEC attack is one that ends in a fraudulent transfer: the attacker has convinced an employee to pay (or, in some variants, has broken into the company's email system and obtained employee credentials to do it from a genuine mailbox), and the company suffers a substantial financial loss.

Techniques of carrying out BEC Scams

Reasons why BEC is effective

Business Compromise Scams target lower-level employees while impersonating a senior one. This plays on the fear that comes naturally with subordination: the employee tends to push through to get the task done, usually without checking the finer details, rather than risk the delay. Refusing or holding up an order from the boss does not look like a good idea, and if the order later turns out to have been genuine, the employee is the one in trouble.

The other reason it works is the urgency the attackers build in. Putting a deadline in the email pushes the employee to finish the task before pausing to check details such as whether the sender is really who the message claims.

Business Compromise Scams Statistics

Prevention of Business Compromise Scams

There is no outright cure for social engineering, or for an attacker who gets into the company's systems using an employee's access, but there are certainly ways to make the workforce alert. All employees should be educated about these attacks and their general nature, and advised to look out for spoofed or look-alike sender addresses in their inbox. Beyond that, any payment or data request that appears to come from top-level management should be verified with that person through a separate channel, by phone or in person, using a number already on file rather than one given in the email. The company should require this second, independent verification for every wire transfer or change of bank details. On the technical side, publishing SPF, DKIM and DMARC records for the company's own domain lets receiving mail servers reject messages that forge the company's exact address, and having the mail gateway tag messages that arrive from outside the organisation makes a "CEO" writing from an external address stand out.
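The kind of inbox screening the paragraph above recommends, together with the urgency and impersonation signals described under "Reasons why BEC is effective", can be turned into a simple heuristic check on incoming mail. The script below is an added example and is not code from The Windows Club or from any mail product; the company domain, the executive roster, the keyword lists and the four sample messages are all constructed for illustration. It parses raw RFC 822 messages and reports the classic BEC indicators: an executive's display name on an address we do not know for that person, a look-alike sender domain, a Reply-To that steers replies elsewhere, an SPF or DMARC failure stamped by the gateway, and urgency language combined with a payment request.

```python
"""Heuristic screen for CEO-fraud (BEC) emails.

Added example, not from the original article. The organisation data and the
sample messages below are constructed; the checks are generic and would be run
by a mail gateway or a mailbox rule on each inbound message.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (hypothetical).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {  # lower-case display name -> the only address that name may use
    "jane doe": "jane.doe@example.com",
    "raj patel": "raj.patel@example.com",
}
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "today", "before close")
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "gift card")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_text(msg) -> str:
    """Subject plus every text/plain body part, lower-cased for keyword matching."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        body = b"\n".join(parts).decode("utf-8", "replace")
    else:
        body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return (msg.get("Subject", "") + "\n" + body).lower()


def bec_signals(raw: str) -> list[str]:
    """Return the BEC indicators found in one raw email (empty list = nothing seen)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.lower().strip(), addr.lower()
    from_dom = domain_of(addr)
    findings = []

    # 1. An executive's name on an address that is not the one we know for them.
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in name and addr != exec_addr:
            findings.append(f"display name '{name}' but sender is {addr}")

    # 2. Look-alike domain: close to ours but not ours (one or two edits away).
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike domain {from_dom}")

    # 3. Reply-To sending the employee's answer to a different domain than the From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to {reply} differs from sender domain")

    # 4. Authentication verdict stamped by the receiving gateway, if present.
    auth = msg.get("Authentication-Results", "").lower()
    for verdict in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if verdict in auth:
            findings.append(verdict)

    # 5. Urgency plus a payment request: the social-engineering core of BEC.
    text = message_text(msg)
    urgent = [w for w in URGENCY_WORDS if w in text]
    payment = [w for w in PAYMENT_WORDS if w in text]
    if urgent and payment:
        findings.append(f"urgency {urgent} with payment request {payment}")

    return findings


# Constructed sample messages (no leading newline: the headers must come first).
# A free-mail account wearing the CEO's name; note that SPF/DMARC pass because
# the mail genuinely comes from gmail.com, so authentication alone would not catch it.
SPOOFED = """From: "Jane Doe CEO" <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Quick task
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dmarc=pass header.from=gmail.com

I am in meetings all day and cannot take calls. Please process the attached
invoice by wire transfer today and keep this confidential.
"""

# A registered look-alike domain (digit 1 for the letter l) with replies steered elsewhere.
LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@example-executive.net>
To: accounts@example.com
Subject: Re: vendor payment - please action immediately
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

The supplier has changed bank accounts. Wire the outstanding balance to the
new details attached right away.
"""

# The company's exact address forged; with a DMARC p=reject policy the gateway
# should have dropped this outright, but the stamped failures are still a signal.
EXACT_SPOOF = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Need a favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail (p=reject) header.from=example.com

Can you pick up six gift cards for a client today and send me the codes?
"""

LEGIT = """From: Raj Patel <raj.patel@example.com>
To: accounts@example.com
Subject: Q3 budget draft
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached is the draft budget for next week's review meeting. No action needed yet.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed display name", SPOOFED), ("look-alike domain", LOOKALIKE),
                       ("forged exact address", EXACT_SPOOF), ("legitimate", LEGIT)):
        print(f"{label}: {bec_signals(raw) or 'clean'}")
```

The first sample is the one worth noticing: a criminal's own free-mail account passes SPF and DMARC perfectly, so the display-name and content checks are what flag it, which is why training people to read the actual address, and tagging external mail, matters alongside the domain-authentication records.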