According to the FBI’s Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) schemes have grown at a jaw-dropping rate of 2,370% since 2015.
With more than 40,000 domestic and international incidents, these types of scams have cost more than a staggering $5.3 billion in actual and attempted losses.
To help you keep one step ahead of this multi-billion-dollar threat, we put together a quick walkthrough of what a business email compromise is, how it works, and how you can best protect your organization.
What is a BEC attack?
A BEC attack begins with a cybercriminal hacking and spoofing emails to impersonate your company’s supervisors, CEO, or vendors.
Once in, they request a seemingly legitimate business payment. The email looks authentic and appears to come from a known authority figure, so the employee complies.
Typically, the fraudster will ask for money to be wired or for checks to be deposited, whichever matches the usual business practice.
However, this scam has evolved and no longer has to involve money at all. The same technique is used to steal employees’ personally identifiable information or wage and tax forms (e.g. W-2).
What can I do to stop an attack?
While some BEC attacks involve the use of malware, many rely on social engineering techniques, against which antivirus, spam filters, and email whitelisting are ineffective.
However, one of the most useful things you can do is to educate employees and deploy internal prevention techniques, especially for frontline staff who are most likely to be recipients of initial phishing attempts. Below are some self-protection strategies your business can employ:
- Avoid free web-based e-mail accounts. Establish a company domain name and use it to create company e-mail accounts in place of free, web-based accounts.
- Enable multi-factor authentication for business email accounts. This type of authentication requires multiple pieces of information to log in, such as a password and a dynamic pin, code, or biometric. Implementing multi-factor authentication makes it more difficult for a cybercriminal to gain access to employees’ email, making it harder to launch a BEC attack.
- Don’t open any email from unknown parties. If you do, do not click on links or open attachments as these often contain malware that accesses your computer system.
- Secure your domain. Domain spoofing uses slight variations in legitimate email addresses to deceive BEC victims. Registering domain names similar to yours will go far in protecting against the email spoofing at the heart of successful attacks.
- Double-check the sender’s email address. A spoofed email address often has an extension similar to the legitimate email address. For example, a fraudulent jsmith@abc_company.com instead of the legitimate [email protected].
- “Forward,” don’t “reply” to business emails. By forwarding the email, the correct email address has to be manually typed in or selected from the address book. Forwarding ensures you use the intended recipient’s correct e-mail address.
- Don’t overshare online. Be careful what you post on social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
- Always verify before sending money or data. Make it standard operating procedure for employees to confirm email requests for a wire transfer or confidential information. Confirm face-to-face, or through a phone call using previously known numbers, not phone numbers provided in the email.
- Know your customers’ and vendors’ habits. If there’s a sudden change in business practices, beware. For example, if a business contact suddenly asks you to use their personal email address when all previous correspondence has been through company email, the request could be fraudulent. Verify the request through a different source.
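One way to automate the sender checks from the list above (lookalike domains, executive names arriving from outside the company, free webmail accounts, and a Reply-To that points elsewhere), as an added example that is not part of the original article; the company domain, vendor domain, executive names and webmail list are constructed placeholders:

```python
from email.utils import parseaddr

# Constructed sample data (not from the original page): the organisation's own
# domain, a known vendor's domain, executives whose names are likely to be
# impersonated, and free webmail providers the guidance above says should not
# carry business correspondence.
COMPANY_DOMAIN = "abc-company.com"
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}
KNOWN_EXECUTIVES = {"jane smith"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from an RFC 5322 address header."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower()


def sender_flags(from_header: str, reply_to_header: str = "") -> list:
    """Return the BEC warning flags raised by a message's From and Reply-To headers."""
    name, _ = parseaddr(from_header)
    domain = domain_of(from_header)
    flags = []
    # Lookalike domain: a near-miss of our own domain or a known vendor's.
    for trusted in {COMPANY_DOMAIN, *KNOWN_VENDOR_DOMAINS}:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            flags.append(f"lookalike domain {domain!r} resembles {trusted!r}")
    # Executive display name arriving from anywhere but the company domain.
    if name.strip().lower() in KNOWN_EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append(f"display name {name!r} used outside {COMPANY_DOMAIN!r}")
    # Free webmail account used for what should be company mail.
    if domain in FREE_WEBMAIL:
        flags.append(f"free webmail domain {domain!r} used for business mail")
    # A Reply-To pointing elsewhere is why the guidance says forward, never reply.
    if reply_to_header and domain_of(reply_to_header) != domain:
        flags.append(f"Reply-To domain {domain_of(reply_to_header)!r} differs from From")
    return flags
```

An empty list means none of the listed indicators fired; any flag is a cue to verify the request out of band, by phone on a previously known number, before acting on it.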
BEC attacks aren’t as well-known as ransomware or other forms of cybercrime, but they are nonetheless a very significant threat to organizations of all sizes.
Coupling email security measures with education and best practices can help your company avoid BEC attempts. However, if your business is targeted, remember to alert your financial institution and IT department immediately, and file a complaint with the IC3.
The case – BEC attack against Nikkei
The company has filed a damage report with investigative authorities in the US and Hong Kong.
Nikkei, the leading financial media organization in Japan and owner of the Financial Times, has admitted that it suffered an embarrassing Business Email Compromise (BEC) attack.
What is Business Email Compromise (BEC)?
BEC is a scheme in which cybercriminals either compromise the email accounts of known people in a company and use them to trick staff into wiring large sums of money to accounts the criminals control, or send fake emails impersonating those people to convince victims to transfer large sums to their bank account or wiring address.
BEC attack against Nikkei
The company released an official statement explaining that it lost $29 million in a cyber-fraud after an employee at its US subsidiary mistakenly transferred money following “fraudulent instructions by a malicious third party.”
Headquartered in Tokyo, Nikkei is a data provider, TV broadcaster, and newspaper firm.
As per the company’s official statement, the erroneous transfers took place in late September 2019 when a Nikkei America, Inc. employee transferred money to a scammer who claimed to be a Nikkei management executive.
Approximately $29m was transferred from Nikkei America funds.
Nikkei America soon realized that it had become the victim of cyber fraud.
The company has filed a damage report with investigative authorities in the US and Hong Kong, the destinations from which the fraud originated, after engaging lawyers to determine the hidden facts of the attack.
“Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations,” the company explained.
Nikkei isn’t the only bigwig in the list of firms that have been deceived into transferring huge sums of money to cybercriminals.
Previously the likes of Facebook and Google have also experienced the same.
In that incident, Google and Facebook were tricked by a Lithuanian man who impersonated an employee of a famous Asian company. The scammer used phishing emails to collect the details of wire transactions and other relevant details to make his case more believable; in the end, he scammed the two companies out of $100 million.
Nor is Nikkei the only Japanese firm to be targeted by fraudsters: in 2008 Lehman Brothers sued the Marubeni trading house over a fraud of $352m.
The loss is definitely a big blow to Nikkei as the company is already experiencing a considerable decline in sales. Reportedly, in recent years it has recorded a 20% year-on-year decline in its net profit to £36m/¥5.1bn.
Nikkei, which is also responsible for the Nikkei 225 stock index, is taking necessary steps for recovering the lost funds.
The latest stream of cyber frauds reflects the way cybercriminals and scammers are employing rather sophisticated tactics to target international firms and successfully steal large sums. It is worth noting that BEC attacks cost firms across the world a combined $1.3bn in 2019.