
Inside cybercrime: Business email compromise

Don’t compromise security for convenience


December 16, 2022

Criminals and scammers are constantly modifying their tactics to take advantage of changes in technology and human behavior.

Our ever-increasing reliance on electronic communications, combined with the fast-paced nature of modern business practices, can put us at significant risk of exploitation at work.

We likely have seen this evolve in our personal lives, with scammer text messages, emails and phone calls.

Business-related fraud, however, can be the most costly, because of the scale of the financial losses, the volume of sensitive data involved and the potential reputational harm.

Scammer tactics
A technique that many criminals use is called social engineering – which can be described as the art of manipulating people, typically through deception, into divulging confidential information, or obtaining money.

Phishing is another tactic criminals use to get people to let their guard down.

Phishing is a type of social engineering in which the criminal sends a fraudulent message designed to trick the recipient into revealing sensitive information.

Studies suggest that together, social engineering and phishing attacks account for 70-90% of successful data breaches.

When criminals use these techniques to target a business through its email, the attack is referred to as Business Email Compromise, or BEC.

These types of scams are particularly effective because they seem legitimate.  

Unlike cruder scams, BEC emails often come from a compromised ("hacked") or spoofed email account, making them appear to originate from a legitimate sender.

Oftentimes, the sender is a familiar contact, such as a company executive or trusted vendor.

And frequently there is an added urgency to the request, which is a hallmark of social engineering tactics.

Exploiting human behavior
Human behavior is the weakest link in the cybersecurity chain.

Criminals thrive when they are able to create chaos, whether real or perceived, and they exploit two elements of human behavior to accomplish this goal – people’s tendency to want to be helpful and a person’s strong emotional response to fear or uncertainty.

Imagine this scenario: Company A’s human resources administrator receives an email that appears to come from the company’s CEO advising there is an active criminal investigation into several employees.

The CEO requests sensitive personal identifying information about various employees, under the guise of assisting law enforcement with the investigation.

The CEO stresses confidentiality and that the information is to be emailed directly to them, without notifying anyone else.

Or this one: A business receives a fax claiming to be from Company B, with whom it had done business previously.

Because Company B hadn't ordered for a while, its credit line had been reduced, and the business required a new credit application.

The purported customer submitted a new application with the names of three representatives from Company B, along with their corresponding social security numbers.

Based on that information, a credit check was run and the legitimate business approved the new line of credit.

They conducted business with Company B, and over several months, Company B ordered almost $40,000 worth of products.  
No payments were ever made.

In both scenarios, criminals took advantage of human behavior to bypass procedures for the sake of accommodation and convenience.

In the first scenario, criminals were able to spoof the CEO’s email address and convince the HR administrator to send protected information, including birthdates, social security numbers and other sensitive data.

In the second case, when the business contacted the real Company B, Company B advised that it had no record of any employees by the names provided.

Further investigation also determined that the address the business was shipping the product to was a storage unit, not the legitimate company.

Why were these cyber-attacks successful?
The criminals were able to exploit human behavior.

Whether they were just trying to be helpful or had fallen into complacency, the victims failed to question deviations from normal practices and did not scrutinize the anomalies.

For example, a close look at the attacker’s email address from the second scenario revealed that it came from “billstrut.com,” and not “billtrust.com.” 

Phishing and social engineering attacks continue to become more sophisticated, typically targeting officers of a company, or people with an emotional connection to the success of the business.

The criminal's goal is to make you feel a sense of urgency and a willingness to help, thereby tricking you into divulging confidential information or circumventing procedures.

For those in the corporate world, education and regular training, not just awareness, are crucial because of the enormous exposure (sensitive information, access to funds).

To help prevent yourself from falling victim to a BEC scam, consider these suggestions:
Never be pressured into circumventing policies or procedures for an "emergency."

Verify anomalies or exceptions with supervisors or customers directly.

Report suspicious contacts to your IT department; consider having IT, or an outside cybersecurity firm, run a risk assessment of your network.

Detective Eric Edson is a 29-year veteran of the Sheboygan Police Department. In his role, Edson is responsible for investigating major crimes, which include financial crimes and fraud.

TBN