Every year, the FBI’s Internet Crime Complaint Center (IC3) sheds additional light on particular cybercrime topics that have really taken a toll on American businesses and individuals. With losses totaling well over $6 billion in the past three years, it’s no wonder that the IC3’s most recent focus has been on Business Email Compromise (BEC).1
What is Business Email Compromise?
Business Email Compromise (BEC) is a type of cybercrime in which the hacker impersonates a trusted person (CEO, CFO, Vendor, etc.) or company, gains access to an organization’s email system, and targets employees who have the ability to approve important requests. From there, the hacker posing as the trusted person sends phishing emails that convince the recipient to make all sorts of costly mistakes.
Here are just a few of the things a cybercriminal can do in a BEC situation:
- Access an online banking account
- Be paid for phony invoices
- Order goods through a company’s merchant account
- Unlock corporate records and sensitive data
- Steal loyalty points
- Harvest customer data
- Make unauthorized purchases
- Extort money from you in exchange for your account credentials
Cybercriminals are using LinkedIn and social media to understand their targets beforehand. They’re clever, sophisticated, and relentless. What one employee might not fall for, a different employee will.
What the FBI Has to Say about BEC
Each year the FBI publishes its Internet Crime Report. In 2021, Business Email Compromise (BEC) has become such a big problem that the FBI shared additional detail about this major phishing threat. Here are a few points they shared:1
- Business Email Compromise is a scam targeting businesses (not individuals) working with foreign suppliers and/or businesses regularly performing wire transfer payments.
- In 2021, the IC3 received 19,954 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints with adjusted losses of nearly $2.4 billion.
- The average cost of a successful BEC attack in 2019 was $74,723.44. By 2021 that amount had grown by 61% to $120,073.84.
- Fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.
- The IC3 has observed an emergence of newer BEC/EAC schemes that involve phishing emails and exploited virtual meetings. In those meetings, the fraudster would insert a still picture of the CEO with no audio, then claim their audio/video was not working correctly. They would instruct victims to send fraudulent wire transfers and then follow up using the executive’s compromised email to provide wiring instructions.
Why Social Graphing and Stylometry Are Key
Understanding BEC and educating your employees that account takeovers and impersonations are common phishing scams can help combat them. However, you should also realize that battles of this magnitude cannot be fought alone.
There are two types of phishing that are key to fighting BEC and other types of email impersonation – stylometry and social graphing.
Stylometry: Much in the same way a high school teacher can spot a plagiarized term paper from an original, INKY gets to know her users so that she can keep an eye out for anyone trying to impersonate them with a phishing email or Account Takeover.
Social Graphing: A new concept in fighting phish, social graphing involves plotting out the various interconnections among different people, groups, and organizations within a network. As your users receive mail from legitimate senders, dynamic profiles and behavior models are built that help filter out and block impersonation attempts.
INKY, the behavioral email security platform that blocks threats like BEC, uses stylometry, social graphing, and other intuitive technologies to signal out and stop account takeovers.
A Final Word
Phishing Fact: The average Business Email Compromise (BEC) attack will cost your company $120,073.84. If that’s outside of your budget, it’s time to call INKY.
Schedule your free INKY demonstration today.
----------------------
INKY is an award-winning, behavioral email security platform that blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.
1Source: https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf