BSI’s Cybersecurity and Information Resilience business warns organisations of the prevalence of Business Email Compromise attacks on senior-level management
A Business Email Compromise (BEC) is typically a type of phishing (email fraud) attack that targets senior executives by using advanced targeting methods such as social engineering to trick an email recipient into transferring funds into a fraudulent account.
In 2017 roughly 80 per cent of businesses experienced an email fraud attack, with almost a quarter of recipients clicking on the email within the first five minutes of it being delivered and over half within the first hour.
Richard Lambe, Senior Security Awareness Consultant at BSI, explains:
“BEC differs from regular phishing scams by taking a more serious form and is targeted at upper management levels. It’s particularly prevalent at this time of year when social engineering is used to identify who in senior management within an organisation is on annual leave. By identifying who is out of the office the cybercriminal can impersonate that person and send emails, or even make phone calls in some incidents, to individuals who have access to the company’s financial accounts.
“Many of the BEC attacks are highly sophisticated and personalized to appear to come from a trusted senior executive using corporate logos and contact details to make them look legitimate. A BEC may not have URL links or even enclose a malicious attachment so can be difficult to identify. An incident can include the attacker requesting a transfer of funds for a supposedly legitimate business reason or it may be used to gain sensitive information like wage or tax statements, or employee data.
“In the last five years more than 78,000 global BEC incidents have been reported by financial institutes worldwide with over $12.5 billion in exposed losses. We want to remind business owners and their employees to be alert to BEC attacks as we reach peak holiday season and to know the signs to look out for. Be careful about what is posted on social media, verify the origination of email addresses and phone numbers and implement authentication procedures to confirm legitimacy before making any wire transfers or when sharing sensitive information.”