BEC Attacks on the Rise; Organizations Lose Millions of Dollars
Cyberattackers are actively using Business Email Compromise (BEC) as their primary attack vector to make quick bucks. According to a report by Trend Micro, BEC scams accounted for a whopping $1.7 billion in exposed losses in 2019. Moreover, several BEC scams this year have caused losses worth millions of dollars.
Making the headlines
Recently, a new BEC scam was identified by Trend Micro, targeting a number of French companies across different industries.
- The attackers registered a domain similar to the legitimate one used by the targeted business and used it to send emails to their targets, impersonating real employees of the company.
- In a few initial samples, the email carried an attached PDF file purporting to be a letter from the French tax service, asking the target company for information about its customers, employees, and other financial data.
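The lookalike-domain trick described above is cheap to spot at the mail gateway. The following is an added example, not code from the article or from Trend Micro: it classifies the sender domain of each From: header against the organisation's real domain by folding common character substitutions and measuring edit distance. `LEGIT_DOMAIN` and the sample headers are constructed placeholders.

```python
# Added example, not from the article: flag sender domains impersonating a company domain.
from email.utils import parseaddr

LEGIT_DOMAIN = "example-corp.com"  # constructed placeholder for the real company domain
# Multi-character substitutions first, so "rn" is folded before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain: str) -> str:
    """Lower-case a domain and fold common look-alike character tricks."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches dropped or swapped letters such as exampl-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for one From: header value."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "external"
    domain = address.rsplit("@", 1)[1].lower()
    if domain == legit_domain.lower():
        return "legitimate"
    norm, legit_norm = normalize(domain), normalize(legit_domain)
    if norm == legit_norm or levenshtein(norm, legit_norm) <= 2:
        return "lookalike"
    return "external"

# Constructed sample From: headers, not real senders.
SAMPLE_FROM_HEADERS = [
    "Jean Dupont <j.dupont@example-corp.com>",
    "Jean Dupont <j.dupont@exarnple-corp.com>",
    "Jean Dupont <j.dupont@example-c0rp.com>",
    "Jean Dupont <j.dupont@exampl-corp.com>",
    "Support <contact@unrelated-vendor.example>",
]

def triage(headers=SAMPLE_FROM_HEADERS):
    """Pair every header with its verdict so the lookalike ones can be quarantined."""
    return [(h, classify_sender(h)) for h in headers]
```

The heuristic only looks at the part after `@` and does not decode internationalised (punycode) domains, so treat it as one signal next to SPF, DKIM and DMARC results rather than a complete check.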
Another major BEC scam
The cybersecurity company Mitiga revealed that cybercriminals netted around $15 million by targeting at least 150 victims across the globe.
- The campaign relied on social engineering, with the attackers impersonating senior executives via Microsoft Office 365 email services.
- The campaign targeted organizations in the law, construction, finance, and retail sectors, mostly in the U.S.
Other recent email compromise attacks
Within the past few months, several major BEC attacks have been observed.
- In mid-August, New York-based trading firm Virtu Financial said that it had lost $6.9 million in a business email compromise scam in May.
- A group of fraudsters named Water Nue was seen targeting business executives of over 1,000 companies across the world since March 2020.
The increasing use of BEC attacks indicates that this is turning out to be a profitable method for fraudsters. Therefore, experts recommend that organizations ensure they have adequate security measures in place to tackle BEC-related threats. Additionally, organizations are advised to block unsolicited emails from suspicious accounts and to train their employees to detect targeted phishing attacks.