Business email compromise (BEC) scams are low-volume, high-payoff attacks: they only need to succeed a few times to be highly rewarding for the criminals behind them. According to the FBI's Internet Crime Complaint Center, losses from BEC scams amounted to nearly $1.3 billion in 2018, roughly double the $676 million reported for 2017.
The Nikkei incident
Nikkei, one of Japan's largest media companies, with about 4 million active subscribers, was scammed out of $29 million in late September 2019 after an employee of its US subsidiary, Nikkei America, wired the money on fraudulent instructions from someone posing as a company executive.
According to Nikkei, it is “taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations.”
How do criminals commit BEC?
BEC scams, also known as CEO fraud, email account compromise (EAC) or whaling, generate over $301 million every month according to FinCEN's analysis of 2018 suspicious activity reports. The mechanics are simple: the attacker sends a request to move money or change payment details that appears to come from a senior executive or a trusted supplier. The message arrives from a spoofed display name, a lookalike domain, or a mailbox the attacker has actually taken over, and replies are steered to an address the attacker controls.
The trend, however, is changing.
What makes the attempt successful? The fear factor
Scammers largely rely on the "fear of the boss" mentality of employees. Employees generally do not dare question or decline a task, often tagged "urgent", that appears to come directly from the most important person in their company. They simply process it, and that is exactly what the criminals bet on.
The manufactured sense of urgency, combined with the employee's hesitation to go back to a superior for a second approval of the transfer, is what makes BEC scams work.
How to stop BEC attacks?
No business is immune to BEC fraud; it targets organizations both large and small. The first and best defence is a zero-trust stance toward email: treat any unsolicited or unexpected request, especially one involving money, payment details or credentials, as unverified until confirmed. Even the slightest doubt about the legitimacy of an email must be reported. In that case the employee must never reply to the message itself (the Reply-To address is under the attacker's control) and, most importantly, must not carry out any financial transaction for the other party until the request has been confirmed through a known channel, such as a phone number already on file rather than one given in the email.
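As an added illustration (not from the original article), the following Python script runs a few header-level heuristics that catch the common BEC tells described above: a display name that matches a known executive while the address does not, a lookalike sender domain, a Reply-To that redirects replies elsewhere, and pressure or payment wording. The organisation domain, the executive directory and both sample messages are constructed for the example; a real mail gateway would run checks like these on inbound mail, and a hit should trigger out-of-band verification rather than an automatic decision.

```python
"""Header heuristics for BEC-style mail (added example, not from the article).
The domain, executive directory and both sample messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                    # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox (assumed)
PRESSURE = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|confidential|wire|transfer|payment)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_flags(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    flags = []

    # 1. Display-name spoofing: the name says "executive", the mailbox does not.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' but sender {addr} is not {expected}")

    # 2. Lookalike domain: one or two characters away from the real one.
    if from_dom and from_dom != INTERNAL_DOMAIN and _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {from_dom}")

    # 3. Reply-To pointing somewhere other than the visible sender.
    if reply_to and _domain(reply_to) != from_dom:
        flags.append(f"Reply-To {reply_to} redirects replies away from {addr}")

    # 4. Urgency/payment wording (weak signal on its own, so kept separate).
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", errors="replace")
    words = sorted({w.lower() for w in PRESSURE.findall(msg.get("Subject", "") + " " + body)})
    if words:
        flags.append("pressure/payment language: " + ", ".join(words))
    return flags


def is_suspicious(raw: str) -> bool:
    """Header anomalies decide; wording alone never does (too many legitimate hits)."""
    return any(not f.startswith("pressure") for f in bec_flags(raw))


# Constructed sample messages for the example.
SCAM = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.office@webmail.example.net
To: accounts-payable@example.com
Subject: Urgent wire transfer

Please process this transfer immediately and keep it confidential.
I am in a meeting and cannot take calls.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts-payable@example.com
Subject: Q3 report

Attached is the Q3 summary for review at Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM), ("legit", LEGIT)):
        print(label, is_suspicious(sample), bec_flags(sample))
```

The wording check is deliberately excluded from the verdict: finance teams receive legitimate "urgent transfer" mail every day, so only a header anomaly should escalate, and even then the outcome is a phone call to the executive on a known number, not a blocked or approved payment.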
Beyond that, enterprises can educate their staff, enforce meticulous verification processes (for example, two-step approval for wire transfers, with the second step confirmed out of band rather than by replying to the email), and stay alert to social media postings about the whereabouts of key people in the organization, since attackers time their requests for moments when the executive is known to be travelling or unreachable.