When an accounts payable employee at a Manhattan advertising firm received an email from the CEO instructing the firm to wire $49,000 to another firm’s bank account, that employee dutifully complied. However, that email didn’t come from the CEO. And while the listed firm was real, the bank account belonged to a shell company set up by a personal trainer using a cyberattack strategy called business email compromise, or BEC.
BEC relies on practices similar to other email spear-phishing scams. Phony emails that look professional in both design and sender address – complete with accurate facts and figures and content customized to deflect suspicion – are sent to employees requesting that money be wired to specific accounts or that sensitive information be revealed. Often, the sender masquerades as an executive, leveraging implied authority so that these requests are fulfilled with little or no hesitation.
All of this makes BEC one of today’s most pervasive and lucrative forms of cyberattack. It also means that organizations hoping to fortify themselves against such attacks need to create a cybersecurity strategy that’s equally comprehensive.
BEC attacks have proven so successful because of their increasingly sophisticated ability to mimic authentic communications and thus allay users’ suspicions. Although more cunning in their deception and more ambitious in their targeting than other spear-phishing schemes, BEC attacks ironically require few technical skills. All that’s needed is some creativity and a willingness to shirk morality, which makes them especially challenging for organizations to combat.
Between October 2013 and December 2016, the FBI estimates that more than 40,000 BEC attacks were carried out in the U.S. alone. These attacks led to $5 billion in losses, $346 million of which happened in only the last half of 2016.
Ultimately, organizations hoping to prevent BEC attacks need to filter malicious emails out before users are forced to decide what is or isn’t real, because by the time an email arrives in a user’s inbox, it’s usually too late. Here are three ways entities can bolster their defenses.
Because BEC is so effective and lucrative, organizations hoping to prevent it need to realize what they’re up against. By implementing a multilayered approach and impersonation filtering, educating users, and creating good governance practices, companies can help protect themselves from these attacks. Given all the money to be made, these attacks aren’t likely going away, and organizations that act now are going to best position themselves to defend against BEC and future cyberthreats.
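The mechanics described above (a display name borrowed from an executive, a sender or reply address that does not belong to the company, a lookalike domain) are exactly what an impersonation filter inspects before a message reaches the inbox. The script below is an added illustration written for this page, not code from the article or any vendor product; the company domain, the executive roster and the three sample messages are all constructed, hypothetical data.

```python
"""Added example: header-level impersonation checks of the kind an
inbound mail filter applies before a message reaches a user.
All organisation data and sample messages below are constructed."""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data: domains the company owns, and the
# executives whose names an impersonator is most likely to borrow.
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}


def _normalize(name: str) -> str:
    """Lower-case a display name and collapse whitespace/commas."""
    return " ".join(name.lower().replace(",", " ").split())


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to an internal domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, max_distance: int = 2) -> bool:
    return any(domain != d and levenshtein(domain, d) <= max_distance
               for d in INTERNAL_DOMAINS)


def assess(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in a message's headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    reasons: list[str] = []

    # 1. Display name matches an executive, but the address is not theirs.
    expected = EXECUTIVES.get(_normalize(from_name))
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' matches an executive "
                       f"but address is {from_addr}")

    # 2. Sender domain is a near-miss of a domain the company owns.
    if from_domain and from_domain not in INTERNAL_DOMAINS and is_lookalike_domain(from_domain):
        reasons.append(f"sender domain {from_domain} is a lookalike of an internal domain")

    # 3. Mail claims to be internal but replies are routed outside.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and from_domain in INTERNAL_DOMAINS and _domain(reply_addr) not in INTERNAL_DOMAINS:
        reasons.append(f"internal sender but Reply-To goes to external {reply_addr}")

    return reasons


# Constructed sample messages (hypothetical addresses and domains).
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe.ceo@mail.example>
To: ap@example-corp.com
Subject: Urgent wire transfer

Please handle the attached invoice today.
"""
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
To: ap@example-corp.com
Subject: Vendor bank details update

Please update the vendor record before the next payment run.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Board meeting agenda

Agenda attached.
"""

if __name__ == "__main__":
    for label, sample in [("spoof", SAMPLE_SPOOF), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(label, "->", assess(sample) or "no indicators")
```

In practice a filter of this kind runs alongside SPF, DKIM and DMARC checks rather than instead of them: those verify who is allowed to send for a domain, while the checks above catch the cases the article describes, where the attacker does not need to forge the company's domain at all, only a name the recipient trusts.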