Despite the recent uptick in cybersecurity awareness with attacks like WannaCry and its aftershocks, email continues to pose high levels of risk to businesses. Cybercriminals are aware that usually the risk is proportional to the reward. With this in mind, they are refining their techniques to find low-risk, high reward scams, seeking to compromise email accounts and impersonate employees, especially those who have access to the company’s finances. One of the most popular methods for stealing funds directly from a company’s coffers is the so-called BEC (Business Email Compromise) scam.

BEC, a high profit scam

The way a BEC scam works is simple: the cybercriminal tricks an employee with access to the company’s finances (anyone from the office manager to the chief financial officer) to make a transfer to an account that supposedly belongs to a client or provider. However, in reality the money is being directly sent to the bank account of the criminal organization.

How does the criminal trick them? The machinery behind these attacks is very complex. These are not the classic scam emails that we’ve all seen in our own inboxes (with strange grammar and spelling mistakes, a hodgepodge of languages, extravagant stories, etc.) but rather they convincingly emulate professional emails. To do this, attackers use techniques such as spear-phishing, identity theft, social engineering, and the use of malware. And they’re still looking for new advanced techniques to commit this fraudulent activity, since the potential return on investment is enormous.

According to the latest data from the Internet Crime Report 2016, the EAC (Email Account Compromise) scams, the personal equivalent of the BEC, together with the BEC, were the attacks with the greatest economic impact of the year. These scams accounted for more than a quarter of recorded losses in 2016 — $360.5 million out of a $1.3 billion total. And yet they are by no means the most common type of threat. With just over 12,000 incidents, they rank 16th among the most common types of crime. That is why they are so popular among criminal organizations: these attacks report around $ 30,000 in earnings on average.

The CEO Fraud

One of the most widespread types of BEC scam is known as “CEO Fraud”. Those responsible for this attack use malware and spear phishing techniques to access the corporate network. Once inside, they spend weeks examining inboxes, the lists of suppliers or clients, and the activities of the CEO (for example, how she expresses herself in writing).

After gathering all this information, the attacker waits for the opportune moment to impersonate the CEO (for example, when she is traveling) and send an email requesting a transfer be made to an account supposedly belonging to a provider or client. The recipient of such emails (usually a member of the accounting team) transfers hundreds or even thousands of euros without suspecting a thing. Once the money has made it to the false account belonging to the criminal organization, the money is laundered to avoid detection by security forces. If a BEC attack is not stopped in time, recovering the transferred funds is almost impossible.

How to prevent BEC scams

The first step to prevent a BEC attack from causing heavy losses to the company is to use additional means of communication, and not just email. When in doubt, call the CEO or speak to her in person to confirm a transaction. You might just save your company some money!

IT security professionals should also rely on advanced security solutions that block the malware used to perpetrate BEC attacks. The process for performing financial transactions should also include double-factor authentication methods. And, above all, it is fundamental to make employees aware that the safety of the company depends to a great extent on them. A single compromised email account can have a devastating effect. All employees, therefore, should be clear about the established procedures to alert their company’s IT security team about any potential threat so that it can be analyzed in detail.