It’s a morning just like any other. An employee gets an urgent email from the company’s CEO. In the email, the CEO says she needs to change the time and date of a meeting that she and the employee had arranged. The employee isn’t going to say no to the CEO, so clicks on the link provided to set the new meeting.

To choose a new time and date, the employee needs to access his Outlook calendar. Once he’s logged in, he accepts the new time slot. And that’s that. Until another employee tells him that someone has stolen his user name and password, accessed the company’s confidential information, and stolen as much of it as possible.

The email was, in fact, fake. It wasn’t sent by the CEO, rather by a cybercriminal. And the website of the Outlook calendar where he logged in was also fake, specifically set up in order to steal login details. In just five minutes, the whole company’s cybersecurity has been seriously compromised.

And this employee is not alone. An identical scam has been affecting a number of large companies, which have suffered a phishing attack whose goal was to access their data. According to GreatHorn, the cybercriminals were detected before any major damage was done, but the scam is still active.


The boom of BEC scams

This is actually nothing new. Rather, it is a new version of the CEO fraud, a scam that involves the attacker posing as the CEO or some high-up in the company. They then trick employees, who don’t have enough time to check whether the email is legit, into making bank transfers or providing confidential information about the company.

Likewise, the CEO fraud is a type of BEC scam (Business Email Compromise), but it is not unique: the tech support scam is another of the many varieties of cybercriminal activity that involve the attacker pretending to be someone with a certain level of authority in order to take advantage of the weakest link in the company’s cybersecurity: the employees themselves.

The consequences of a BEC attack

When a company falls victim to a BEC scam, it faces many possible consequences that can seriously affect both the company’s present and its future.

1.- Theft of information. If a cybercriminal achieves what they set out to do, they’ll be able to get hold of confidential information that is highly valuable to the company. And this information may affect not only the company itself, but also its users, customers, suppliers, and so on, something that could seriously affect its reputation.

2.- Economic losses. According to the FBI’s Internet Crime Report (IC3), in 2017, BEC scams caused losses of over €676 billion in the USA alone, making it cybercriminals’ most lucrative tool.

3.- Loss of innovation. At the same time, companies’ fear of this kind of scam can also have a slowing affect on the adoption of certain emerging technologies, both for the companies themselves and for users. This is one explanation for the fact that there still exists a certain level of reluctance to adopt online banking.

Discover Panda Adaptive Defense

How to avoid BEC scams

Putting a stop to BEC scams should be a priority for any company. To do so, it is vital to have cybersecurity solutions that analyze exactly what is happening at all times on company networks and devices. This is exactly that Panda Adaptive Defense does. It is an advanced cybersecurity solution that automatically monitors all running processes in real time. This means that, if someone does manage to sneak onto the network, or to introduce malware into the system, it is able to detect and neutralize the threat before it can have any consequences. It therefore gets ahead of possible risks as soon as it detects any anomalous process or movement on the corporate network. What’s more, the managed Panda Adaptive Defense Threat Hunting service discovers new attack patters by automatically identifying anomalies in the behaviors of each user, process, and machine.

But this maintaining this level of vigilance shouldn’t be the sole charge of technological tools. Employees also need to play their part, especially if we consider that they often end up acting as a way in for cybercriminals who take advantage of their lack of cybersecurity training. This is why employee awareness needs to be increased, so that, at any given moment, they know how to activate a security protocol, rather than trusting the sender of any old email that they receive.

In any case, this will of course at times be a difficult task. This is why two-factor authentication is also necessary. This will stop the cybercriminal from accessing confidential information, even if they do manage to get their hands on an employee’s data.

Prevention should definitely not be a task that falls squarely on the shoulders of the cybersecurity department. It should be the responsibility of every area of the company. Only then, with all values aligned, cybersecurity solutions activated, and protocols established, will a company be able to stop BEC scams, and thus avoid the million euro losses that they can provoke.