Makerere University

Enter a keyword or two into the search box above and click search..

Business Email Compromise (BEC)

You are here

By Nsanzimana Gilbert

 

Business Email Compromise (BEC) also known as Email Account Compromise (EAC) is a form of cybercrime scam that is intended to ask a victim to make a money transfer, which eventually goes to the attacker-controlled account. The message is highly crafted to look as though it originates from a high-level executive, a colleague within the same company or a vendor that works closely with the company, making a request or a directive to a staff to make the transfer “or complete a large purchase on behalf of the high executive.”


Fig.1 In this example, a criminal is sending a message to an employee with a urging a quick response, which is the art criminals use to deny victims time to reason enough or consult IT staff.

Federal Bureau of Investigation FBI Explains three ways in which criminals carry out BEC scams.

1. Spoofing an email account or website

With this, attackers make slight variations on legitimate address and to a non-critical employee, it still appears authentic. For example, the sender can be (johnwiliam@company.com instead of johnwilliam@company.com).

2. Sending Spear-phishing Emails

The scam can use spear-phishing emails which begin with a simple conversation purportedly from a trusted member. When the criminal has won the confidence of the victim (employee), a request to make a transaction directly or to reveal information that gives the criminal access to the company’s account is made. It can also be strait on point on the first message—the request to make a transaction without a series of conversations. Spear-phishing is one of the most successful cybercrime schemes that accounts for 95% of all attacks targeting enterprise networks, according to Security Boulevard.

3. Using Malicious Software (Malware)

Malicious software can infiltrate a company’s network to gain access to legitimate email thread on billing and invoices. Malware can also give undetected access to victim’s financial accounts and thereby carry out payment requests without being suspected.

What makes BEC successful?

1. No malicious links or attachments involved. Many employees are now suspicious whenever they receive links or attachments from unsolicited sources, attackers are aware and so they avoid using easily detected means.
2. BEC attackers have reliable information of what’s going on in the company prior to the attack. Attackers can impersonate a worker who is not currently physically on-site, so they can pretend to seek remote support in the names of the executive. As with all kinds of scams, attackers prompt immediate action so that the victim may fail to get enough time to make consultations.
3. Fake appearance of the organization’s mailing system. Through spoofing, Attackers craft the appearance to the extent of incorporating the signatures or other email elements commonly used by the executive or other entity that is being impersonated. As the email looks more familiar to the employee, they are more convinced to take the requested action.

BEC schemes especially related to COVID-19 procurements and other funds relating to remote workforce are on rise and workers need to stay awake as far as company cyber security goes.

Recommendations

  • Once a vendor requests unusual changes, contact the vendor on a known contact, not the contact provided in the suspicious communication.
  • Verify the email domains and the “reply to” of the email sender carefully. Especially when using handheld devices that may not directly show the sender address.
  • Employees ought to be very skeptical on last minute transaction requests. If it is urging immediate action, be sure to verify by contacting the personal responsible directly.
  • Remember the normal company transaction channels. If a request will bypass any point in the accounting system of an organization, ask yourself “Why?”
  • Employees need to learn the art of reporting to the IT staff for immediate advice, whenever they are in suspicion of an attack however slight it may seem. You can send a copy of the email to the IT personnel for verification, and this may save hundreds or thousands of company money.
Category: