In the span of a single year, three very different companies became the targets of Business Email Compromise (BEC), an increasingly prevalent type of a cyber-attack, one that is projected to cause over $9 billion in damage in 2018.
One of these companies, San Jose-based maker of networking technology Ubiquiti, disclosed in a quarterly financial report that cyber thieves stole $46.7 million from the company. The Scoular Company, an employee-owned commodities trader that has been in business for over 125 years, lost $17.2 million. Finally, a mid-sized manufacturing company in northeast Ohio nearly lost $315,000 if it weren’t for some quick thinking and a delay with a wire transfer.
These three companies were, by far, not the only targets of BEC that year. According to the statistics published by the Internet Crime Complaint Center (IC3), there were approximately 40,000 BEC incidents between October 2013 and December 2016. In Tennessee alone there were 161 reported BEC cases in 2016, and I’m sure many more that went unreported. “The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370-percent increase in identified exposed losses,” reported the IC3.
What Is BEC?
BEC is a sophisticated scam that can be seen as an evolution of phishing, a social engineering attack that relies on deceptive emails, websites, and sometimes even phone calls. Unlike traditional phishing attacks, which target a broad number of users at once, BEC attacks are highly focused, typically targeting only a single individual, very difficult to recognize, and they often rely on a combination of social engineering and malware.
Most BEC attacks target companies that often perform wire transfer payments to foreign suppliers. An email is sent from a compromised or spoofed corporate email address belonging to the CEO or someone else who is authorized to make financial decisions to someone working at the same company. Assuming the identity of the person the compromised or spoofed email is supposed to belong to, the attackers then ask the victim to send money to an international bank account.
In the span of a single year, three very different companies became the targets of Business Email Compromise (BEC), an increasingly prevalent type of a cyber-attack, one that is projected to cause over $9 billion in damage in 2018.
One of these companies, San Jose-based maker of networking technology Ubiquiti, disclosed in a quarterly financial report that cyber thieves stole $46.7 million from the company. The Scoular Company, an employee-owned commodities trader that has been in business for over 125 years, lost $17.2 million. Finally, a mid-sized manufacturing company in northeast Ohio nearly lost $315,000 if it weren’t for some quick thinking and a delay with a wire transfer.
These three companies were, by far, not the only targets of BEC that year. According to the statistics published by the Internet Crime Complaint Center (IC3), there were approximately 40,000 BEC incidents between October 2013 and December 2016. In Tennessee alone there were 161 reported BEC cases in 2016, and I’m sure many more that went unreported. “The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370-percent increase in identified exposed losses,” reported the IC3.
How to Protect Against BEC?
We at Kraft Technology Group believe that effective protection against BEC attacks should start with employee training to improve security awareness. It is a known fact that 95 percent of all security breaches are caused by human error, which is why companies should threat employee training as a foundational activity and not as something optional.
Employees should be taught to be wary of unexpected emails sent by high-level executives, and they should be encouraged to get a secondary verification of any suspicious request by calling the sender on the phone or asking in person, if possible.
While better security awareness goes a long way, it does not eliminate the need for a comprehensive enterprise-class security solution. One of the ways we protect our clients is by the implementation of a hosted email security gateway which protects small and midsize businesses against BEC through a new dynamic impostor email classifier.
Visit our website to learn more about how we can protect your company against BEC attacks and other cyber threats.
