On the FBI's website "Scams and Safety" page, business email compromise (BEC) is defined as "one of the most financially damaging online crimes" and it's noted that these attacks cost companies "hundreds of thousands of dollars," on average.
Further, a recent APWG report found that the average loss of a wire transfer BEC attack was $80,183 in the second quarter of 2020 — a 32% increase over the first quarter.
While cyber professionals are familiar with what BEC attacks aim to achieve (primarily financial, but also reputational, damage), the terminology surrounding them is often used interchangeably with the broader phishing lexicon, which makes this class of attacks confusing and difficult to categorize.
But for those who are responsible for email threat mitigation, there are several clear instances of BEC attack techniques you should know. To paraphrase Sun Tzu, before you can defeat an enemy, you must first understand it.
Company Financials in the Crosshairs

BEC attacks begin with phishing emails meant to entice a recipient to carry out a task under the guise of a legitimate business activity. What makes them so effective is that the email commonly appears to come from a trusted sender, such as an authority figure. Typically, the cybercriminal asks for some form of monetary payment, or for credentials that let them steal employee personally identifiable information or sensitive company data, such as wage or tax forms, Social Security numbers, and bank account information.
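As an added example (not from the original article), the impersonation pattern just described expressed as a small header-and-body check that a mail gateway or SOC script could run: a trusted display name on the wrong address, a look-alike sender domain, a redirected Reply-To, and payment or wage-form wording. The organisation domain, the executive directory, the lure terms and both sample messages are assumed and constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain
# Assumed directory of people whose names a BEC lure tends to borrow.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Requests the article describes: payments, credentials, wage and tax forms.
LURE_TERMS = ("wire transfer", "w-2", "tax form", "payroll", "bank account",
              "gift card", "password", "urgent")


def bec_indicators(raw: str) -> list[str]:
    """Return the BEC heuristics that fire on one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    expected = EXECUTIVES.get(name.strip().lower())
    # Trusted display name on an address that is not that person's real one.
    if expected and addr != expected:
        findings.append("display-name impersonation")
    # Look-alike domain: same length as ours, exactly one character changed.
    if (domain != INTERNAL_DOMAIN and len(domain) == len(INTERNAL_DOMAIN)
            and sum(a != b for a, b in zip(domain, INTERNAL_DOMAIN)) == 1):
        findings.append("lookalike sender domain")
    # Replies silently redirected to a mailbox the attacker controls.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        findings.append("reply-to mismatch")
    # Payment / PII request wording in the subject or the plain-text body.
    body = msg.get_body(("plain",))
    text = (msg.get("Subject", "") + " " +
            (body.get_content() if body else "")).lower()
    if any(term in text for term in LURE_TERMS):
        findings.append("payment or PII request wording")
    return findings


# Constructed sample: executive name on a look-alike domain, with a lure.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mailbox.test
To: accounts@example.com
Subject: Urgent wire transfer

Please process a wire transfer to the new vendor account today and send me the W-2 forms.
"""

# Constructed benign sample from the real executive address.
SAMPLE_OK = "From: Jane Doe <jane.doe@example.com>\nSubject: Lunch\n\nSee you at noon.\n"
```

Running `bec_indicators(SAMPLE_BEC)` flags all four heuristics, while `bec_indicators(SAMPLE_OK)` returns an empty list; in production the directory and lure terms would come from the organisation's own data rather than these constants.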
There are two general buckets that BEC attacks fall under: spear-phishing (containing malicious links and/or attachments) and, more commonly, social engineering attacks. Th ..