There are many different
types of Business Email Compromise (BEC) attacks, but the smartest and
most likely to succeed are often timed to coincide with something that can lend
them legitimacy, such as tax season.

By infiltrating an
organization to find a few useful details, scammers can craft email messages
that are perfectly timed and convincingly urgent enough to persuade victims to
transfer large sums of money.

The potential risk to your
business is enormous; the FBI
estimates the cost of BEC scams
worldwide between October 2013 and July 2019 was more than $26 billion, mostly
stolen from U.S. organizations.

The mechanics of different
types of BEC attack are very similar, so by breaking them down and educating
your workforce you can dramatically reduce the risk for your business.

What Does a Typical BEC
Scam Look Like?

A successful BEC scam requires some knowledge of your organization’s internal workings. Criminals will identify a target business – all sizes and types of organization are at risk – and they will work to gain access to your network. The first step is likely to be a common phishing email that enables them to gain a foothold. From there, they will try to figure out how financial processes are handled and who is responsible for money transfers.

With the groundwork complete,
they will wait patiently for an opening. A typical example is an incoming
invoice for services from a vendor. The attacker will see this email coming in
and they’ll quickly follow it up with a message that appears to come from the
same vendor, explaining that they’ve just changed their account, and asking you
to wire the money for the last invoice to these new details. Naturally, the new
bank details provided are the scammer’s account and the victim likely doesn’t find
out there was a scam until the vendor makes an inquiry about their unpaid
invoice a few weeks later.

How Tax Season is the New
Hunting Season

Another way attackers can
boost their chances of perpetrating a successful BEC scam is to take advantage
of particular times of year, such as tax season. People are more receptive to
tax-related emails when it’s tax season and there are many ways to trick
victims into handing over details, opening attachments or clicking somewhere
they shouldn’t.

An email asking people to
verify “the attached W2” is an easy place to start. No one wants to pay more
tax than they need to, and when they know taxes need to be filed soon, there’s
an instant sense of urgency. The attached W2 file could be a genuine form that
the attacker is hoping you’ll fill out and return, because it would give them
information that may be used for further frauds and scams. Alternatively, the
W2 may be a malware payload that’s triggered when you try to open the
attachment.

A smart scammer might combine
knowledge that the CEO is out of the office on a trip somewhere with tax season
and send a request for all employee W2s, maybe with a message saying that they
want to work on them during the flight they’re about to board and will hand off
to the tax guy when they land. This information could be used for all sorts of
fraudulent activity and identity theft, if not by the thief, then by other
criminals they may sell the stolen data to.

What To Look For

There are a few reasons why
BEC scams are so prevalent; chief among them is the fact that they actually
work some of the time plus the potential rewards are substantial. No matter the
level of sophistication, there are a few common themes and tricks that
attackers use.

Understanding the mechanics
behind a successful attack can educate you and your staff about what to be
vigilant for.

Social engineering is all
about emotional manipulation and it is an effective way to bypass your usual
critical thinking skills.

With these BEC scams, there’s
almost always a sense of urgency – the attacker wants you to respond before you
think about it twice. They send emails with high importance flags and drop in
deadlines. There might be the threat of not being paid on time, the risk of
taxes being incorrect, or some other kind of anxiety that will irk you if you
don’t respond quickly.

Attackers will spoof email
addresses, and in some cases even use hacked email accounts. They will
represent themselves as an organization you trust, or perhaps even a colleague.
Messages that seem out of character or come in at strange times should be
treated with suspicion. It’s also common for scammers to use domains that are
highly similar to legitimate sources, but they may have one letter different in
the middle, so scrutinize the sender address and look at URLs carefully.

If you stop to think about
these scams and interrogate them, you’ll often be able to identify BEC
attempts, but there’s no substitute for company-wide cultural awareness training.

Training for Security
Awareness

It’s common practice to run
annual security awareness training as part of a compliance checkbox
spreadsheet, but if you want your employees to be properly armed in the fight
against scams you need to train frequently. Flagging periods of higher risk,
such as tax season, is a great way to reinforce and remind people of the
training they’ve had. It doesn’t have to be in-depth technical training, but
make sure they’re aware of major red flags related to social engineering.

Ultimately, if you can get
employees to slow down and think before they act, that could be enough to help
them identify a scam or refer suspicious emails to someone else who can
investigate.