Business Email Compromise: The Billion Dollar Threat You Need to Know

Published on April 6, 2021  |  Cyberfort Advisors

Business email compromise (BEC) is a sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a cyber-criminal compromises legitimate business email accounts through hacking or social engineering to conduct unauthorized funds transfers.

Another popular cyberattack is ransomware. Ransomware is a type of malicious software, or malware, that encrypts data on a computer, making it unusable. A malicious cybercriminal holds the data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable. 

Business Email Compromise Is a Top Threat, and It’s Growing

According to Google Trends, people search on Google for ‘ransomware’ 44 times more often than for ‘business email compromise’. However, the FBI’s latest Internet Crime Report for 2020 reports that business email compromise cost businesses and individuals over $1.8 billion USD, while ransomware cost businesses and individuals around $29 million USD. The cybercrime that gets everyone’s attention accounted for less than 1% of the total damages inflicted by cybercriminals in 2020.

The threat of business email compromise is very real. The same FBI report states that over 241,000 incidents of business email compromise (phishing, vishing, smishing, pharming) were reported in 2020, compared to just under 77,000 reported incidents of ransomware (extortion).

Business Email Compromise (BEC) has 3 times as many reported incidents as ransomware, causes 64 times the damages in real dollars, and attracts 44 times less public interest.

Let those numbers sink in.

Business Email Compromise Types: Phishing, Vishing, Smishing, & Pharming

What makes business email compromise so challenging to defend against is the different tools and platforms a criminal can use to carry out the scam. With the explosive growth in BEC attacks over the past 2 years, the FBI now categorizes them into four types: Phishing, Vishing, Smishing, and Pharming.

Phishing is a cybercrime in which the victims are contacted by email by someone posing as a legitimate institution or colleague to lure individuals into providing sensitive data such as personally identifiable information, banking details, and passwords. This does not mean the criminal has hacked your email server; rather, they use social engineering to dupe their victims.

Vishing (voice phishing) is a cybercrime in which the victims are contacted by phone (VoIP) by someone posing as a legitimate institution or colleague, faking the Caller ID to lure individuals into providing sensitive data such as personally identifiable information, banking details, and passwords. This type of attack is more complex, but it also leaves no “paper trail” for law enforcement.

Smishing is a cybercrime in which the victims are contacted by text message (SMS) by someone posing as a legitimate institution or colleague to lure individuals into providing sensitive data such as personally identifiable information, banking details, and passwords. This type of attack relies heavily on social engineering for threat actors to dupe their victims.

Pharming is a cybercrime involving malicious code and fraudulent websites. Criminals install malware or malicious code on your computer or server. The code automatically directs you to bogus websites without your knowledge or consent, luring individuals into providing sensitive data. Pharming does not need social engineering to be effective.

Increased BEC Threats Means Evolving Your Cybersecurity Strategies

It’s easy to see how all types of business communications have been weaponized by cybercriminals: from low-technology, high-pressure social engineering attacks like vishing to high-technology, no-contact attacks like pharming, no systems are immune. In particular, the ubiquity of email for business communications makes business email compromise an easy attack vector.

Combating business email compromise requires a coordinated effort from the entire organization. It’s not an IT problem, it’s not a legal problem; it’s everyone’s problem. It takes a robust cybersecurity framework combining defenses like managed detection and response systems, endpoint protection, and strong policies with awareness training on how to identify social engineering attempts and what protocols to follow if you think you’ve been defrauded.

Our experts at CyberFort Advisors have decades of experience helping companies improve their cybersecurity posture and become better protected from business email compromise. We harden your defenses, train your employees, and identify threats before they blow up your business. We can create a custom plan unique to your business needs.

Contact us at 1 (866) 221-4004 or [email protected] to learn more.