
What is a BEC Scam?

2019-06-18 by Michelle Dvorak

Business Email Compromise Scams Cost Businesses Millions in Losses

Business Email Compromise (BEC) is a type of online scam that targets businesses that use wire transfers for payments. The US Federal Bureau of Investigation (FBI) reports that since January 2015, there has been a 1,300% rise in financial losses totaling over $3 billion USD. Hackers stole $1.3 billion from companies in 2018, twice the amount of 2017 losses.

Business Email Compromise scams are also known as Man-in-the-Email scams or Email Account Compromises. This type of online scam has been tracked by the FBI’s Internet Crime Complaint Center (IC3) since 2013. Companies in all 50 states and over 100 countries have been targeted. Victims include large corporations, non-profits, churches, and schools. BEC scams target organizations of all sizes but have evolved toward victimizing larger companies that can afford to pay more. Hackers use combinations of online cyber attacks like spear phishing emails, social engineering, identity theft, e-mail spoofing, and malware to establish trust with potential victims. After the hacker patiently builds a relationship with an employee via email or social media, the targeted employee is eventually tricked into wire transferring money to a bank account the hacker has access to.

In one cyber attack vector, social engineering is used to gain access to an employee’s email account by resetting passwords. Many times, social media accounts contain the answers to common password reset questions, like “What city were you born in?” When hackers gain access to an employee’s legitimate email account, they use it to send out emails to employees or business partners who are authorized to send wire transfers. The victims are tricked into paying fraudulent invoices or other business expenses. If the hacker has compromised an email account or an entire IT system, they may be able to convince an employee to pay a legitimate invoice, but the money is wired to the wrong bank account.

Sometimes hackers can convince an employee a wire transfer request originates from the CEO or other executive level employee. Corporate email addresses can be gleaned from company websites, press releases, or LinkedIn profiles. Passwords are stolen through social engineering, malware using keyloggers, or phishing emails.

Hackers may also trick employees who don’t scrutinize their emails carefully enough into thinking the email originates from a legitimate corporate email address. The friendly name of an incoming email is easy to spoof. To ensure an email is from a legitimate sender, the recipient must look carefully at the email box name and not just the name used to sign the email. If the email contains suspicious links, it is best to pick up the phone and call the alleged sender to make sure the email is legitimate.
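
The friendly-name check described above can be automated at the mail gateway or in a triage script. The following is an added example, not part of the original article; the corporate domain, executive names and sample messages are constructed assumptions. It flags a message whose friendly name matches an executive while the mailbox is outside the company, and a friendly name that shows one address while the real mailbox is another.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own directory data.
CORPORATE_DOMAIN = "corp.example"
EXECUTIVE_NAMES = {"jane doe", "sam patel"}

# Constructed sample messages (only the From header matters here).
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@corp.example>\nSubject: Q3 plan\n\nhi",
    "spoofed_name": "From: Jane Doe <jane.doe@freemail.example>\n"
                    "Subject: Urgent wire transfer\n\nhi",
    "address_as_name": 'From: "jane.doe@corp.example" <billing@mail.example>\n'
                       "Subject: Invoice\n\nhi",
}


def check_sender(raw_message):
    """Return a list of findings about the From header of one message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    if "@" not in address:
        return ["unparseable From header"]
    domain = address.rsplit("@", 1)[1].lower()
    name = " ".join(display_name.lower().split())  # normalise case and spacing
    findings = []

    # Friendly name claims to be an executive, mailbox is outside the company.
    if name in EXECUTIVE_NAMES and domain != CORPORATE_DOMAIN:
        findings.append(
            f"executive name '{display_name}' on external mailbox {address}")

    # Friendly name itself looks like an address but differs from the real one.
    if "@" in name and name != address.lower():
        findings.append(
            f"display name shows {display_name} but mailbox is {address}")
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_sender(raw) or "no findings")
```

A clean result only means the From header is internally consistent; a request sent from a genuinely compromised corporate mailbox passes this check, which is why the phone call to the alleged sender still matters.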

Targeting corporations rather than individuals is more lucrative for hackers and scammers. Individuals may pay a small fee to free their device or files from ransomware, but a large corporation can afford more and may likely have an insurance policy to cover the costs of a data breach.

Types of Business Email Compromise (BEC)

  • Bogus Invoice Scheme – Companies that use foreign vendors are targeted with emails requesting a wire transfer to pay fraudulent invoices. If paid, the money goes to a bank account the hacker can access, including those used by money mules.
  • CEO Fraud – Hackers posing as executive level employees send spear phishing emails to employees who can authorize a wire transfer. The money is sent to the hackers’ bank accounts.
  • Email Account Compromise – Hackers compromise a corporate email account and use it to send legitimate or fraudulent invoices to vendors. Wire transfers are routed to the hacker’s bank account.
  • Attorney Impersonation – Hackers impersonating attorneys request personal information in phishing emails or over the phone from human resource employees for use in future spear phishing attacks.
  • Employee Data Theft – This type of BEC scam is also called the W2 scam. Hackers try to trick human resource employees into sending employee W2 forms in bulk, so they can use them for future spear phishing emails or identity theft.

What is a Phishing Email Scam?

Phishing emails are malicious emails sent to victims for criminal purposes. Often scammers are trying to steal money from phishing email recipients by convincing them to send banking information, credit card numbers, or passwords in an email. Often, the recipient is directed to a spoof website that looks very similar to a website the recipient has a financial relationship with. The phishing email scam victim may be encouraged to reset a password when in reality they are giving their login information to hackers.

Phishing emails may be used to gather personal information for another, more targeted form of email scam, the spear phishing email. While phishing emails tend to be sent out to hundreds or thousands of potential victims, and are thus said to be fishing for a response, the spear phishing email is targeted at one person or one organization. The hacker who sends a spear phishing email has already collected personal information about the recipient, like name, workplace, or other personal details. Spear phishing emails are dangerous because the recipient feels they know the sender somehow.

Filed Under: scam Tagged With: BEC

About Michelle Dvorak

Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.


Copyright © 2023 · AskCyberSecurity.com · METRONY, LLC
