According to a recent report by email and data security company Mimecast, the number of Business Email Compromise (BEC) attacks has risen sharply. The quarterly Email Security Risk Assessment (ESRA) report revealed a 269 per cent increase in the number of BEC attacks in the second quarter of 2019 compared to the previous quarter.
How BEC attacks work
BEC attacks tend to target businesses that work with foreign suppliers or perform wire-transfer payments on a regular basis. These schemes, formerly known as Man-in-the-Email scams, compromise official business email accounts with the intention of conducting unauthorised fund transfers.
The FBI says that there are five main BEC scams, all of which allow threat actors to commit impersonation fraud via email. This is done by using methods that evade many traditional security systems.
The bogus invoice scheme
This scam involves an attacker acting as a company’s supplier. They will then request funds to be transferred to the attacker’s bank account as payment for services rendered.
In CEO fraud, the attacker poses as a senior executive of the company and emails the finance department with a request for money to be transferred to an account the attacker controls.
Account compromise occurs when an executive or employee’s email account is hacked and used to request invoice payments to the vendors listed in their email accounts. These payments are then sent to fraudulent bank accounts.
Data theft BEC attacks target staff in finance and HR departments in order to obtain personally identifiable information (PII) or tax statements of employees and executives. Once obtained, this information can be sold on the dark web or used in future attacks.
Finally, attorney impersonation attacks involve the threat actor playing the role of a lawyer or someone from a law firm. They will use this persona to access confidential information.
The ESRA also reports that over 28 million spam emails, 28,808 malware attachments and 28,726 dangerous file types were missed by providers and delivered to users’ inboxes.
Join us for ESRM 2019
Join us for our next Enterprise Security and Risk Management Conference on 27th November 2019. With the increasing accessibility of technology, we all have a role to play in visualising opportunities while ensuring that we are not burdened from doing so due to a lack of internal talent, qualified processes or external interference.