A BEC (Business Email Compromise) scam is a hugely popular cybercrime vector. In this scam, the attackers pretend to be someone else, usually someone with authority in the company (the boss, the CEO, or even a client), in order to trick an employee into making a bank transfer for a fabricated purpose. For cybercriminals, BEC scams are a business with great returns, since they are relatively easy to carry out and can generate large amounts of money.
According to the Financial Crimes Enforcement Network (FinCEN), the frequency of this type of cybercrime increases every year, as does the amount of money it generates. In fact, in its latest report, FinCEN reveals that last year the amount of money generated by this type of scam reached 301 million dollars every month, or 3.6 billion dollars a year.
A scam with a wide range of victims
Together with this data, the FinCEN report collects other information about BEC scams, such as the type of companies that most frequently receive this type of scam.
The manufacturing and construction industries lead the list, constituting 25% of the victims. 18% of the victims are from the commercial services industry, while the percentage of victims in the financial sector has fallen from 16% to 9% this year.
One of the reasons for this fall could be the efforts of financial institutions to strengthen their cybersecurity, together with the abundance of information available to raise awareness among employees of this industry about the cyber threats to which they are exposed.
The methods begin to change
In 2017, the most popular tactic among cybercriminals carrying out BEC scams was to impersonate the company's CEO (33% of cases) to request fraudulent transfers, taking advantage of the fact that no one says no to the CEO. However, in 2018, cybercriminals changed tactics: that year, only 12% of cases used this approach.
Last year, the most popular impersonation was that of a client sending a false invoice, a tactic that accounted for 39% of cases. If we look at the amounts that could be stolen, it's easy to see why this change came about. While "CEO fraud" averaged $50,373, a fake invoice averaged $125,439.
An extreme example of the use of fake invoices was seen in Lithuania. A man managed to deceive Google and Facebook, stealing a total of 123 million dollars by sending fake invoices from a hardware vendor that he had invented.
Malware facilitates BEC scams
Although the instructions to send money and the social engineering itself are carried out through email, malware also comes into play. The messages have to be credible and come from real addresses, or from addresses that closely resemble real ones. To achieve this, cyber attackers use spyware to steal sensitive information or credentials. This information is subsequently used to craft emails that are credible in both form and content, convincing victims that the request is legitimate.
What to do to stop BEC scams?
We have seen that BEC scams move a huge amount of money. To avoid the large economic losses that an incident of this type can cause in a company, a series of guidelines must be followed.
The first thing is to start from a "Zero trust" position. This means not trusting anything that seems out of the ordinary. At the slightest doubt about the legitimacy of an email, do not reply and, above all, do not make any bank transfer. If you are not sure, report it to the IT department.
This position is also valid for preventing spyware, which can be used to initiate a BEC incident, from reaching the company. Attachments that come from strangers or arrive inside a suspicious email should never be opened.
Likewise, it is vital to protect the company against any possible breach of the network. Panda Adaptive Defense constantly monitors all activity across the organization's endpoints. This way you can be sure that neither spyware nor any other advanced threat will reach your organization.
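The two points above (attackers sending from lookalike addresses, and not acting on a doubtful payment request) can be turned into an automated pre-screen on the mail gateway or in the finance team's mailbox. The following is an added example and not code from the original article or from Panda; the corporate domain, executive directory, keyword list and the three sample messages are all constructed for illustration. It flags the identity anomalies typical of CEO fraud and fake-invoice BEC (a known executive's display name on a non-directory address, a typosquatted sender domain, a Reply-To pointing elsewhere) and holds a message for manual verification only when such an anomaly coincides with payment wording, so ordinary invoices are not blocked on keywords alone.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed corporate data for this example (not from the article).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> address in the directory
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|invoice|payment|bank details|urgent)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the reasons a message looks like a BEC attempt (empty list if none)."""
    msg = Parser().parsestr(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []

    # 1. A known executive's display name, but not the address held in the directory.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name '{name}' used with non-directory address {addr}")

    # 2. Sender domain is a near miss of the corporate domain (typosquat / homoglyph).
    if from_dom and from_dom != CORPORATE_DOMAIN and edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {from_dom}")

    # 3. Replies would go to a different domain than the one the message claims to be from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 4. Payment or urgency wording in the subject or (single-part) body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_TERMS.search(msg.get("Subject", "") + " " + body):
        reasons.append("payment or urgency wording present")
    return reasons


def should_hold_for_review(raw_message):
    """Hold for manual verification when payment wording coincides with an identity anomaly."""
    reasons = bec_indicators(raw_message)
    identity = [r for r in reasons if not r.startswith("payment")]
    return bool(identity) and any(r.startswith("payment") for r in reasons)


# Constructed sample messages: CEO fraud, a fake invoice, and a legitimate internal mail.
CEO_FRAUD = """From: Jane Doe <jane.doe@exarnple.com>
To: accounts@example.com
Subject: Urgent wire transfer

I need you to process a transfer today, I am in a meeting.
"""

FAKE_INVOICE = """From: Billing <billing@supplier-invoices.example.net>
Reply-To: billing@mail-supplier.example.org
To: accounts@example.com
Subject: Invoice 2291 - updated bank details

Please note our bank details have changed; see attached invoice.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Friday

Shall we do lunch?
"""

if __name__ == "__main__":
    for label, raw in (("CEO fraud", CEO_FRAUD), ("fake invoice", FAKE_INVOICE), ("legit", LEGIT)):
        print(label, "->", "HOLD" if should_hold_for_review(raw) else "pass", bec_indicators(raw))
```

The hold decision deliberately requires two independent signals: keyword matching on its own would quarantine every genuine invoice, while a lookalike domain on its own may just be a typo in a supplier's setup. Held messages should be confirmed with the supposed sender through a channel other than email, which is the practical form of the zero-trust guidance above.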
The amount of money moved in BEC scams has tripled since 2016, and it will surely continue this upward trend. Therefore, it is more important than ever to ensure that you do not become the next victim of this tactic.