Learn from These BEC Attack Scenarios - Tecbound Technology

BEC is a slippery foe because it takes so many forms, which makes a scheme hard to spot until it is too late. Security awareness training can still ensure that employees recognise the basic types of BEC scam. The scenarios below show what the most common styles of BEC attack look like in action, each with an example of what happened when an unlucky organization fell victim to that variety.

1. Urgent payment required or invoice scams:

The most common variety of BEC attack is the invoice or urgent-payment scam. In this scenario, bad actors pose as representatives of a company or government agency and tell the victim that an invoice must be paid immediately to avoid a negative consequence, such as the interruption of their phone service. Usually they ask for a wire transfer to a fraudulent bank account, but sometimes they request payment by gift card or money card. The control that defeats this scam is procedural rather than technical: any new or changed payment instructions are confirmed out of band, by phone to a number already on file, never to a number or address taken from the email itself.

Example:

  • The FBI received many reports of COVID-19-related BEC invoice fraud targeting large healthcare organizations. Victims received messages claiming that a fake invoice must be paid immediately for the organization to get a shipment of much-needed medical supplies or vaccines. Victims were instructed to pay by wire transfer. Of course, no supplies ever reached those unfortunate healthcare providers.

2. Executive impersonation scams:

Bad actors may pose as an executive at the victim’s company or another organization to entice the victim into downloading a malicious document, sending them money, providing them with sensitive information like financial data or helping them access restricted systems and data.

Example:

  • Pathé, a French cinema company, experienced a BEC attack in which cybercriminals impersonated the company’s CEO. The bad actors approached executives of the company’s Dutch division from an email address on a lookalike of the company’s legitimate domain, pathe.com. The fraudsters convinced the executives to transfer funds to a “new” (fraudulent) bank account to pay for a supposed takeover of a company in Dubai, ending in a loss of $21 million.
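The lookalike-domain trick used against Pathé can be checked for mechanically at the mail gateway or by an analyst. The Python script below is an added example, not code from the article, from Pathé or from any vendor named on this page. It folds a sender domain (accents, digit-for-letter swaps, punycode) and compares it with the protected domain pathe.com using edit distance, a brand-token check, a display-name check and a From/Reply-To mismatch check. Only the protected domain comes from the article; the sample headers are constructed for the demonstration and are not the address the fraudsters actually used, which the article does not give, and the two-label “registrable domain” shortcut and the confusable table are simplifying assumptions.

```python
"""Flag sender addresses that impersonate a protected domain (cousin/lookalike
domains, homoglyphs, brand names in the display name, Reply-To hijacking).
Added example; all sample headers below are constructed, not from a real incident."""
import re
import unicodedata
from email.utils import parseaddr

PROTECTED_DOMAINS = {"pathe.com"}   # the legitimate domain named in the article

# Look-alike substitutions seen in registered cousin domains.
# Assumption: a representative list, not an exhaustive confusables table.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def decode_idna(domain: str) -> str:
    """Turn a punycode label (xn--...) back into Unicode; leave anything else alone."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def fold_domain(text: str) -> str:
    """Lower-case, strip accents (pathé -> pathe) and map confusable characters."""
    folded = unicodedata.normalize("NFKD", text.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for src, dst in MULTI_CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded.translate(SINGLE_CONFUSABLES)


def registrable(domain: str) -> str:
    """Last two labels only. Assumption: no public-suffix list, so co.uk-style TLDs are not handled."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_message(from_header: str, reply_to_header: str = "") -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    display_name, from_addr = parseaddr(from_header)
    from_domain = from_addr.rpartition("@")[2].lower()
    folded = fold_domain(registrable(decode_idna(from_domain)))
    for legit in sorted(PROTECTED_DOMAINS):
        brand = legit.split(".")[0]
        if from_domain == legit:
            continue  # genuine domain; a compromised mailbox (scenario 3) needs other controls
        if folded == legit:
            findings.append(f"homoglyph domain {from_domain!r} folds to {legit}")
        elif levenshtein(folded, legit) <= 2:
            findings.append(f"lookalike domain {from_domain!r} within edit distance 2 of {legit}")
        elif brand in re.split(r"[^a-z0-9]+", folded):
            findings.append(f"brand token {brand!r} inside unrelated domain {from_domain!r}")
        if brand in fold_domain(display_name):
            findings.append(f"display name {display_name!r} invokes {brand} but sender domain is {from_domain!r}")
    if reply_to_header:
        reply_domain = parseaddr(reply_to_header)[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample headers (From, Reply-To). None of these is a real address.
SAMPLES = [
    ('"Chief Executive" <ceo@pathe.com>', ""),                               # genuine
    ("ceo@pathe.co", ""),                                                     # dropped letter
    ('"Chief Executive" <ceo@path3.com>', ""),                               # digit for letter
    ('"Directeur" <ceo@pathé.com>', ""),                                     # accented homoglyph
    ('"Pathé Cinémas CEO" <ceo.pathe@gmail.com>', "finance@pathe-group.com"), # brand in name, Reply-To swap
]


def scan_samples() -> dict:
    """Run the classifier over SAMPLES, keyed by the From header."""
    return {frm: classify_message(frm, rto) for frm, rto in SAMPLES}


if __name__ == "__main__":
    for frm, findings in scan_samples().items():
        print(frm, "->", findings or "clean")
```

Two caveats for anyone deploying something like this: a public-suffix list is needed before `registrable()` is trusted on real traffic, and the genuine-domain case is deliberately not flagged, because the Save the Children example in the next scenario shows why a trusted address is no guarantee once a mailbox has been taken over.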

3. Misrepresentation scams:

In a misrepresentation scenario, bad actors target employees in certain departments with the intent to trick them into providing sensitive information or payments. They may pose as government officials or even executives and colleagues within the target organization.

Example:

  • The charity Save the Children lost $1 million to BEC. In that scam, the attacker gained access to an employee’s email account and used it to send fake invoices and other documents to the charity’s accounting department, claiming the money was needed to pay for non-existent solar panels for a clinic in Pakistan. The accounting department suspected nothing because the invoices came from a genuine, trusted address, which is why sender-domain checks alone cannot stop a BEC attack that begins with a compromised account.

4. Credential or information fraud:

A credential compromise BEC scam starts with bad actors asking the victim to hand over credentials, on the pretense either that they have misplaced credentials they were already given or that they were given the wrong ones to complete a task. Both variants lead to the same result: a bad actor tricks an employee into granting access to systems, accounts and data that the attacker should never have had.

Example:

  • In February 2021, celebrated entrepreneur Obinwanne Okeke was sentenced to 10 years in prison for his involvement in a BEC scheme that resulted in at least $11 million in losses to his victims. Phishing emails gave him the login credentials of business executives (including the CFO of the British company Unatrac Holding), and access to those accounts gave him a direct conduit for BEC attacks.

Stop BEC Before It Starts

Reduce the chance of a BEC scam doing major damage and mitigate other cyberattack risks affordably with two battle-tested security solutions you can rely on.

Security Awareness Training

CISA recently recommended that companies step up their security awareness training programs to combat the current flood of ransomware threats. It’s the right move to make: VentureBeat reports that 84% of businesses in a recent survey said security awareness training has reduced their phishing failure rates, making their employees better at spotting and stopping phishing, the gateway to most of today’s nastiest cyber threats.

Source: ID Agent
