{"id":9375,"date":"2020-11-12T09:52:08","date_gmt":"2020-11-12T14:52:08","guid":{"rendered":"https:\/\/www.cscdbs.com\/blog\/?p=9375"},"modified":"2021-11-09T14:19:18","modified_gmt":"2021-11-09T19:19:18","slug":"business-email-compromise-attacks","status":"publish","type":"post","link":"https:\/\/www.cscdbs.com\/blog\/business-email-compromise-attacks\/","title":{"rendered":"Business Email Compromise Attacks: The Big Phishing Scam That\u2019s Easily Missed"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n
By Stephanie Mitchell, marketing manager<\/i> Share this post <\/strong>\n<\/a>\n<\/a>\n<\/a>\n\n\n\n

Business email compromise (BEC) attacks are arguably the most sophisticated of all email phishing attacks, and some of the most costly. From 2016-2018, BEC alone made $5.3 billion[1]<\/sup><\/sup><\/a>, but it\u2019s not an attack that everyone is familiar with.<\/p>\n\n\n\n

What is business email compromise?<\/strong><\/h6>\n\n\n\n

BEC is a form of email phishing that targets companies rather than the public. Emails appear to come from someone the victim already knows\u2014usually a higher status colleague\u2014asking them to do something ordinary, like setting up and paying a new supplier, or paying an invoice or a staff member.<\/p>\n\n\n\n

BEC attack emails have many of the same characteristics as other forms of phishing emails; they impersonate others, seek to gain data or money from unsuspecting victims, and messaging conveys a sense of urgency.<\/p>\n\n\n\n

What makes them different is their sophistication, and their outcomes. Why? Because the scammer really does their homework.<\/p>\n\n\n\n

How do BEC scams work?<\/strong><\/h6>\n\n\n\n

For a BEC scam to be successful, the victim has to believe the email being sent is genuine. The telltale signs of other phishing emails\u2014spelling errors, noticeably bogus email addresses, unknown senders\u2014aren\u2019t present in BEC scams. Here\u2019s how BEC is achieved:<\/p>\n\n\n\n

  1. Research.<\/strong> A scammer can spend months researching the company and the person within that company they want to target. Social media platforms like LinkedIn\u00ae, Facebook\u00ae, etc. are goldmines for personal information, which scammers use to find out more about their targets, like their roles and responsibilities, their line manager, and direct reports, even the way they write or communicate. Scammers need to know both the person they\u2019re imitating and the person they\u2019re targeting.

    <\/li>
  2. Getting the right domain.<\/strong> The scammer will buy a domain that\u2019s very close to the genuine brand they\u2019re targeting, e.g., ter<\/strong>amundi.net as opposed to terr<\/strong>amundi.net. At a glance, most people would not notice the missing second \u201cr.\u201d They can then use this to set up an email address that matches the person\u2019s they\u2019re imitating, but for that one letter difference\u2014 \u201cjohn.doe@teramundi.net\u201d (fake) as opposed to \u201cjohn.doe@terramundi.net\u201d (genuine).

    <\/li>
  3. Manipulation. <\/strong>BEC scams rely on social engineering techniques to get victims to do what the attacker wants. Scammers use a range of methods to panic the recipient into believing the email is from their superior so the victim takes action quickly, including: