CEO Fraud, or Business E-Mail Compromise (BEC), is an e-mail scam that aims to trick business employees into transferring money or sending sensitive information to a fraudulent account. A recent study by the Internet Crime Complaint Center found that these email scams caused financial losses of more than $5 billion worldwide between 2013 and 2016.

Highly Varied Impersonation Strategies

The fraudulent emails are often sent either from hacked accounts of legitimate employees or from spoofed email accounts that impersonate company addresses using forged banners and signatures. A study conducted by Barracuda Networks found that 43% of the 3,000 emails examined impersonated high-standing positions such as CEOs, while the remainder pretended to be general employees or people working in areas such as finance or human resources. BEC risk is therefore not limited to emails that appear to come from high-level employees, and it cannot be prevented by protecting only those accounts.

Another significant aspect of Business E-Mail Compromise is that the fraudulent emails often contain no suspicious hyperlinks at all. The common spam filters used by email providers, which rely heavily on such links, therefore cannot easily filter these emails out.

Just as the impersonation strategies vary, so do the goals of BEC scams. In the aforementioned Barracuda Networks study, the attackers' goals ranged from fraudulent money transfers, to luring individuals to infected links, to stealing sensitive information.

To help you identify CEO Fraud attempts in your inbox, we have composed a table of common impersonation strategies and attacker goals used in these scams:

Impersonation Strategy

- Hack a legitimate account of a high-level employee
- Impersonate an employee using a fake email address and forged headers, footers and company signatures
- Fake or hack an email address of a close supplier used by the company
- Send fraudulent emails claiming to be from lawyers who have critical and urgent information about your company

Cyberattack Goal

- Ask for a money transfer to a fraudulent account while pretending to be a legitimate company
- Steal personal or sensitive information such as tax forms or other company financial documents
- Establish trust with the employee for further data theft in the future
- Steal W-2 information of clients
- Redirect a money transfer to a fraudulent account during an active deal between the company and a supplier


How do you protect yourself from Business Email Compromise scam attempts?

With so many variants of BEC scam emails, it can be very difficult to reliably tell whether an email from a colleague or boss is legitimate. Instead, always approach any email that asks for personal information or a money transfer with caution.

Always verify the validity of such e-mails by contacting the sender directly over the phone or in person. Furthermore, provide regular training sessions for employees to help them stay vigilant against these scams.
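As an added example, not from the article or from GigE, the script below screens a message for the cues listed above: an executive's display name on an outside address, a Reply-To that differs from the sender, a domain a character or two off the company's or a supplier's, and urgent money-transfer or payroll-data wording. The company domain, executive name, supplier domain, keyword lists and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed assumptions for this example (not values from the article):
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe"}                             # display names attackers borrow
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "acme-parts.test"}  # company plus close suppliers
URGENT_RE = re.compile(r"\b(urgent|immediately|asap|confidential)\b", re.I)
MONEY_RE = re.compile(r"\b(wire|transfer|bank details|w-2|payroll|invoice)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance; catches domains a character or two off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw):
    """Return the BEC cues found in one single-part text/plain message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    text = str(msg.get("Subject", "")) + "\n" + msg.get_content()
    found = []
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        found.append("exec_external")      # forged executive on an outside address
    if reply_domain and reply_domain != domain:
        found.append("reply_to_mismatch")  # answers are routed to another mailbox
    if domain not in TRUSTED_DOMAINS and any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        found.append("lookalike_domain")   # faked company or supplier domain
    # Wording is the only cue left when a genuine account was hacked, so verify by phone.
    if URGENT_RE.search(text):
        found.append("urgency")
    if MONEY_RE.search(text):
        found.append("money_or_data_request")
    return found

# Constructed sample message: executive name, lookalike domain, foreign Reply-To.
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e-corp.test>
Reply-To: jane.doe@webmail.test
Subject: Urgent wire transfer

Please send the payment to the new bank details below today. Keep this confidential.
"""
```

A message from a hacked but genuine internal account trips only the wording checks, which is exactly the case the phone or in-person verification above is meant to cover.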

Our tech experts at GigE have years of combined experience in IT security and internet fraud. Contact us today at +1 888 366 4443 to protect yourself against BEC.