April 2016: BEC - the $2.3 Billion Risk | SecureIT | Kent State University

In April 2016, the FBI issued a warning about business email compromise (BEC), a type of phishing email scam that targets company executives. The FBI reports that between October 2014 and February 2016, more than $2.3 billion was lost to BEC attacks.

BEC attacks typically target organizations that frequently engage in wire transfer payments and/or work with foreign vendors. However, this is not to say that other organizations cannot fall victim as well. The FBI has seen businesses, tech firms, and nonprofit organizations all fall victim.

How BEC Works

BEC attacks typically start with the hacker performing in-depth research on the organization. The first source of information is usually employees' and executives' social media accounts and corporate websites. Once the hackers feel secure in their knowledge of the organization, a targeted email will be sent to an executive. According to the FBI, "The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy."

If the hackers gain access to an executive's email, they will use the address book to find people who work in a finance department. They are looking for anyone who would be able to issue payments on the organization's behalf. Once they have identified this person, they will use their knowledge of the company, and the executive's email, to request that a payment be made via wire transfer.

BEC can have a massive impact on an organization. In 2015, Mattel lost nearly $3 million to a BEC scam. The same style of scam resulted in Ubiquiti, a technology firm, losing more than $46 million.

How to Protect Your Company

Once the payment has been made, there is unfortunately little that an organization can do. The FBI recommends that an organization contact its financial institution immediately when it discovers evidence of a BEC scam. In some cases, the financial institution may be able to reverse the wire transfer. The FBI also recommends that the organization file a report with the Internet Crime Complaint Center.

For more information about BEC scams, please see the full Inspired eLearning post