Business Email Scams, What's the Cost?

Dec 13, 2021

What is a Business Email Compromise Attack?

A business email compromise is when an attacker impersonates the real owner of an email account to trick the company, its customers, partners, or employees into sending money or sensitive data to the attacker.

How Does It Start?

A business email scam starts with research. An attacker will sift through publicly available information about your company from your website, press releases, and even social media posts. The attacker might look for the names and official titles of company executives. The attacker will then either try to gain access to an executive's email account (possibly through phishing) or create an email address on a spoofed domain that looks very similar to the original account. High-level executives and people working in the finance department are the most likely targets.
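One way a mail filter or a reviewer could flag the look-alike domains and executive impersonation described above. This is an added example, not part of the original article; the trusted domain, executive name, substitution table, and edit-distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed placeholders (assumptions, not from the article).
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe"}

# Common visual substitutions seen in look-alike domains (illustrative, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(domain):
    """Collapse look-alike characters so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return the reasons a From header looks like impersonation (empty list if none)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        # Exact match. A hijacked real account passes this check, so payment
        # changes still need confirmation through a separate channel.
        return []
    reasons = []
    for good in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(good):
            reasons.append(f"look-alike characters imitating {good}")
        elif edit_distance(domain, good) <= 2:
            reasons.append(f"domain within 2 edits of {good}")
    if " ".join(name.lower().split()) in EXECUTIVES:
        reasons.append("executive display name on an outside domain")
    return reasons
```

A short trusted domain will produce false positives at a threshold of 2, so tune the threshold to the domains you protect.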

Common Attack Methods

These email scams always appear to come from known sources and make what appears to be a legitimate request. Keep in mind that a message can come from a completely valid contact and still be a fake request if that account was hacked.

The fraudulent invoice scam is when a cybercriminal pretends to be a supplier and requests payment to an account owned by fraudsters. Some attackers simply bulk email invoices to companies in hopes they will just pay the invoice without realizing it is not valid.

The fake boss or CEO scam is when attackers pose as the company CEO or another executive and send an email to employees, the finance department, or creditors asking them to transfer money to an account the attackers control.

Account compromise is when an executive's or employee's email account is hacked and then used to request payments from vendors listed in their email contacts. Another trick hackers use is to simply email customers from the compromised inbox and tell them your bank information has changed, thus diverting invoice payments to the attackers.

The Cost

All the messages in a business email scam are of course fake, and in each case thousands if not hundreds of thousands of dollars can be sent to criminals. According to recent studies, phishing attacks that spoof the CEO or a company director were among the costliest scams reported. The average amount was $35,000. CEO email fraud is not going away anytime soon. In fact, as research shows, it is a fast-growing threat to organizations, and your business will most likely be targeted at some point. Stay vigilant and ensure your employees have the proper training.

Conclusion

CEO fraud is not going away anytime soon. In fact, as research shows, it is a fast-growing threat to organizations, and your business will most likely be targeted at some point. Stay vigilant and discuss these attacks with your IT provider for recommendations on what can be done to reduce your risk.

 
