Business Email Compromise (BEC)

Overview

Business email compromise (BEC) is a type of phishing scam in which the attacker impersonates or compromises an executive's email account to manipulate the target into initiating a wire transfer or disclosing sensitive information.

The attack relies heavily on spear phishing and social engineering. It often targets individuals who conduct purchasing, have other fiduciary responsibilities, or handle sensitive company information.

How do BEC scams work?

  • BEC scams often start with a phishing email intended to obtain unauthorized access to a targeted employee's account.
  • The attacker may exchange a series of emails with the targeted employee in order to build a trusted relationship. Even though these emails do not normally contain links or attachments, they still pose a risk by connecting the attacker to internal sources.
  • Scammers can pretend to be trusted vendors or employees inquiring about payments or sensitive data.
  • Scammers will email employees taken from harvested contact lists, or even call them, to earn their trust.
  • When the targeted employee is out of reach, such as away on business, the cyber thief could send a fake email appearing to come from that employee's office, demanding that a payment be made to the "trusted vendor's" account.
  • With no way to verify whether the email is authentic, the employee may make a hasty decision to approve the payment. Of course, the payment goes to the scammer and not to the trusted vendor.

How do I know this is a BEC attempt?

  • The email requests the recipient to immediately initiate a wire transfer or unexpected purchase.
  • The sender address is a slight variation of a legitimate email address, such as samkelly@rit.edu vs. sam.kelley@rit.edu.
  • The attacker will often pose as an executive-level employee and target those in financial departments.
  • Wire transfer requests may coincide with actual executive travel dates, making the request less unusual.
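The second indicator above (a sender address that is a near-miss of a real one) is mechanical enough to check automatically. The following is an added example, not RIT's own tooling: it parses an inbound From header and flags it when the display name belongs to someone in a directory but the address does not, when the local part matches a known address on a different domain (the "personal account" pattern), or when the local part on the legitimate domain is within a couple of edits of a known one (the samkelly / sam.kelley case). The directory entries, the extra sample addresses, and the edit-distance threshold are constructed for illustration.

```python
"""Lookalike-sender check for BEC triage.

Added example, not RIT's tooling. The directory below and the sample
From headers are constructed; the edit-distance threshold of 2 is an
illustrative choice that must be tuned for short local parts.
"""
from email.utils import parseaddr

# Constructed directory of legitimate senders (display name -> address).
DIRECTORY = {
    "Sam Kelley": "sam.kelley@rit.edu",
    "Jordan Ames": "jordan.ames@rit.edu",
}


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header, directory=DIRECTORY, max_distance=2):
    """Return the reasons a From header looks like an impersonation of a
    directory entry. An exact match, or an address unrelated to anyone in
    the directory, returns an empty list."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparseable address"]
    local, domain = addr.rsplit("@", 1)

    if addr in {a.lower() for a in directory.values()}:
        # Exact match on a known address: nothing suspicious from the address alone.
        return []

    reasons = []
    for real_name, real_addr in directory.items():
        real_local, real_domain = real_addr.lower().rsplit("@", 1)
        # A known person's display name paired with an address we do not know.
        if name and name.lower() == real_name.lower():
            reasons.append(f"display name '{real_name}' with unknown address {addr}")
        # Same local part on a different domain, e.g. a personal or lookalike domain.
        if local == real_local and domain != real_domain:
            reasons.append(f"local part matches {real_addr} but domain is {domain}")
        # Near-miss local part on the legitimate domain (samkelly vs sam.kelley).
        elif domain == real_domain and levenshtein(local, real_local) <= max_distance:
            reasons.append(f"local part within {max_distance} edits of {real_addr}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: the page's own lookalike pair plus a personal-account case.
    for header in ('"Sam Kelley" <samkelly@rit.edu>',
                   "Sam Kelley <sam.kelley@rit.edu>",
                   "Sam Kelley <sam.kelley@gmail.example>",
                   "Pat Lee <pat.lee@rit.edu>"):
        print(header, "->", classify_sender(header) or "no lookalike indicators")
```

A hit from this check is a triage signal, not proof of fraud: legitimate alias changes and people who share a surname will also trip the edit-distance rule, which is why the threshold is a parameter and why the page's advice to verify unexpected requests out of band still applies.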

What is RIT doing to protect me?

  • Rejecting email from known spammers and malicious websites.
  • Ensuring email is coming from the server it claims to be from.
  • Implementing traditional anti-malware and anti-spam protection.
  • Quarantining suspicious messages sent via email.
  • Restricting the ability of others to send from RIT email addresses belonging to high profile individuals.

What can I do to protect myself?

  • Verify all unexpected requests by calling or meeting with the person face-to-face.
  • Carefully check the sender address and context or tone of the email.
  • Report spam and phishing emails to spam@rit.edu.
  • If you believe you may have been victimized by a BEC, contact the RIT Service Center at 585-475-5000 or help.rit.edu to open an incident report ticket.

Correcting Outlook Autofill

After you reply to a BEC attempt, the fraudulent address is cached in Outlook's autofill list and may be offered the next time you address a message to the legitimate sender.

For those who have replied to a BEC attempt, this is how to correct the problem with Outlook autofill.

[Image: fraudulent email showing a fake sender address and an urgent tone of voice.]

You receive a seemingly harmless email. Your boss is asking for some help. They usually don't email you from their personal account, but this seems pretty urgent and you know they are out of the office today. To be helpful, you respond right away, simply saying you can help.

Thankfully, after some time you realize this was too fishy and report the BEC attempt to spam@rit.edu. Done, right? No. The fake address will still be at the top of your autofill suggestions.

[Image: autofill suggestions listing the most recent, fake address first.]

Here is how to make sure the next email you send to your boss doesn't go to the attacker: delete the fake address from your autofill options.

[Image: deleting the address from the autofill options.]

For those who use the Outlook Web App, highlight the fake address in the suggestion list and press the Delete key on your keyboard.

[Image: deleting the address in the Outlook Web App.]