Business Email Compromise
BEC is a type of phishing scam in which the attacker impersonates or compromises an executive's e-mail account in order to get employees of the same organization to initiate wire transfer payments. The attack relies heavily on spear-phishing and social engineering, and typically targets individuals who handle purchasing or other financial responsibilities for a department.
How do BEC scams work?
- BEC scams often start with a phishing email intended to obtain unauthorized access to a targeted employee’s account.
- The attacker may exchange a series of emails with the targeted employee in order to build a trusted relationship. Even though these emails do not normally contain links or attachments, they still pose a risk: every reply connects the attacker a little more closely to the people and processes inside the organization.
- Scammers can pretend to be trusted vendors or employees inquiring about payments or sensitive data.
- The scammers will email employees drawn from the contact lists they have obtained, or even call them, to earn their trust.
- When the person being impersonated is out of reach, such as away on business, the cyber thief sends a fake email in that person's name demanding that a payment be made to the "trusted vendor's" account.
- With no quick way to verify whether the email is authentic, the employee may hastily approve the payment. The payment, of course, goes to the scammer and not to the trusted vendor.
How do I know this is a BEC attempt?
- The e-mail requests the recipient to immediately initiate a wire transfer or unexpected purchase
- The sender address is a slight variation of a legitimate e-mail address, such as email@example.com vs. firstname.lastname@example.org
- The attacker often poses as an executive-level employee and targets those in finance departments
- Wire transfer requests may coincide with actual executive travel dates, making the request less unusual
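The indicators above can be checked mechanically before a message reaches a finance mailbox. The following is an added example, not code from this page or from RIT's mail system, that parses a raw message and reports which indicators fire: a sender domain that is a look-alike of the organization's own domain, an executive's display name on an address outside that domain, a Reply-To that redirects replies elsewhere, urgent payment language, and, for mail that claims the organization's own domain, a missing or failing DKIM/DMARC result in the Authentication-Results header (the sender-authentication check that "ensuring email is coming from the server it claims to be from" in the next section describes). The domain corp.example, the executive names, the keyword lists and the three sample messages are all constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example (none of these come from the original page):
# the organization's own domain, the executives whose names an attacker is
# likely to borrow, and the phrases that mark an urgent payment request.
ORG_DOMAIN = "corp.example"
EXECUTIVES = {"jane doe", "john smith"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today")
PAYMENT_TERMS = ("wire", "gift card", "invoice", "payment", "purchase")
# Character substitutions commonly used when registering a look-alike domain.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("cl", "d"))


def normalize_domain(domain):
    """Fold homoglyph tricks so that c0rp.example compares equal to corp.example."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance; one or two edits is the typical 'slight variation' of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=ORG_DOMAIN):
    """True when domain is not the legitimate one but could be mistaken for it."""
    if not domain or domain == legit:
        return False
    if normalize_domain(domain) == normalize_domain(legit):
        return True
    if levenshtein(domain, legit) <= 2:
        return True
    # corp-example.com, corp.example.net: the organization's label reused elsewhere.
    return legit.split(".")[0] in re.split(r"[.-]", domain)


def bec_indicators(raw_message, legit_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return the list of BEC indicators that fire for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = str(msg.get("Subject", "")).lower()
    findings = []
    # Sender address is a slight variation of a legitimate one.
    if is_lookalike(domain, legit_domain):
        findings.append(f"sender domain {domain} is a look-alike of {legit_domain}")
    # An executive's name on an address outside the organization.
    if name.lower() in executives and domain != legit_domain:
        findings.append(f"display name '{name}' is an executive but {addr} is external")
    # Replies silently redirected to a mailbox the attacker controls.
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To points to a different domain ({reply_domain})")
    # Urgent request for a wire transfer or unexpected purchase.
    if any(t in subject or t in text for t in URGENCY_TERMS) and any(
        t in subject or t in text for t in PAYMENT_TERMS
    ):
        findings.append("urgent request for a payment or purchase")
    # Mail claiming our own domain must carry a passing DKIM or DMARC result from
    # our gateway. A look-alike domain the attacker owns will pass these checks,
    # which is why the domain checks above are still needed.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if domain == legit_domain and not re.search(r"\b(dkim|dmarc)=pass\b", auth):
        findings.append("claims the organization's domain without a passing DKIM/DMARC result")
    return findings


# Constructed sample messages; the Authentication-Results values are made up.
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@c0rp.example>
Subject: Urgent wire transfer
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=c0rp.example; dkim=pass header.d=c0rp.example

I am traveling and cannot take calls. Please process the wire to the vendor account below right away.
"""
SAMPLE_SPOOFED = """\
From: John Smith <john.smith@corp.example>
Reply-To: john.smith.ceo@webmail.example
Subject: Need your help today
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example; dkim=none; dmarc=fail header.from=corp.example

Are you at your desk? I need you to buy some gift cards for a client immediately. I will reimburse you.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@corp.example>
Subject: Q3 invoice approved
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example

The Q3 invoice from the vendor is approved. No further action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("look-alike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

The first sample passes SPF and DKIM because the attacker registered and configured c0rp.example themselves; only the look-alike and impersonation checks catch it. The second sample is a plain spoof of the real domain and fails authentication, but would also be caught by the Reply-To and urgency checks even at a site without DMARC.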
What is RIT doing to protect me?
- Rejecting e-mail from known spammers and malicious websites
- Verifying that e-mail is actually coming from the server it claims to be from
- Implementing traditional anti-virus/anti-spam protection
- Quarantining suspicious messages sent via e-mail
- Restricting the ability of others to send from RIT email addresses belonging to high profile individuals
What can I do to protect myself?
- Verify all unexpected requests by calling the person at a number you already know, or by meeting face-to-face; never use contact details supplied in the suspicious e-mail itself
- Carefully check the sender address and the context/tone of the e-mail
- Report spam/phishing e-mails to email@example.com
- If you believe you may have been victimized by a Business Email Compromise, contact the ITS Service Desk. (585-475-4357)
If you have already replied to a BEC attempt, here is how to rectify the issue.
You receive a seemingly harmless email. Your boss is asking for some help. He usually doesn't email from his personal account, but this seems pretty urgent and you know he is out of the office today. To be helpful you respond right away simply saying you can help.
Thankfully, after some time you realize this was too suspicious and report the BEC attempt to firstname.lastname@example.org. Done, right? No. The attacker's address will still be at the top of your autocomplete suggestions the next time you address an e-mail.
Here is how to make sure your next email to your boss doesn't go to the attacker: delete the address from your autocomplete suggestions.
If you use the Outlook Web App, start typing the address, highlight the fake entry in the suggestion list, and press the Delete key on your keyboard.
For More Information
- FBI: https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise
- TrendMicro: https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
- BEC Video: PhishLine video about Business Email Compromise