Business Email Compromise
Business email compromise (BEC) is a type of phishing scam where the attacker impersonates or compromises an executive's email account to manipulate the target into initiating a wire transfer or giving away sensitive information.
The attack relies heavily on spear phishing and social engineering. It often targets individuals that conduct purchasing, have other fiduciary responsibilities, or handle sensitive company information.
How do BEC scams work?
- BEC scams often start with a phishing email intended to obtain unauthorized access to a targeted employee's account.
- The attacker may exchange a series of emails with the targeted employee in order to build a trusted relationship. Even though these emails do not normally contain links or attachments, they still pose a risk by connecting the attacker to internal sources.
- Scammers can pretend to be trusted vendors or employees inquiring about payments or sensitive data.
- The scammers will email employees from embedded contact lists or even call them, earning their trust.
- When the targeted employee is out of reach, such as away on business, the cyber thief could send a fake email from his or her office, demanding that a payment be made to the trusted vendor's account.
- With no way to verify if the email is authentic, the employee may make a hasty decision to approve the payment. Of course, the payment goes to the scammer and not the trusted vendor.
How do I know this is a BEC attempt?
- The email asks the recipient to immediately initiate a wire transfer or make an unexpected purchase.
- The sender address is a slight variation of a legitimate email address, such as firstname.lastname@example.org vs. email@example.com.
- The attacker will often pose as an executive level employee and target those in financial departments.
- Wire transfer requests may coincide with actual executive travel dates, making the request less unusual.
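The first three indicators above can be checked mechanically on the sender header and message text. The following Python is an added example, not part of the original page or RIT's mail filtering; the domain example.edu, the name Pat Example, the keyword lists and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re
from email.utils import parseaddr

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Assumed keyword lists; tune them to your own mail traffic.
URGENT = re.compile(r"\b(immediately|urgent(ly)?|right away|asap)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|payment|purchase|gift cards?)\b", re.I)

def bec_indicators(from_header, subject, body, trusted_domains, executives):
    """Return the names of the BEC indicators a message matches."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    trusted = domain in trusted_domains
    found = []
    # Sender domain is close to, but not the same as, a trusted domain.
    if not trusted and any(0 < edit_distance(domain, t) <= 2 for t in trusted_domains):
        found.append("lookalike_domain")
    # An executive's name in the display name, sent from an outside address.
    if not trusted and display.strip().lower() in {e.lower() for e in executives}:
        found.append("executive_name_external_address")
    # Urgency combined with a payment or purchase request.
    text = f"{subject}\n{body}"
    if URGENT.search(text) and PAYMENT.search(text):
        found.append("urgent_payment_request")
    return found

# Constructed sample data (not from the page).
TRUSTED = {"example.edu"}
EXECS = {"Pat Example"}
SAMPLES = [
    ("Pat Example <pat.example@examp1e.edu>", "Quick favor",
     "I need you to initiate a wire transfer immediately. I am traveling."),
    ("Pat Example <pat.example@example.edu>", "Agenda", "Notes for Monday attached."),
]

if __name__ == "__main__":
    for frm, subj, body in SAMPLES:
        print(frm, "->", bec_indicators(frm, subj, body, TRUSTED, EXECS))
```

These checks only cover impersonation from outside addresses. A message sent from a genuinely compromised internal account passes all of them, which is why verifying unexpected requests by phone or in person still matters.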
What is RIT doing to protect me?
- Rejecting email from known spammers and malicious websites.
- Ensuring email is coming from the server it claims to be from.
- Implementing traditional anti-malware and anti-spam protection.
- Quarantining suspicious messages sent via email.
- Restricting the ability of others to send from RIT email addresses belonging to high profile individuals.
What can I do to protect myself?
- Verify all unexpected requests by calling or meeting with the person face-to-face.
- Carefully check the sender address and context or tone of the email.
- Report spam and phishing emails to firstname.lastname@example.org.
- If you believe you may have been victimized by a BEC, contact the ITS Service Desk (585-475-7357).
Correcting Outlook Autofill
After replying to a BEC attempt, the fraudulent address is now cached in Outlook and may be autofilled the next time you try to send to the legitimate sender.
For those that have replied to a BEC attempt, this is how to correct the problem with Outlook autofill.
You receive a seemingly harmless email. Your boss is asking for some help. He usually doesn't email from his personal account, but this seems pretty urgent and you know he is out of the office today. To be helpful you respond right away simply saying you can help.
Thankfully after some time, you realize this was too fishy and report the BEC attempt to email@example.com. Done, right? No. The fake email will still be at the top of your autofill address bar.
Here is how to make sure the next email you send to your boss doesn't go to the attacker. Delete the email from your autofill options.
For those that use the Outlook Web App, while selecting the fake email, press the delete button on your keyboard.
For More Information
- FBI: https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise
- TrendMicro: https://www.trendmicro.com/vinfo/us/security/definition/business-email-compromise-(bec)
- BEC Video: PhishLine video about Business Email Compromise
- Gift Cards and Business Email Compromise attacks: https://www.agari.com/email-security-blog/gift-cards-emerging-bec-method/