Security Awareness: Business Email Compromise Attacks

By Rebecca Tague, Security Analyst

25 Jan, 2023

This is the third blog in our three-part series on security. Check out Security Awareness: Cybercrime Gangs to State-Sponsored Hacks and Security Awareness: FIDO (Fast Identity Online) Authentication for more on the topic.

In August of 2022, the City of Lexington, Kentucky, was defrauded of $4 million in federal funds intended for housing assistance. The city had sent the funds to what they thought was the nonprofit Community Action Council. However, it became apparent that something was wrong when the nonprofit reported having never received the funds.

This is one of the latest examples of a popular cyber attack called business email compromise (BEC). In these attacks, the fraudster impersonates an employee or a business to socially engineer the victim into paying an invoice from a seemingly trusted source. In this example, the fraudster had impersonated the Community Action Council and had sent the City of Lexington an invoice for the funds. Because this was something the city was expecting, and it seemed that it was legitimate, the city may have just paid the invoice as a matter of course. Little did it know, these funds were then transferred to a private bank account and the true nonprofit did not receive a penny.

According to the FBI's Internet Crime Report, BEC was the leading source of fraud in 2021. Last year, the bureau estimated $2.4 billion in losses from this kind of attack. To put that in perspective, the second-largest source of fraud in 2021 was investment scams, coming in at around $1.5 billion in estimated losses. Facebook, Google, Toyota, and the Government of Puerto Rico have all been victims of this type of attack in the past few years.

BEC attacks are becoming widespread due to their effectiveness. They rely on social engineering and psychological tricks to manipulate victims into complying with the attacker's request. That said, there are a few ways to minimize your attack surface when it comes to BEC attacks:

  • Verify email addresses for even the slightest discrepancies
  • Check for any changes in the recipient account number or payment processing procedures
  • Build backchannels of communication so sensitive requests can always be verified
  • Never open an email attachment from a sender you don't recognize
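
The first three checks above can be partly automated in an accounts-payable workflow. The following is an added example, not part of the original post; the vendor record, domain names, account strings and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed vendor master record (hypothetical domain and account values).
VENDORS = {
    "example-nonprofit.org": {"account": "021000021:1234567890"},
}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Extract the lower-cased domain from a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def review_payment_request(from_header, account):
    """Return the reasons a request needs verification over a backchannel.

    An empty list means none of these checks fired, not that the request is safe.
    """
    reasons = []
    domain = sender_domain(from_header)
    vendor = VENDORS.get(domain)
    if vendor is None:
        # Unknown domain: check whether it is a near-miss of a vendor on file.
        lookalikes = [k for k in VENDORS if edit_distance(domain, k) <= 2]
        if lookalikes:
            reasons.append(f"sender domain '{domain}' resembles '{lookalikes[0]}'")
        else:
            reasons.append("sender domain is not a known vendor")
    elif vendor["account"] != account:
        # Correct domain but new bank details: the mailbox itself may be compromised.
        reasons.append("payment account differs from the account on file")
    return reasons

if __name__ == "__main__":
    spoofed = "Example Nonprofit <billing@examp1e-nonprofit.org>"  # constructed
    print(review_payment_request(spoofed, "021000021:1234567890"))
```

Any non-empty result should route the invoice to a phone call or other pre-established contact, never to a reply on the same email thread.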

There is no silver bullet when it comes to security. As new security technologies and protections arise, bad actors are constantly looking for ways to socially engineer their way around these tools. But by staying vigilant and aware, we can lessen the chances of their success.

Sources
https://www.scmagazine.com/brief/email-security/feds-kentucky-city-probe-4m-bec-attack-theft

https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf (page 9)

https://www.tessian.com/blog/business-email-compromise-bec-examples/

https://report.woodard.com/articles/7-ways-to-secure-your-firm-from-business-email-compromise-bec-attacks-p8btwr