What is a BEC? Hint: It Bites, Hard
April 19, 2016 by Bill Rosenthal

A few weeks ago, I wrote about the trend of criminals using counterfeit email messages to dupe employees into providing private information and files. The technique involves sending an authentic-looking message to an employee the criminal has targeted and extensively researched. In the blog post, I wrote about a case in which the spoofed message requested all the employee W-2 forms. But there are other variations as well.

Computerworld recently ran a story about an FBI alert that put a number on the size of this problem: $2.3 billion. That’s the total reported loss to businesses from scams like this between October 2013 and February 2016, spread across 17,642 reported cases.

Note that no malware or network intrusion is involved here. This is not ransomware or network penetration; it’s a case of criminals simply asking for something and, because they ask for it in the right way, getting it. Sometimes they skip the intermediate step and just ask for money. According to the FBI, “The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”

Over the past 16 months, the FBI has seen a 270% increase in cases like this. The problem is so common that the FBI has given it a name: “business e-mail compromise” (or BEC) scam. The Bureau also put out a public service announcement about it. That announcement included this description of the latest BEC scam model: “Victims report being contacted by fraudsters, who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds. This type of BEC scam may occur at the end of the business day or work week or be timed to coincide with the close of business of international financial institutions.”
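The scheme the FBI describes above leaves a few fingerprints that a mail gateway or a payroll mailbox rule can check before a human is pressured into acting: a display name that matches an executive but an address that doesn’t, a sender domain one character off from the real one, a Reply-To that quietly redirects the conversation elsewhere, and urgency or secrecy language paired with a request for funds or records. The Python script below is an added example, not code from this post, from Logical Operations, or from the FBI announcement; the company domain, the executive roster, the keyword lists, and the two raw messages it scores are all constructed assumptions.

```python
"""Heuristic BEC triage for one inbound message (added example, not from the post).

Assumptions (all hypothetical): the protected domain is example-corp.com,
the executive roster has one entry, and the two raw messages are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # assumed protected domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumed roster: name -> real address
URGENCY = ("urgent", "immediately", "confidential", "quickly", "today", "discreet")
MONEY = ("wire", "transfer", "payment", "invoice", "funds", "w-2", "w2")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> list[str]:
    """Return the list of reasons the message looks like a BEC attempt (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    reasons = []

    # 1. Display name belongs to an executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' but sender is {from_addr}")

    # 2. Sender domain is a near miss of the company domain (one or two edits away).
    if 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {from_domain}")

    # 3. Replies would go to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Pressure language combined with a request involving money or records.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    words = set(re.findall(r"[a-z0-9-]+", text))
    if words & set(URGENCY) and words & set(MONEY):
        reasons.append("urgency language combined with a funds/records request")
    return reasons


# Constructed sample: the "CEO" writes from a lookalike domain with an off-domain Reply-To.
SAMPLE = b"""From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jdoe.ceo@mail-relay.example>
To: payroll@example-corp.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset=utf-8

I am in a meeting with our lawyers and need a wire of $48,500 sent today.
Please keep this confidential and confirm when done.
"""

# Constructed sample: a routine message from the real executive address.
CLEAN = b"""From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Q2 offsite agenda
Content-Type: text/plain; charset=utf-8

Attached is the agenda for next month's planning offsite.
"""

if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(label, triage(raw) or "no BEC indicators")
```

None of these checks is proof of fraud on its own; a legitimate executive may well write from a phone with an odd Reply-To. The point is that a message tripping several of them at once should route to a verification step (a call back on a known number, never a reply to the message) rather than straight to the person who can move money.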

The FBI offers a half dozen solid suggestions for protecting your business from BEC scams, and I recommend you visit the public service announcement and check out those tips. But I wanted to add another tip for you: administer the CyberSAFE Readiness Test to your employees, particularly those who manage money. We developed this test so that businesses can determine what kind of training their employees need to develop the judgment to handle the sorts of spoofed messages you find in a BEC scam. The test is free, but it would be a bargain at almost any price. In our launch of it, fewer than 10% of participants who took the test passed it. If you think you can’t be victimized by a BEC scam, you’re probably mistaken.

I can’t guarantee the test will prevent your victimization by a BEC scam, but I do know it’s a good place to start in your campaign of self-defense. I suspect the 17,642 victims who have been hit thus far wish they’d had access to it.

For more information about the CyberSAFE Readiness Test and to receive access to the test at no charge, please contact us at +1.800.889.8350 or insidesales@logicaloperations.com.