So let’s start with the basics. What is BEC?
Business Email Compromise (BEC) is a type of scam in which criminals use email fraud to target victims. The scammer pretends to be a high-level member of your company, usually a CEO or partner, and requests urgent payments or information.
And why should you care?
Well, these kinds of attacks have been on the rise significantly. They increased 29% in 2021, and as many as 98% of employees fail to report the threat, either because they do not recognise the scam or because they feel embarrassed or scared to admit their mistake.
An article published by The Guardian last year revealed that more than £1.3bn was stolen by scammers in 2021 through authorised push payment (APP) fraud, of which 40% was BEC scams.
The article reports: “There were 461 CEO fraud cases last year, a jump of 29%, with losses increasing 165% to £12.7m.”
How does BEC work?
BEC attacks are usually well-crafted and sophisticated, making it difficult to identify them. The attacker first researches the target organisation and its employees. They gain knowledge about the company’s operations, suppliers, customers, and business partners.
Much of this information is freely available online, on sites like LinkedIn, Facebook, and organisations’ websites. Once the attacker has enough information, they can craft a convincing email designed to appear to come from a high-level executive or a business partner.
Consider your own LinkedIn profile: a scammer could write to you posing as your CEO, congratulating you again on your promotion, asking how the networking event went last week, or acknowledging your recent certification. They could even imitate your CEO’s tone of voice by visiting their LinkedIn profile.
This initial email could be enough to convince you it’s legitimately them, and once you’ve responded, the scammer could then move on to send a more urgent email, requesting you make a payment or transfer funds. The email will usually emphasise the request being for an urgent and confidential matter, like a new business opportunity, a vendor payment, or a foreign tax payment.
The urgency of the request could impact your judgment and make you feel stressed, so you send the money without questioning the legitimacy of the email.
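The pattern described above (an email that appears to come from an executive, asks for a payment, and leans on urgency and confidentiality) can be turned into a simple triage check on the defender's side. This is an added example, not code from the article; it assumes the impersonation uses the executive's name as the display name on an address outside the company's domain, and the domain, executive names and sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed assumptions: the organisation's own domain and the executives
# whose identity a BEC email typically borrows.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Language the article says BEC emails rely on: urgency, secrecy, and a
# payment or transfer request.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)
CONFIDENTIAL = re.compile(r"\b(confidential|discreet|between us|don'?t tell)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|pay|funds|bank details)\b", re.I)


def normalise_name(name):
    """Lower-case the display name and drop punctuation so 'Jane Doe' matches."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def bec_indicators(from_header, subject, body):
    """Return the list of BEC indicators found in one message, in a fixed order."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    indicators = []
    # Executive's name on the display name, but the address is not ours:
    # the simplest form of "appears to come from the CEO".
    if normalise_name(display_name) in EXECUTIVE_NAMES and domain != CORPORATE_DOMAIN:
        indicators.append("executive-name-external-address")
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        indicators.append("urgency")
    if CONFIDENTIAL.search(text):
        indicators.append("confidentiality")
    if PAYMENT.search(text):
        indicators.append("payment-request")
    return indicators


def is_suspected_bec(from_header, subject, body):
    """Impersonation combined with a payment request is the core pattern;
    urgency and secrecy are supporting signals worth showing the reviewer."""
    found = bec_indicators(from_header, subject, body)
    return "executive-name-external-address" in found and "payment-request" in found


# Constructed sample messages: one scam in the style the article describes, one genuine.
SCAM = ("Jane Doe <jane.doe@gmail-mail.example>", "Quick favour - urgent",
        "Are you at your desk? I need a wire transfer to a new vendor today. "
        "Keep this confidential until the deal is announced.")
GENUINE = ("Jane Doe <jane.doe@example.com>", "Team lunch",
           "Well done on the certification! Lunch is on me on Friday.")
```

A scammer who has taken over the executive's real mailbox sends from the corporate domain, so the address check alone will not catch that case; the urgency and payment indicators still fire and a payment request should always be confirmed with the executive out of band.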