Business Email Compromise
Business email compromise (BEC) is a form of social engineering fraud in which attackers use email to target commercial, medical, government and non-profit organizations and induce someone inside the organization to act on the attacker's behalf, typically by paying a fraudulent invoice, changing a supplier's payment details or buying gift cards. Related spear-phishing attacks impersonate a trusted party to harvest credentials or data for further criminal activity, and consumer privacy breaches often begin with a compromised business mailbox.
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Versions of these scenarios happened to real victims. All the messages were fake, and in each case thousands, or even hundreds of thousands, of dollars went to criminals instead of the intended recipient. In 2020 the FBI received 19,369 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints with adjusted losses of over $1.8 billion (source: IC3 2020 Annual Report).
Alaris Threat Management Consultants can help train your employees so they do not fall prey to threat actors. We also can provide your firm with social engineering exercises to ensure that you and your employees are aware of new threats.
Can’t Even Trust the Bank
Bank of America employee Mouaaz Elkhebri, of Alexandria, Virginia, is alleged to have exploited his position at the bank to help scam five businesses out of more than $1.1 million. According to prosecutors, Elkhebri's alleged role in the plot was to open multiple bank accounts that purported to belong to legitimate companies, as well as accounts for other members of the gang, circumventing the banking industry's "know your customer" requirements. Another member of the gang tricked firms into transferring funds into the bogus accounts. That effort used lookalike domains so that emails to the targeted companies appeared to come from their genuine suppliers.
Cases like this can act as a timely reminder for organizations to employ the training systems within the Alaris service to ensure that their staff understands and avoids the risks of BEC.
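The lookalike domains in the case above are one of the few parts of a BEC attack that can be checked mechanically before a human is ever fooled. The script below is an added example, not code from this page or from Alaris: it takes a constructed list of trusted vendor domains and flags sender domains that are subtly different from them (a dropped or added letter, a digit "1" in place of "l", a Cyrillic letter in place of a Latin one, or a trusted name buried inside an attacker's domain). The trusted domains and sample "From" headers are made up for illustration; the thresholds are assumptions to tune for your own vendor list.

```python
"""Flag e-mail sender domains that look like, but are not, a trusted vendor domain.

Added example for this page; the vendor list and sample senders are constructed.
"""
from __future__ import annotations

import re

# Constructed list of domains the organisation actually does business with.
TRUSTED_DOMAINS = {"acme-supply.com", "northwind-title.com", "example-bank.com"}

# Characters and digraphs attackers commonly substitute for visually similar ones.
# Written as escapes so the look-alikes are unambiguous in source.
HOMOGLYPHS = {
    "0": "o", "1": "l", "rn": "m", "vv": "w",
    "\u0131": "i",                      # dotless i
    "\u03bf": "o",                      # Greek omicron
    "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p",  # Cyrillic a, e, c, p
}


def normalize(domain: str) -> str:
    """Lower-case and fold known look-alike characters to their Latin counterparts."""
    d = domain.lower().strip().rstrip(".")
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Pull the domain out of a From header such as 'Accounts <ap@acme-supply.com>'."""
    m = re.search(r"@([^>\s]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def sld(domain: str) -> str:
    """Second-level label, e.g. 'acme-supply' for 'acme-supply.com' (assumes a one-label TLD)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def classify(address: str, trusted: set[str] = TRUSTED_DOMAINS, max_distance: int = 2) -> tuple[str, str | None]:
    """Return ('trusted', domain), ('lookalike', trusted_domain_imitated) or ('unknown', None)."""
    dom = sender_domain(address)
    if not dom:
        return ("unknown", None)
    if dom in trusted:
        return ("trusted", dom)
    norm = normalize(dom)
    for t in sorted(trusted):
        nt = normalize(t)
        if norm == nt:                              # differs only by homoglyphs
            return ("lookalike", t)
        if norm.endswith("." + nt):                 # genuine subdomain, same registrant
            return ("trusted", t)
        if norm.startswith(nt + ".") or ("." + nt + ".") in norm:
            return ("lookalike", t)                 # trusted name used as a subdomain of another domain
        # Trusted name embedded in a longer registrable name (acme-supply-billing.com);
        # the length floor (assumed) avoids flagging everything for very short vendor names.
        if len(sld(nt)) >= 5 and sld(nt) in sld(norm):
            return ("lookalike", t)
        if levenshtein(norm, nt) <= max_distance:   # typo-squat: acme-suply.com, acme-supply.co
            return ("lookalike", t)
    return ("unknown", None)


def scan(senders: list[str]) -> list[tuple[str, str, str | None]]:
    """Classify each sender; returns (address, verdict, trusted domain matched or None)."""
    return [(s, *classify(s)) for s in senders]


# Constructed sample From headers, one per trick the page describes.
SAMPLE_SENDERS = [
    "Accounts <ap@acme-supply.com>",                             # real vendor
    "Accounts <ap@acme-suply.com>",                              # dropped letter
    "Accounts <ap@acme-supp1y.com>",                             # digit one for letter l
    "Accounts <ap@\u0430cme-supply.com>",                        # Cyrillic a
    "Billing <billing@acme-supply.com.invoices-portal.net>",     # trusted name as a subdomain
    "Closing Dept <closing@northwind-titles.com>",               # extra letter
    "Notifications <notify@mail.acme-supply.com>",               # genuine subdomain
    "Someone <x@gmail.com>",                                     # unrelated
]

if __name__ == "__main__":
    for address, verdict, match in scan(SAMPLE_SENDERS):
        print(f"{verdict:10} {address:55} {match or ''}")
```

A hit from this check is a reason to stop and verify the request out of band (a phone call to a number already on file, never one taken from the suspicious email), which is the control the training above is meant to instil. The check is deliberately conservative: internationalised domain names arrive as punycode ("xn--...") labels and must be decoded before the homoglyph fold, and multi-label TLDs such as .co.uk need a public-suffix list rather than the simple second-level split used here.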