Business email compromise (BEC) uses social engineering to manipulate employees into transferring funds or divulging sensitive information. According to the FBI's Internet Crime Complaint Center (IC3), nearly 20,000 BEC complaints were filed in 2021 with adjusted losses of about $2.4 billion, making BEC one of the costliest categories of cybercrime the FBI tracks.
Anatomy of a BEC scam
Gift card scams
One of the most common BEC tactics involves gift cards. Threat actors impersonate a senior executive and ask an employee to buy gift cards, ostensibly for a client or a staff reward, and to send back the card numbers and scratch-off PINs. Once the employee does so, the scammers drain the cards within minutes, and because gift cards are effectively cash the money is almost never recovered.
Vendor impersonation
BEC scams frequently involve the impersonation of legitimate vendors or business partners. Cybercriminals spoof the vendor's email address or register a look-alike domain, produce convincing invoices that match the real vendor's format, and request an urgent wire transfer or a "change of bank details" that redirects legitimate payments to an account they control.
Acquisition deception
During mergers and acquisitions, BEC attackers may seize the opportunity to infiltrate the process. They may impersonate employees of the target company or the acquiring firm, providing fake banking details and diverting funds intended for the transaction.
Executive impersonation
A hallmark of BEC scams is the impersonation of high-level executives, such as the CEO or CFO. Threat actors use the perceived authority and the sense of urgency to pressure employees into taking immediate action, often resulting in the transfer of funds to fraudulent accounts.
Phishing and credential theft
Many BEC scams begin with phishing: deceptive emails that trick employees into entering their login credentials on a fake sign-in page or running malware. Once attackers control a corporate mailbox, they read existing threads, add inbox rules that hide their activity, and insert fraudulent payment instructions into conversations that are already under way, so the request arrives from a genuine account inside a genuine thread.
Victims of business email compromise
Tech giants succumb to BEC scams
Even the most prominent technology companies have fallen victim to BEC attacks. Ubiquiti, Facebook, and Google have all suffered significant losses, proving the pervasive nature of these scams and the need for security measures across all industries.
Charities and non-profits
Homeless charities, religious institutions, and children's healthcare providers have all been targeted, indicating the indiscriminate nature of BEC attacks.
Government entities
Government agencies and public sector organizations have also fallen prey to BEC scams. The government of Puerto Rico, a city in Utah, and a school district in Michigan have all experienced substantial financial losses due to these sophisticated attacks.
Small and medium-sized businesses
While high-profile incidents garner the most attention, smaller businesses are not immune to BEC scams. Real estate firms, construction companies, and even individual home buyers (whose closing funds are diverted by a spoofed title company or agent) have been victims, showing that organizations of every size need controls against these attacks.
The financial toll of BEC scams
Ubiquiti: A $46.7 million vendor fraud debacle
The networking company Ubiquiti fell victim to a BEC scam in which attackers impersonated company staff and legitimate vendors to request transfers to overseas accounts, resulting in a $46.7 million loss. The incident shows how a well-crafted request, with no malware involved at all, can cause devastating financial damage.
Facebook and Google: A $121 million phishing heist
Even tech giants like Facebook and Google were not spared. A Lithuanian man, Evaldas Rimasauskas, impersonated a real hardware vendor that both companies used and, between 2013 and 2015, tricked them into wiring over $121 million to accounts he controlled. He pleaded guilty to wire fraud in 2019.
Scoular: A $17.2 million acquisition deception
In 2014, the agricultural commodities company Scoular fell victim to a $17.2 million BEC scam during an acquisition. Emails impersonating the CEO and the company's outside accounting firm persuaded the corporate controller to wire the money to an overseas bank account for the supposed deal, showing how the secrecy and urgency surrounding a transaction can be turned against the people handling it.
St. Ambrose Catholic Parish: A $1.75 million religious scam
Religious organizations are not immune to BEC attacks. In 2019, St. Ambrose Catholic Parish in Brunswick, Ohio, lost $1.75 million after hackers who had compromised parish email accounts convinced staff that the contractor renovating the church had changed its bank account details.
Toyota Boshoku: A $37 million international BEC assault
BEC scams are also committed internationally. In 2019, the European subsidiary of Toyota Boshoku, a Toyota group auto-parts supplier, lost about $37 million after a third party posing as a business partner directed that a payment be sent to a fraudulent account.
Perpetrators of business email compromise
Obinwanne Okeke: An $11 million global crime leader
Obinwanne Okeke orchestrated a multi-year, global BEC scheme that caused $11 million in losses. His team harvested login credentials with phishing emails, then used the compromised accounts to send fraudulent wire-transfer requests with fake invoices attached. He was sentenced to 10 years in prison in 2021.
Noel Chimezuru Agoha and Accomplices: A $1.1 million scam network
A group led by Noel Chimezuru Agoha facilitated a $1.1 million BEC scheme against multiple victims by posing as representatives of companies with whom the victims had ongoing business relationships.
Guillermo Perez: A $2.2 million individual impersonation scheme
Guillermo Perez is accused of impersonating individuals and businesses over email in ordinary financial transactions, tricking victims into transferring funds into bank accounts controlled by him and his co-conspirators, resulting in $2.2 million in losses.
Protecting against business email compromise
Secure email clients
Moving to a business-grade email platform with spam filtering, malware detection, and transport encryption reduces the volume of malicious mail that reaches employee inboxes. Bear in mind that many BEC emails carry no malware or links at all, just a plausible request in plain text, so filtering alone will not stop them; it is one layer, not the whole defense.
Email monitoring software
Email monitoring software that analyzes incoming and outgoing messages for BEC red flags (an executive's display name on an external address, look-alike sender domains, a Reply-To that differs from the sender, mail that fails SPF/DKIM/DMARC checks, and payment or urgency language) can surface an attempt early, before a wire is sent. Monitoring outbound mail and mailbox configuration also catches the auto-forwarding rules attackers add after taking over an account.
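As an added example (not part of the original article, and not Paubox's product code), the scanner below runs those checks over a few constructed messages. Everything in it is an assumption for illustration: the protected domain example.com, the executive roster, the trusted vendor domain acme-supplies.com, the keyword list, and the four sample emails. It uses only the Python standard library and expects single-part text messages, which is what most BEC lures are.

```python
"""Heuristic BEC red-flag scanner for raw RFC 5322 messages (added example, not
Paubox code). Every domain, name, keyword and sample message here is constructed."""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # assumed display-name roster
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}  # assumed org + known vendors
FINANCIAL_TERMS = ("gift card", "wire transfer", "urgent", "confidential",
                   "updated account", "new bank", "before end of day")
_DIGIT_FOLD = str.maketrans("0135", "oles")             # 0->o, 1->l, 3->e, 5->s

def normalize_domain(domain):
    """Fold to ASCII lowercase and collapse common look-alike substitutions."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    return folded.replace("rn", "m").replace("vv", "w").translate(_DIGIT_FOLD)

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        nd, nt = normalize_domain(domain), normalize_domain(trusted)
        if nd == nt or edit_distance(nd, nt) <= 2:
            return trusted
    return None

def scan_message(raw):
    """Return human-readable red flags for one message; an empty list means nothing fired."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # 1. Executive display name paired with an address that is not the executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append(f"display-name impersonation: '{name}' sent from {addr}, expected {expected}")
    # 2. Sender domain that is a typo-squat or confusable of a domain we trust.
    mimicked = lookalike_of(from_domain)
    if mimicked:
        flags.append(f"look-alike sender domain: {from_domain} resembles {mimicked}")
    # 3. Reply-To steering replies away from the visible sender domain.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to mismatch: From {from_domain} but replies go to {reply_domain}")
    # 4. Exact trusted domain that the receiving MTA did not authenticate (classic spoof).
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in TRUSTED_DOMAINS and "dmarc=pass" not in auth:
        flags.append(f"claims trusted domain {from_domain} but DMARC did not pass")
    # 5. Payment and urgency vocabulary in subject or body (single-part text bodies assumed).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [term for term in FINANCIAL_TERMS if term in text]
    if hits:
        flags.append("financial/urgency language: " + ", ".join(hits))
    return flags

# Constructed samples. Headers must start at column 0, hence the backslash after the quotes.
GIFT_CARD_LURE = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Quick favor
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dmarc=pass

Bob, are you at your desk? I need you to pick up some gift cards for a
client today. It's urgent and confidential. Send me the card numbers."""
VENDOR_LOOKALIKE = """\
From: Acme Supplies Billing <billing@acme-supp1ies.com>
Reply-To: Acme Billing <ar.desk@outlook.com>
Subject: Invoice 4471 - new banking details

Our bank has changed. Please use the updated account details below for the
wire transfer before end of day Friday."""
SPOOFED_EXEC = """\
From: Jane Doe <jane.doe@example.com>
Subject: Payment today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail

Are you in the office? I need a wire transfer processed today, it is urgent."""
LEGIT_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
Subject: Lunch Friday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass

Team lunch at noon on Friday, let me know if you can make it."""

if __name__ == "__main__":
    for label in ("GIFT_CARD_LURE", "VENDOR_LOOKALIKE", "SPOOFED_EXEC", "LEGIT_INTERNAL"):
        print(label, "->", scan_message(globals()[label]) or ["no flags"])
```

The gift-card lure trips the display-name and language checks, the vendor lure trips the look-alike, Reply-To and language checks, the spoofed executive mail trips the DMARC check, and the legitimate lunch invitation trips nothing. In production the keyword check is the noisiest of the five and is best used to raise a score rather than block on its own; the domain, Reply-To and DMARC checks are far more precise.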
Data loss prevention tools
Deploying data loss prevention (DLP) tools that identify and block the transfer of sensitive data, such as financial records, patient information, or login credentials, helps prevent both accidental leaks and deliberate exfiltration by a compromised account.
Regular email password resets
Requiring strong, unique passwords (ideally generated by a password manager) and resetting them promptly whenever compromise is suspected reduces the risk of unauthorized access to corporate email accounts. Note that current NIST guidance (SP 800-63B) recommends against forcing password changes on a fixed schedule, because that practice pushes users toward predictable variations; screening new passwords against lists of known-breached passwords is the better control.
Employee awareness and training
Educate employees on the tactics and red flags of BEC scams: treat unsolicited requests for payments, gift cards, or credentials with suspicion, check the sender's actual address rather than just the display name, and avoid clicking suspicious links or attachments. Most importantly, require that any change to a vendor's bank details or any unusual payment request be confirmed out of band, by calling a phone number already on file rather than one supplied in the email.
Multi-factor authentication
Implementing multi-factor authentication (MFA) for email logins adds a second factor, typically a one-time code from an authenticator app, a push approval, or a hardware security key, on top of the password. If a scammer acquires a user's credentials through phishing, they still cannot log in without that second factor. Two caveats: SMS codes are the weakest option (SIM swapping and interception), and any code the user types can be relayed by a real-time phishing proxy, so phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys are the better choice for executive and finance accounts.
Our suggestion: Paubox ExecProtect
Paubox ExecProtect is an email security product aimed at targeted phishing (spear-phishing) of executive-level accounts, which attackers favor because of the authority and access those accounts carry. It filters for impersonation attempts, including domain-name spoofing, where an attacker sends mail that appears to come from a legitimate domain, and blocks them before they reach the recipient.
FAQs
What is a BEC attack and why is it dangerous for healthcare organizations?
A BEC attack is one in which criminals compromise or impersonate a business email account to trick recipients into sending money or sensitive information. It is dangerous for healthcare because it can expose protected health information (PHI), disrupt operations, and cause direct financial losses.
What are the common tactics for cybercriminals in BEC attacks targeting healthcare organizations?
Cybercriminals use tactics like phishing emails, spoofed email addresses, and social engineering. They often target executives, finance departments, and administrators, posing as trusted contacts to deceive them into sharing information or making unauthorized transactions.
How can healthcare organizations identify potential BEC attacks?
Healthcare organizations can spot BEC attacks by looking for unexpected requests for sensitive information or money, slight variations in email addresses or domains, and urgent or pressuring messages, especially ones that discourage confirming by phone. Email security tools that check sender authentication and flag impersonation, together with training employees to recognize suspicious emails, are also essential.
What steps should a healthcare organization take if it falls victim to a BEC attack?
Steps to take include:
- Immediate containment: reset the compromised account's password, revoke its active sessions and tokens, and remove any mail-forwarding or inbox rules the attacker added.
- Notification: contact the bank at once to attempt a recall of any transferred funds (recovery odds fall sharply after the first hours), then inform affected parties and stakeholders.
- Investigation: determine how the account was accessed, what mail was read or sent, and what data, including any PHI, was exposed.
- Recovery: secure the environment, restore systems, and strengthen controls such as MFA and out-of-band payment verification.
- Reporting: file a complaint with the FBI's IC3 and meet legal notification requirements, including the HIPAA Breach Notification Rule where PHI was involved.