A BEC scam is a form of cybercrime. It is particularly sophisticated because it is difficult for victims to detect, and it targets large, medium and small businesses alike.
How does a BEC scam work?
The abbreviation BEC stands for Business Email Compromise, which means compromising or manipulating business emails. That is already the core of the scam: fraudsters intercept business emails. What makes it particularly dangerous, however, is the sophisticated and frighteningly patient approach.
- In a BEC scam, cybercriminals gain access to a company's email via its email provider, specifically to the mailbox of a person such as the CEO or the head of accounting.
- They read the business email traffic, and that is where the cunning fraud already starts: they learn which words the person likes to use, how they construct their sentences and with which greetings they sign off.
- So the scammers learn to imitate the person perfectly in their correspondence. Then they strike.
- They intercept emails from the person or write emails to business partners in the person's name. The emails look deceptively real: they contain the same logos as the official mails and appear to come from the person the business partners are already in regular contact with anyway.
- In these business emails, the criminals either ask for an urgent payment or tell the partners that the account details have changed, so that the transfer lands with them instead.
- The phished person does not notice this at first. The scammers delete the emails they send from the person's mailbox and are, most of the time, the ones actually communicating with the business partner.
- It is only when the legitimate parties get angry about unpaid bills, or about the accusations levelled at them, that it comes out that there must be a security problem.
How can you protect yourself from the cyber criminals?
As early as 2019, the Federal Bureau of Investigation released information that companies of various sizes had been defrauded of $26 billion by BEC scams. The number of these perfidious scams continues to rise. It is important to protect yourself from BEC scams and to act quickly should you suspect fraud.
- Always use two-factor authentication for your email accounts and banking accounts. While this does not make it impossible to gain access to your email provider, very few cybercriminals even have the technical means to do so.
- You may know that you can protect yourself from phishing by checking for pixelated or fake logos and for spelling mistakes in emails. Unfortunately, most BEC scammers are too smart to make such rookie mistakes. Still, it never hurts to take a closer look at the email.
- Always pay close attention to the sender's email address for large and important payment requests. Is a letter suddenly capitalised? Is there an extension such as .ru hanging behind the email address? That is reason enough to contact your business partner again, ideally by telephone or a call with webcam.
- Changes in bank details are a red flag. Pay special attention to the sender, or ask again by phone or internet call whether the change is correct.
- If emails from your partner suddenly end up in spam, or you receive a notice from your email provider that suspicious activity has been detected, inform the business partner concerned and stress that the fraudsters are often invisible to the victims. You can suggest checking the email traffic supposedly exchanged between you, because the criminals delete the mails that the phished person is not supposed to see.
- Are you surprised that a business partner claims to have paid, but nothing arrives in your account? Or have you made a transfer, but the money never arrived? These are alarm signs of a BEC scam. Contact your bank immediately and have the transfer recalled while you still can.
- Report the fraud or attempted fraud to the police.
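The sender-address checks from the list above (changed capitalisation, an extra extension hanging behind a familiar domain, a look-alike address) can be partly automated before a payment request is acted on. The following Python is an added example and not code from the original article; the partner addresses are constructed sample data and the 0.8 similarity threshold is an assumed value.

```python
import difflib
from email.utils import parseaddr

# Addresses of partners you already correspond with. Constructed sample
# data for this example; replace with your own address book.
KNOWN_PARTNERS = {"invoices@acme-example.com", "j.doe@partner-example.org"}


def closest_known(addr: str, known: set) -> tuple:
    """Return (known_address, similarity) for the most similar known address."""
    best, best_score = "", 0.0
    for candidate in known:
        score = difflib.SequenceMatcher(None, addr.lower(), candidate).ratio()
        if score > best_score:
            best, best_score = candidate, score
    return best, best_score


def check_sender(header_from: str, known: set = KNOWN_PARTNERS) -> list:
    """Warnings for the From: header of a payment-related email; an empty list
    means an exact match with a known partner. The checks follow the article:
    changed capitalisation, a suffix such as .ru hung behind a familiar
    domain, and look-alike addresses."""
    raw = parseaddr(header_from)[1].strip()   # drop any display name
    addr = raw.lower()
    if raw in known:
        return []                             # exact match with a trusted address
    if addr in known:
        return [f"capitalisation differs from known address {addr}"]
    warnings = []
    domain = addr.rsplit("@", 1)[-1]
    for candidate in known:
        known_domain = candidate.rsplit("@", 1)[-1]
        # e.g. acme-example.com.ru: the familiar domain with something appended
        if domain != known_domain and domain.startswith(known_domain):
            warnings.append(f"extra suffix after known domain {known_domain}: {domain}")
    if not warnings:
        best, score = closest_known(addr, known)
        # 0.8 is an assumed threshold; tune it against your own address book
        if 0.8 <= score < 1.0:
            warnings.append(f"look-alike of known address {best} (similarity {score:.2f})")
        else:
            warnings.append("address not in the list of known partners; verify by phone")
    return warnings


if __name__ == "__main__":
    for sample in ("invoices@acme-example.com", "invoices@acme-exampIe.com",
                   "invoices@acme-example.com.ru", "John Doe <J.Doe@partner-example.org>"):
        print(sample, "->", check_sender(sample) or ["ok"])
```

A warning is a prompt to confirm with the partner by phone or video call, as the list above advises, not proof of fraud.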