BEC Scams: What You Need to Know!

As we get deeper into October, which is National Cybersecurity Awareness Month, the need for proper cyber hygiene measures is more apparent than ever. Since the onset of the pandemic and the spike in remote work, cyber threats and attacks such as Business Email Compromise (BEC) scams have also been steadily on the rise, making it imperative that your business stay up to date on ways to stay protected and vigilant.

BEC scams have been growing in popularity for some time now. If you’re not familiar with BEC, it’s when a fraudulent email is sent to a company or individual, and the email appears to be from a legitimate business resource or person. The scammer’s address often differs from the legitimate email address by just a letter or two. The scam email may instruct the recipient to transfer money, purchase gift cards, click on a malicious link, or send other information that the scammer does not already have, such as cell phone numbers. BEC scams usually succeed because the recipient sees the familiar name or title of the sender and reacts quickly, or hesitates to question authority.

According to a recent report from Barracuda, a cybersecurity company, the method these cybercriminals use to reach their victims is surprisingly simple and straightforward: legitimate email accounts.

Barracuda found that hackers launched 100,000 BEC attacks on over 6,000 organizations by using 6,170 legitimate email accounts (which, of course, were created with malicious intent). These accounts were registered with providers such as Gmail, AOL, and other well-known email services.

The report further outlines the attacks’ details, identifying that 45% of the BEC scams since April of 2020 were carried out with these email accounts. Gmail appears to be the platform of choice, with 59% of the accounts originating there. This can probably be credited to the cost of creating an account (it is free), the ease of registering a new account, and the solid reputation that a company like Google carries – meaning mail from its domain is much more likely to pass through security filters.

While the email account the attacker uses stays the same, the sender’s display name typically gets updated from time to time so it goes unnoticed by the recipient. These accounts are not often used for more than 24 hours before they go dormant, either to lessen suspicion or, if the account has already been flagged, to reduce the likelihood of being detected by another server. That doesn’t mean the account is gone for good.
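The two signs described above, an address a letter or two off a trusted one and a familiar display name paired with an unfamiliar mailbox, can be checked mechanically on inbound mail. The following is an added example, not code from the original post or from Barracuda; the trusted directory, domain and sample headers are constructed for illustration.

```python
# Added example: flag From headers showing the two BEC indicators described in
# the post. TRUSTED_CONTACTS and TRUSTED_DOMAINS are a constructed sample
# directory standing in for a real address book.
from email.utils import parseaddr

TRUSTED_CONTACTS = {  # constructed: display name -> the mailbox it should come from
    "Jane Doe": "jane.doe@example-corp.com",
    "Accounts Payable": "ap@example-corp.com",
}
TRUSTED_DOMAINS = {"example-corp.com"}  # constructed corporate domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains off by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return the BEC indicators found in a From header (empty list = none)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    if domain and domain not in TRUSTED_DOMAINS:
        # Lookalike domain: close to a trusted one but not identical
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, trusted) <= 2:
                findings.append(f"lookalike domain {domain!r} resembles {trusted!r}")
    known = TRUSTED_CONTACTS.get(name.strip())
    if known and known != addr:
        # Familiar name, unfamiliar mailbox: the display-name trick from the post
        findings.append(f"display name {name!r} expected at {known!r}, got {addr!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, one free-mail impersonation,
    # one lookalike domain with a digit 1 in place of the letter l.
    for hdr in ['"Jane Doe" <jane.doe@example-corp.com>',
                '"Jane Doe" <janedoe.ceo1234@gmail.com>',
                '"Accounts Payable" <ap@examp1e-corp.com>']:
        print(hdr, "->", check_sender(hdr) or "ok")
```

A mail gateway rule built on this would route flagged messages for review rather than block them outright, since a genuine new vendor can also trip the display-name check.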

As previously stated, BEC scams are not new. They are just a small ‘subdivision’ of the much bigger phishing issue – the single most used point of entry for breaching the data held within a company’s business infrastructure. With the cost of certain cybersecurity measures being minimal and the return on investment potentially paying off very quickly, the risk of going unprotected far outweighs the cost of these measures.

Ongoing training is one of the best ways to arm employees and clients with the right tools and knowledge to detect and recognize a variety of phishing attacks. Bravo provides the tools and expertise to ensure that your business is benefiting from the best security practices for today’s environment. There’s no better time to get started than now!

Speak with a Cybersecurity Expert Today