Business email compromise (BEC) attacks happen when someone uses email to pose as a legitimate, trusted source in order to commit fraud, for example by submitting fictitious invoices for payment after changing the bank account number on file for a supplier. Some of the most common and damaging examples are fake invoices, fraudulent routing number change requests and fake payment requests that appear to come from executives.
The best ways to prevent or mitigate such attacks are to require verification of any payment or banking change through an external channel (a phone call to a number already on file, never one supplied in the email); to implement more stringent verification processes for payments; to educate users to recognize specific red flags (e.g., unusual or extremely urgent requests); and to deploy digital signatures for email.
This piece provides an overview of BEC attack methods and best practices to help detect and prevent this type of email fraud and spoofing.
A growing variety of targeted phishing attacks affects every industry sector. A BEC attack is a form of social engineering and a subset of spear-phishing: rather than casting a wide net, the attacker researches a specific organization and its people, then impersonates someone the target already trusts.
Some of the most common and damaging BEC attacks include fake invoicing, routing number change requests and fake payment requests from executives.
Fake invoicing happens when phishers pose as an existing vendor or supplier and send requests for payment of invoices to accounts payable.
A fraudulent routing number change request works like the fake invoice: the phisher poses as an existing supplier or vendor and asks accounts payable to update the bank routing and account number on file. This potentially has more impact than a single fake invoice because it is more "permanent": every legitimate payment to that supplier is redirected to the attacker's account until someone notices.
A common BEC scam is to impersonate a trusted executive who has the authority to request a transfer of funds (see Figure 1). The request can be justified in many ways, including vendor/supplier payments, new projects, bonus pool allocations, expense reimbursements, stock or trust transactions, etc. The message typically stresses urgency and secrecy and asks the recipient to reply only by email.
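The three attack types above leave characteristic traces in the message itself: an executive's name in the display name but an outside address, a Reply-To that points somewhere other than the From domain, a sender domain that is one character off a real vendor's, and urgency or bank-change language in the text. The following Python script, added here as an illustration and not IANS code or a vendor product, scores a raw email against those red flags. The directory data (corporate domain, executive names, known vendor domains) and the three sample messages are constructed for the example.

```python
"""Heuristic BEC red-flag scoring over RFC 5322 messages (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed organisational context (hypothetical; populate from your directory).
CORPORATE_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}            # names attackers like to borrow
KNOWN_VENDOR_DOMAINS = {"acme-supply.com"}

URGENCY_RE = re.compile(r"\b(urgent(?:ly)?|immediately|asap|right away|today)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire|transfer|payment|invoice|funds)\b", re.I)
BANK_CHANGE_RE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank|banking|account|routing)\b", re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (acme-supp1y vs acme-supply)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: set[str]) -> bool:
    """True when the domain is close to, but not exactly, a trusted domain."""
    return any(domain != t and edit_distance(domain, t) <= 2 for t in trusted)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return the red flags found in one message and their summed weight."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")

    flags = {}
    # Executive's name in the display name, but the address is not ours.
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom not in CORPORATE_DOMAINS:
        flags["display_name_impersonation"] = 3
    # Replies silently redirected to a domain other than the sender's.
    if reply_dom and reply_dom != from_dom:
        flags["reply_to_mismatch"] = 2
    # Near miss of a corporate or known vendor domain.
    if is_lookalike(from_dom, CORPORATE_DOMAINS | KNOWN_VENDOR_DOMAINS):
        flags["lookalike_domain"] = 3
    if URGENCY_RE.search(text):
        flags["urgency"] = 1
    if PAYMENT_RE.search(text):
        flags["payment_request"] = 1
    if BANK_CHANGE_RE.search(text):
        flags["bank_detail_change"] = 2
    return {"flags": flags, "score": sum(flags.values())}


# Constructed sample messages (not real captures).
EXEC_IMPERSONATION = """\
From: Jane Doe <jane.doe@example-ceo.net>
Reply-To: Jane Doe <jd.private@webmail-example.net>
To: ap@example.com
Subject: Urgent wire needed today

Are you at your desk? I need a wire transfer of $48,500 sent immediately for a
confidential acquisition. I am in meetings all day, so reply here only.
"""

VENDOR_ROUTING_CHANGE = """\
From: Accounts <billing@acme-supp1y.com>
To: ap@example.com
Subject: Updated banking details for invoice 4471

Please note our bank account has changed. Route payment for the attached invoice
to the new routing number and account shown on the invoice.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 planning deck

Attached is the deck for Thursday. No action needed before then.
"""

if __name__ == "__main__":
    for label, raw in [("exec", EXEC_IMPERSONATION), ("vendor", VENDOR_ROUTING_CHANGE), ("benign", BENIGN)]:
        print(label, score_message(raw))
```

The weights are arbitrary starting points; the useful output is the list of flags, which maps directly onto the questions an accounts payable clerk should ask before acting (is this really the executive's address, why does the reply go elsewhere, is that the vendor's exact domain). A score does not replace the out-of-band call to a known-good number, it only tells you which messages deserve one.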
Consider using the following best practices to help mitigate BEC attacks.
BEC attacks are easy to fall for and hard to detect, but there are usually red-flag indicators that, if recognized, let staff stop an attack before any money moves. Performing regular security risk assessments and keeping both anti-phishing tools and risk mitigation plans up to date helps to build an effective anti-BEC program. Individuals are the vulnerable link in BEC attacks, so organizations should offer consistent education, training and simulations to help employees recognize and report potential BEC attempts.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
February 29, 2024
By IANS Research