Business email compromise (BEC) attacks happen when someone uses email to pose as a legitimate, trusted source to commit fraud, for example, by submitting fictitious invoices for payment after changing the bank account number for a supplier. Some of the most common and damaging examples include fake invoicing, fraudulent routing number change requests and fake payment requests from executives.
The best ways to prevent or mitigate such attacks include requiring verification through external channels; implementing new, more stringent verification processes; educating users to recognize specific red flags (e.g., unusual or extremely urgent requests); and deploying digital signatures for email.
This piece provides an overview of BEC attack methods and best practices to help detect and prevent this type of email fraud and spoofing.
There is a growing, wide variety of specific phishing attacks targeting all industry sectors in business. A BEC attack is a form of social engineering and a subset of spear-phishing.
Some of the most common and damaging BEC attacks include fake invoicing, routing number change requests and fake payment requests from executives.
Fake invoicing happens when phishers pose as an existing vendor or supplier and send requests for payment of invoices to accounts payable.
Routing number change requests are similar to the invoicing example: a supposed supplier or vendor asks for its routing number to be changed. This potentially has more impact than the invoicing example because the change is more "permanent": every future payment goes to the attacker's account, not just one invoice.
A common phishing scam is to impersonate a trusted executive with authority to request financial transfer of funds (see Figure 1). The request could be for a variety of reasons, including vendor/supplier payments, new projects, bonus pool fund allocation, expense reimbursements, stock or other trusts, etc.
Consider using the following best practices to help mitigate BEC attacks.
BEC attacks are easy to fall for and hard to detect, but there are usually red-flag indicators that help mitigate them. Performing regular security risk assessments and keeping both anti-phishing tools and risk mitigation plans updated helps build an effective anti-BEC program. Individuals are the vulnerable link in BEC attacks, so organizations should offer consistent education, training and simulations to help employees recognize and report potential BEC attacks.
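The red flags this article names (urgency, payment and invoice requests, bank-detail changes, executive impersonation) can be encoded as a simple triage rule that tells accounts-payable staff when a request must be confirmed through an external channel before any money moves. The script below is an added example written for this page, not IANS code or a product recommendation. The organisation domain, the executive names, the keyword lists, the scoring weights and the three sample emails are all constructed assumptions; the reply-to mismatch check is an added heuristic that the article does not mention.

```python
"""Rule-based BEC red-flag scoring over constructed sample emails (illustrative only)."""
from dataclasses import dataclass

# Constructed organisation context (assumptions, not from the article).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}  # display names a fraudster might borrow

# Constructed keyword lists; a real deployment would tune these per organisation.
URGENCY = ("urgent", "immediately", "asap", "right away", "before end of day", "confidential")
PAYMENT = ("wire", "invoice", "payment", "transfer", "funds")
BANK_CHANGE = ("routing number", "account number", "new bank", "updated bank", "banking details")

WEIGHTS = {
    "urgency": 1,
    "payment_request": 1,
    "bank_detail_change": 2,
    "executive_impersonation": 3,
    "reply_to_mismatch": 2,
}


@dataclass
class Email:
    from_display: str
    from_addr: str
    subject: str
    body: str
    reply_to: str = ""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _contains_any(text: str, terms) -> bool:
    text = text.lower()
    return any(t in text for t in terms)


def score_bec(msg: Email):
    """Return (score, flags) listing the BEC red flags present in one message."""
    flags = []
    text = f"{msg.subject}\n{msg.body}"
    sender_domain = _domain(msg.from_addr)
    external = sender_domain != INTERNAL_DOMAIN

    if _contains_any(text, URGENCY):
        flags.append("urgency")
    if _contains_any(text, PAYMENT):
        flags.append("payment_request")
    if _contains_any(text, BANK_CHANGE):
        flags.append("bank_detail_change")
    # An executive's name in the display name, but the mail originates outside the org.
    if external and any(name in msg.from_display.lower() for name in EXECUTIVES):
        flags.append("executive_impersonation")
    # Replies are steered to a different domain than the visible sender (added heuristic).
    if msg.reply_to and _domain(msg.reply_to) != sender_domain:
        flags.append("reply_to_mismatch")

    return sum(WEIGHTS[f] for f in flags), flags


def needs_out_of_band_verification(flags) -> bool:
    """Policy hook mirroring the article's advice: any bank-detail change, or a
    payment request carrying an impersonation/urgency marker, must be confirmed
    via a known phone number, never by replying to the email."""
    fs = set(flags)
    if "bank_detail_change" in fs:
        return True
    return "payment_request" in fs and bool(fs & {"executive_impersonation", "reply_to_mismatch", "urgency"})


# Constructed sample messages (not real emails).
SAMPLES = [
    Email("Jane Doe", "jane.doe.ceo@gmail.example", "Urgent wire transfer",
          "I need you to process a wire transfer today. Keep this confidential.",
          reply_to="ceo.jane.doe@mail.example"),
    Email("Acme Supplies Billing", "billing@acme-supplies-invoices.example",
          "Updated banking details for invoice 1042",
          "Please use our new bank routing number for all future payments.",
          reply_to="ap@acme-supplies-invoices.example"),
    Email("Bob Jones", "bob.jones@example.com", "Lunch", "Want to grab lunch tomorrow?"),
]


def triage(samples):
    """Score each sample and decide whether it must be verified out of band."""
    results = []
    for msg in samples:
        score, flags = score_bec(msg)
        results.append((msg.subject, score, flags, needs_out_of_band_verification(flags)))
    return results


if __name__ == "__main__":
    for subject, score, flags, verify in triage(SAMPLES):
        print(f"{score:>2} {'VERIFY' if verify else 'ok    '} {subject!r} {flags}")
```

The point of the policy function is that it is not a spam filter: a legitimate vendor changing its routing number still trips `needs_out_of_band_verification`, because the article's mitigation is to confirm every such change through a channel the email did not supply, regardless of how suspicious the message looks.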
September 19, 2023
By IANS Faculty