Page 69 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
What is Business Email Compromise?
A Guide to CEO Fraud
By Shanna Utgard, Senior Cyber Advocate, Defendify
"URGENT - Are you available? I need you to take care of a pending invoice from one of our contractors.
I'm in a meeting and can't talk, but we have to handle it ASAP."
You may have received a message like this or know someone who has. This is an example of a specific
type of spear-phishing attack known as Business Email Compromise (BEC) that targets individuals with
access to sensitive or financial data.
Cyber attackers use evolved social engineering techniques to take advantage of human interactions to
manipulate employees into breaking standard security procedures or ignoring best practices. Even with
traditional cybersecurity measures in place, these cybercriminals can gain unauthorized access to an
organization's systems, networks, and information through its employees, often without their knowledge.
How Cyber Criminals Leverage Research and Social Engineering
The FBI defines BEC as a "sophisticated scam targeting businesses working with foreign suppliers
and/or businesses that regularly perform wire transfer payments." The message above is an example of a CEO
impersonation scam, a growing type of BEC attack that attempts to trick employees into thinking a high-ranking
official at their company needs them to send money – and fast.
Also called CEO fraud, this tactic relies on a sense of urgency and authority while playing off employees'
desire to be helpful and do a good job. According to the FBI Internet Crime Complaint Center's (IC3) 2021
Internet Crime Report, BEC schemes were the costliest type of attack, with an adjusted loss of
approximately $2.4 billion last year.