
Business Email Compromise in the Real World

Yes, another “jargon” word – BEC, or Business Email Compromise, is a cyberattack where bad actors (hackers) pretend to be legitimate people with legitimate business email addresses – YOUR business email address, perhaps. The bad guys could be sending real emails from your real email account without your knowledge, or they may have set up an email account that impersonates your email address. Either way, they’re using YOUR powers and reputation for THEIR gain.

Does BEC really happen that often?

With an average cost to businesses of $5.01 million per breach, it’s no surprise that the FBI has named Business Email Compromise (BEC) a “$26 billion scam,” and the threat is only increasing. Simply put, Business Email Compromise (BEC) attacks use real or impersonated business email accounts to defraud employees. In 2021, BEC scammers made over $1.8 billion – far more than via any other type of cybercrime.


The victim of a BEC attack receives an email that appears to come from a trusted business associate or business partner. The email looks and feels genuine. But it typically contains a phishing link, a malicious attachment, or a request to transfer money to the attacker.

Imagine this scenario at your business. The CEO walks in (you?) and the CFO says “Hey, I got that transfer done yesterday you asked for.” You look puzzled. “What transfer?” The CFO responds, “For the business you said we are acquiring. You sent me an email yesterday asking me to transfer $25,000 as the down payment. I did that and got it done before close of business yesterday.” You gulp. You gulp again. “I didn’t send any email.”

You’ve just experienced a cyberattack – and, in this example, it cost you $25,000. Maybe your cyber insurance will cover it. Maybe not. (See our post on cyber insurance for more information on what can influence what gets covered.)
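A defender-side check of the kind the scenario above calls for, written for this post as an added example (not code from the original article): it parses one message and flags the signals that characterise a CEO-to-CFO wire request from a spoofed or lookalike address. The company domain, the executive roster and the sample message are constructed assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company and executive list (constructed for this example).
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Phrases that typically accompany a fraudulent payment request.
WIRE_WORDS = re.compile(r"\b(wire|transfer|down payment|invoice|urgent)\b", re.I)

def lookalike_domain(domain: str, trusted: str) -> bool:
    """True when domain is not the trusted one but closely resembles it."""
    if domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85

def bec_indicators(raw: str) -> list:
    """Return the BEC warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    # Executive's display name paired with an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' but sender is {addr}")
    if lookalike_domain(domain, TRUSTED_DOMAIN):
        findings.append(f"lookalike sender domain {domain}")
    # Replies silently redirected to an address the attacker controls.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From")
    body = msg.get_payload(decode=True) or b""
    if WIRE_WORDS.search(body.decode(errors="replace")):
        findings.append("payment or wire-transfer language in body")
    return findings

# Constructed sample mirroring the CEO-to-CFO scenario above.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: cfo@example.com
Subject: Acquisition down payment

Please wire the $25,000 down payment today before close of business.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

Any non-empty result is a reason to confirm the request out of band (a phone call to the known number) before money moves.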

Every day – to businesses of all sizes

Let’s look at the biggest known BEC scam of all time: a VEC attack against tech giants Facebook and Google that resulted in around $121 million in collective losses. The scam took place between 2013 and 2015 — and the man at the center of this BEC attack, Evaldas Rimasauskas, was sentenced to five years in prison in 2019.

So how did some of the world’s most tech-savvy employees fall for this elaborate hoax? Rimasauskas and his associates set up a fake company named “Quanta Computer” — the same name as a real hardware supplier. The group then presented Facebook and Google with convincing-looking invoices, which, yes, Facebook and Google duly paid – to bank accounts controlled by Rimasauskas.


As well as fake invoices, the scammers prepared counterfeit lawyers’ letters and contracts to ensure their banks accepted the transfers. The Rimasauskas scam stands as a lesson to all organizations. If two of the world’s biggest tech companies lost millions to BEC over a two-year period — it could happen to any business.

But that’s a BIG business and no one would look to my small business, right?

Wrong! I’ve seen too many organizations lose $40 to $150k in one single BEC scam.

Recently, a 30-person general contractor firm was taken for $150,000. They realized it was a fraudulent transaction within an hour of initiating the wire and contacted their bank. The bank attempted to retrieve the funds, but they had already been moved overseas and they could not get them back. The company was out the $150,000.

But, no worries, they had cyber insurance! Yes! Not so fast. Their insurance policy had a “human error” clause that limited the coverage liability to 10%. This one incident ended up costing a small business $135,000 in cash! This is a life-changing loss for any small to mid-sized business.

Scammers don’t care how big or small you are

So, while the dollar amounts might be larger with big business, the scammers don’t care! They will take whatever they can from anyone not being vigilant. Quite frankly, the number of small businesses far exceeds the number of giant businesses, as you know, and small businesses are likely to be LESS vigilant – so it’s a target-rich environment. It’s up to you to do what it takes to avoid being a target.