Did Your Boss Send that Email?

Solving IT Challenges in Non Profit Sectors and How

According to studies performed by the Anti-Phishing Working Group, business email compromise (BEC) scams are increasingly prevalent. BEC is a tactic in which cybercriminals impersonate a figure of authority in the company, such as the CEO, and request an action item or information; complying can result in leaked sensitive information or financial loss. The average loss from a successful BEC attack totaled $75,000 as of 2020.

A common BEC attack scenario is an email appearing to be sent by a senior executive to his/her administrative assistant requesting the purchase of high-dollar gift cards using a company credit card. Another example is an HR representative receiving an email from an impostor claiming to be the CEO and requesting employees’ social security numbers. An even more alarming version of a BEC attack is when cybercriminals gain access to an organization’s email domain and send emails to clients or vendors from it. If this happens, it can result in reputational damage and loss of customers.

In 2019, Toyota Boshoku Corporation became one of the most high-profile BEC attack victims. The attacker impersonated a legitimate vendor and demanded immediate payment, warning that production would otherwise be disrupted. The trick was successful: $37,000,000 was transferred to the criminals. There are numerous instances of this type of social engineering scam working on businesses of all sizes.

If you are a victim of a BEC scam, the FBI suggests taking these steps: 

  • Contact the originating bank and request a wire recall
  • Immediately file a complaint with www.ic3.gov
  • Save all messages and evidence associated with the incident

First steps to prevent a BEC attack:

  • Enlist your IT department to flag emails coming from outside of your organization.
  • Always verify sensitive requests with a phone call.
  • Provide training to all members of your staff.
    • Educate staff on historical tactics and how to recognize cybercriminals’ social engineering scams.
    • Send simulated phishing emails so you can identify who is most vulnerable and in need of further training.
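The first prevention step above, having IT flag mail that originates outside the organization, is straightforward to implement at the mail gateway. The example below is added here to illustrate it and is not code from the article's author: it parses a raw message, tags the subject when the sender's domain is not one of the organization's own, and adds a second tag when an external sender's display name matches a protected executive (the "CEO asks for gift cards" pattern described above). It goes one step beyond the article by also noting a Reply-To domain that differs from the From domain, a common sign that replies are being diverted. `INTERNAL_DOMAINS`, `EXECUTIVES` and both sample messages are constructed assumptions for the example.

```python
# Added example (not from the article): a minimal inbound-mail check that
# tags messages from outside the organization and flags external senders
# whose display name matches a protected executive.  INTERNAL_DOMAINS,
# EXECUTIVES and the sample messages below are constructed assumptions.
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.org"}       # assumption: the org's own domains
EXECUTIVES = {"Jane Doe"}                # assumption: names worth protecting
EXTERNAL_TAG = "[EXTERNAL] "
IMPERSONATION_TAG = "[POSSIBLE EXEC IMPERSONATION] "


def _norm_tokens(text: str) -> set:
    """Lower-case, keep letters only, return the word set ("Doe, Jane" -> {"doe", "jane"})."""
    return set(re.sub(r"[^a-z]+", " ", text.lower()).split())


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rpartition("@")[2].lower()


def is_external(domain: str) -> bool:
    """Exact match only: a lookalike domain (exarnple.org) or an empty/unparseable
    sender is treated as external."""
    return domain not in INTERNAL_DOMAINS


def impersonates_executive(display_name: str, domain: str) -> bool:
    """External sender whose display name contains every word of a protected
    executive's name, in any order ("Doe, Jane" and "Jane Doe CEO" both match)."""
    if not is_external(domain):
        return False
    shown = _norm_tokens(display_name)
    return any(_norm_tokens(exec_name) <= shown for exec_name in EXECUTIVES)


def classify(raw_message: str) -> dict:
    """Evaluate one RFC 5322 message and return the decision plus the tagged subject."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    reply_to_mismatch = bool(reply_to) and _domain(reply_to) != from_domain

    external = is_external(from_domain)
    impersonation = impersonates_executive(name, from_domain)

    tags = ""
    if impersonation:
        tags += IMPERSONATION_TAG
    if external:
        tags += EXTERNAL_TAG
    return {
        "from_domain": from_domain,
        "external": external,
        "impersonation": impersonation,
        "reply_to_mismatch": reply_to_mismatch,
        "tagged_subject": tags + str(msg.get("Subject", "")),
    }


# Constructed sample messages (not real mail).
INTERNAL_MSG = (
    "From: Jane Doe <jane.doe@example.org>\n"
    "To: assistant@example.org\n"
    "Subject: Board agenda\n"
    "\n(body omitted)\n"
)
SPOOF_MSG = (
    'From: "Doe, Jane" <j.doe.office@webmail.example>\n'
    "Reply-To: finance-desk@another.example\n"
    "To: assistant@example.org\n"
    "Subject: Quick favor\n"
    "\n(body omitted)\n"
)

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_MSG), ("spoof", SPOOF_MSG)):
        print(label, classify(raw))
```

In a real deployment the tag is written into the subject or a header by the gateway (a transport rule or milter), and the impersonation and Reply-To signals would feed a quarantine or a banner rather than just a prefix; the point of the example is the decision logic, which stays the same wherever it runs.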