Tech Insight : What Are ‘BEC Campaigns’?

Written by Pronetic

Pronetic is a leading provider of core IT support for ISO 27001, Cyber Essentials and Cyber Essentials Plus compliance.

October 12, 2022

In this insight, we look at what BEC campaigns are, their characteristics, together with what businesses can do to protect themselves from the threat of BEC campaigns. 

What Is A BEC Campaign? 

A business email compromise (BEC) campaign is a text-based, impersonation-driven social engineering scam in which, in most cases, the victim is forwarded an email thread that appears to originate from their boss. The email is given legitimacy by appearing to be part of a thread with a partner company, a customer, or an organisation in the supply chain, so that the target will recognise it. The email instructs the victim, e.g. someone in the finance department of the business, to transfer funds (wire transfer / BACS payment) into an account which is actually controlled by the scammers.

Types 

In the US, for example, the FBI has defined 5 main types of BEC campaign, which are: 

– CEO Fraud: The attackers impersonate the CEO or an executive at the company and target an individual in the finance department. 

– Account Compromise: This is where an employee’s email account is hacked/compromised and used to request payments. 

– False Invoice Scheme: Mostly targeting foreign suppliers, this method sees the scammer impersonating a supplier to request fund transfers to fraudulent accounts. 

– Attorney (Lawyer) Impersonation: As the name suggests, the attacker impersonates a lawyer or legal representative, targeting, for example, lower-level employees because they may be less likely to question the validity of the request.

– Data Theft: Targeting HR employees, the motive is to obtain personal or sensitive information about company personnel, e.g. CEOs and executives, that can be used as part of future attacks (such as CEO Fraud).

Sometimes Uses Domain Spoofing 

BEC campaigns also sometimes use domain spoofing and lookalike domains to trick the targeted employees. 

EAC Often Related To BEC 

It is often the case that email account compromise (EAC) enables the BEC, i.e. gaining control of a legitimate company email account makes it possible to launch convincing BEC campaigns. 

Difficult To Detect 

One reason BEC campaigns are so difficult to detect with tools such as antivirus is that they often contain no obvious red flags such as malicious links or attachments.

How To Guard Against BEC Campaigns 

Some ways that businesses can defend themselves against the threat of BEC campaigns include: 

– Briefing and training staff about the nature of the threat and the different types of well-known BEC campaigns. For example, staff should be informed of the indicators of a possible BEC campaign, e.g. high-level company executives asking for unusual information, being asked not to communicate with others about requests, any requests that would bypass the usual channels, spelling and grammar inaccuracies in the emails, and email domains and “Reply To” addresses that don’t match the sender’s address.

– Ensuring that company email security is robust, and that staff are aware of how to avoid risky behaviour with emails, e.g. clicking on unusual links, downloading attachments, or password sharing.

– Encouraging employees to trust their instincts and letting them know that, if they have the slightest doubt, it’s OK to seek help and advice. Attackers often rely on targeting victims at busy times of the day and making requests sound very urgent, so employees need to know that stopping to check and slowing things down is a good idea.

– Having a clear, blanket procedure in place for any such request that requires verification from designated managers who are well-informed about this type of fraud and have the confidence and authority to check and challenge.
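As an added example (not from the article, and not Pronetic’s own tooling), the following Python script applies three of the indicators described above to a raw email: a “Reply-To” or Return-Path domain that differs from the From domain, a lookalike of a trusted domain (the domain spoofing mentioned earlier), and urgency or secrecy wording in the subject or body. The trusted-domain list, the phrase list and the two sample messages are all constructed for this example and are not real organisations or real mail.

```python
"""Header-based BEC triage: flags the indicators the article lists
(Reply-To not matching From, lookalike domains, urgency/secrecy wording).
Added example; all domains, phrases and messages below are constructed."""
import email
from email import policy
from email.utils import parseaddr

# Domains this organisation and its known partners legitimately send from.
# Assumed values for the example, not from the article.
TRUSTED_DOMAINS = {"example.com", "partner-example.org"}

# Phrases the article associates with BEC requests: urgency, secrecy and
# payment instructions. Matched case-insensitively as substrings.
PRESSURE_PHRASES = ("urgent", "immediately", "confidential",
                    "do not discuss", "wire transfer", "bacs")

# Deliberately crude homoglyph folding so "examp1e.com" and "exarnple.com"
# compare equal to "example.com". Used only for comparison, never display.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_domain(domain: str) -> str:
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None."""
    domain = domain.lower()
    if not domain or domain in trusted:
        return None
    norm = normalize_domain(domain)
    for t in trusted:
        if edit_distance(norm, normalize_domain(t)) <= 1:
            return t
    return None


def address_domain(header_value) -> str:
    """Extract the lower-cased domain from a header such as 'Name <a@b>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw: bytes, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    return_dom = address_domain(msg.get("Return-Path"))

    # Indicator 1: replies routed somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"return-path domain {return_dom} differs from from domain {from_dom}")

    # Indicator 2: any sender-side domain that imitates a trusted one.
    for dom in sorted({from_dom, reply_dom, return_dom} - {""}):
        target = lookalike_of(dom, trusted)
        if target:
            findings.append(f"lookalike domain {dom} resembles trusted {target}")

    # Indicator 3: urgency, secrecy or payment wording in subject/body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages: one ordinary internal mail, one showing the
# indicators above (spoofed From, lookalike Reply-To, urgent secret payment).
LEGIT_MSG = b"""From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 figures

The Q3 figures are in the shared folder.
"""

SUSPECT_MSG = b"""From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent: wire transfer needed

Please process this wire transfer immediately and keep it confidential.
Do not discuss it with anyone else.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("suspect", SUSPECT_MSG)):
        print(name, analyze(raw) or ["no indicators"])
```

This is a triage aid, not a verdict: a hit should route the message to the verification procedure described above rather than block it outright, and the homoglyph folding is intentionally simple, so it will both miss some lookalikes and occasionally flag a legitimately similar domain. In practice the same checks would sit in a mail gateway alongside SPF/DKIM/DMARC results, which the article does not cover.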

What Does This Mean For Your Business? 

Since this type of campaign is difficult to spot with automated solutions (e.g. antivirus) and relies on human error to work, a human-centred approach to protection is a wise move for businesses: employee training, together with clear, blanket policies for this type of question, request or instruction that prevent any circumvention. As with all social engineering, the criminals use methods designed to suspend normal judgement and force an emotional reaction before reasoned, critical decision-making can happen. Really knowing the signs (through training), slowing things down, feeling supported by managers, not being afraid to ask others, and sticking to the policy are ways in which staff can be empowered to defend the company’s security against the threat of BEC campaigns.
