<p>Mike is just like any other eager new employee when he receives an urgent email from his boss. In the email, she explains that she’s at dinner with an important client and forgot her corporate credit card. She needs to pay for the meal now, without delay. She instructs Mike to send her his company-issued credit card information and explains that she’ll approve the expense the next day.</p>
<p>While a message like this might raise a red flag, the email certainly seems to be from his supervisor and, after all, Mike wants to show that he’s a team player.</p>
<p>This scenario demonstrates why business email compromise, or <a href="https://www.techtarget.com/whatis/definition/business-email-compromise-BEC-man-in-the-email-attack">BEC</a>, is such a serious threat. The tactic is nefarious because it prompts action by exploiting urgency and the psychology of workplace hierarchy. More complex than traditional <a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users">phishing campaigns</a>, BEC attacks are highly targeted and difficult to detect. These threats exploit the core vehicle for modern business communication and corporate trust: email.</p>
<p>A thorn in the side of SecOps teams for years, BEC attacks are growing increasingly common as they prove to be lucrative schemes for both independent and <a href="https://www.techtarget.com/searchsecurity/feature/What-executives-must-know-about-nation-state-threat-actors">state-sponsored cybercriminals</a>. With education, vigilance and the right security measures, however, BEC is a highly preventable type of cyberattack.</p>
<section class="section main-article-chapter" data-menu-title="What is business email compromise?">
<h2 class="section-title"><i class="icon" data-icon="1"></i>What is business email compromise?</h2>
<p>BEC is a coordinated cyberattack that specifically targets organizations by exploiting email communications to employees through impersonation and social engineering. The objective of BEC is to trick employees into transferring money, sharing confidential information or permitting system access to cybercriminals. Unlike more generalized phishing schemes, BEC relies on psychology and workplace norms to deceive the email recipients.</p>
<p>At its core, BEC involves attackers impersonating company executives, authority figures, colleagues and business stakeholders within the organization, and communicating through company email access or by spoofing legitimate business email accounts. The sender requests wire transfers, payroll changes, payment arrangements, passwords or other confidential data. BEC is effective because the messages are unexpected, appeal to our professionalism, and carry the added weight of urgency and legitimacy.</p>
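<p>The traits described above (an impersonated executive, a spoofed or look-alike sending account, urgency, and a request for payment data or credentials) can be turned into a simple triage check. The following is an added example, not code from the original article; the company domain, executive name, keyword lists and sample message are constructed, and it assumes the receiving mail gateway stamps an Authentication-Results header.</p>

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): company domain, executive directory
# and keyword lists are hypothetical values constructed for this example.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes"}
URGENCY = re.compile(r"\b(urgent|right now|immediately|without delay|asap)\b", re.I)
REQUEST = re.compile(r"\b(wire transfer|credit card|payroll|password|invoice)\b", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def bec_indicators(raw_message):
    """Return the list of BEC warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name = parseaddr(msg.get("From", ""))[0]
    from_domain = domain_of(msg.get("From"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    found = []
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        found.append("executive display name on an external address")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        found.append("Reply-To domain differs from From domain")
    auth = msg.get("Authentication-Results", "").lower()
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", auth):
        found.append("sender authentication failed")
    if URGENCY.search(text) and REQUEST.search(text):
        found.append("urgent request for payment data or credentials")
    return found

# Constructed sample modelled on the scenario at the top of the article.
SAMPLE = """\
From: "Dana Reyes" <dana.reyes@examp1e-mail.test>
Reply-To: dana.reyes.office@freemail.test
To: mike@example.com
Subject: Urgent - need your card details
Authentication-Results: mx.example.com; spf=softfail; dmarc=fail

I'm at dinner with a client and forgot my corporate credit card.
Send me your card number right now, I'll approve the expense tomorrow.
"""
if __name__ == "__main__":
    print("\n".join(bec_indicators(SAMPLE)))
```

<p>A message that trips several of these checks at once is a candidate for quarantine or out-of-band verification with the supposed sender; a single hit, such as an urgent tone alone, is common in legitimate mail.</p>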
</section>
<section class="section main-article-chapter" data-menu-title="BEC attack threat severity">
<h2 class="section-title"><i class="icon" data-icon="1"></i>BEC attack threat severity</h2>
<p>Most organizations consider BEC a high-severity <a href="https://www.techtarget.com/searchsecurity/feature/10-types-of-security-incidents-and-how-to-handle-them">security threat</a> due to its complexity, difficulty in detection and potential for financial loss. The FBI’s “Internet Crime Report 2024” <a target="_blank" href="https://www.ic3.gov/AnnualReport/Reports/" rel="noopener">recorded</a> more than 21,000 BEC incidents, resulting in almost $2.8 billion in losses.</p>
<p>Tasked with responding to BEC incidents and assessing business impact, security teams must align internal severity levels with the potential financial and operational implications of a successful attack. Although BEC incidents sit at high- to critical-severity levels, lower-level exploits can also pose a significant risk to the organization. The following chart highlights BEC attack scenarios and their effect on the organization.</p>
<p><iframe title="" aria-label="Table" id="datawrapper-chart-wiplt" src="https://datawrapper.dwcdn.net/wiplt/1/" scrolling="no" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="556" data-external="1"></iframe></p>
</section>
<section class="section main-article-chapter" data-menu-title="How BEC attacks operate">
<h2 class="section-title"><i class="icon" data-icon="1">
[…]