
In a BEC attack, a cybercriminal (or cybercriminal gang) sends employees of the target organization emails that appear to be from a fellow employee, or from a vendor, partner, customer or other associate. The emails are written to trick the employees into paying fraudulent invoices, making wire transfers to bogus bank accounts, or divulging sensitive information such as customer data, intellectual property or corporate financials. In rarer cases, BEC scammers may try to spread ransomware or malware by asking victims to open an attachment or click a malicious link.

To make their emails appear legitimate, BEC attackers carefully research the employees they target and the identities they impersonate. They use social engineering techniques, such as email address spoofing and pretexting, to craft attack emails that look and read as if they were sent by the impersonated sender. In some cases, scammers actually hack into and hijack the sender’s email account, making the attack emails even more believable, if not virtually indistinguishable from legitimate email messages.

Business email compromise attacks are some of the costliest cyberattacks. According to the IBM Cost of a Data Breach 2022 report, BEC scams are the second most expensive type of breach, costing an average of USD 4.89 million. According to the FBI Internet Crime Complaint Center’s Internet Crime Report (PDF, link resides outside ibm.com), BEC scams cost US victims a total of USD 2.7 billion in 2022.

Cybersecurity experts and the FBI identify six main types of BEC attacks.

In a fake invoice scam, the BEC attacker pretends to be a vendor the company works with, and sends the target employee an email with a fake invoice attached; when the company pays the invoice, the money goes straight to the attacker. To make these attacks convincing, the attacker may intercept actual vendor invoices and modify them to direct payments to their own bank accounts. Notably, courts have ruled (link resides outside ibm.com) that companies that fall for fake invoices are still on the hook for their real counterparts. One of the biggest fake invoice scams was carried out against Facebook and Google. From 2013 through 2015, a scammer posed as Quanta Computer, a real hardware manufacturer both companies work with, and stole USD 98 million from Facebook and USD 23 million from Google. While the scammer was caught and both companies recovered most of their money, this outcome is rare for BEC scams.

In CEO fraud, scammers pretend to be an executive, usually a CEO, and ask an employee to wire money somewhere, often under the guise of closing a deal, paying an overdue invoice, or even purchasing gift cards for fellow employees. CEO fraud schemes frequently create a sense of urgency, so the target acts quickly and rashly (e.g., “This invoice is overdue, and we’re going to lose service if we don’t pay it immediately”), or secrecy, so the target won’t consult coworkers (e.g., “This deal is confidential, so don’t tell anyone about it”). In 2016, a scammer posing as the CEO of the aerospace manufacturer FACC used a fake acquisition to trick an employee into transferring USD 47 million (link resides outside ibm.com). As a result of the scam, the company’s board fired both the CFO and the CEO for “violating” their duties.

In email account compromise (EAC), scammers take over a non-executive employee’s email account. They may use it to send fake invoices to other companies or trick other employees into sharing confidential information. Scammers often use EAC to phish the credentials of higher-level accounts they can use for CEO fraud.
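As an added example (not code from the IBM page), the following Python script shows how the indicators described above can be checked on an inbound message: an executive's display name on a sender outside the company domain, a lookalike sender domain, a Reply-To header that diverts replies to a different domain, a failed SPF/DKIM/DMARC result, and the urgency, secrecy and payment wording that CEO fraud relies on. The internal domain, the executive names and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed values for the example: the organization's own mail domain and
# the display names of executives that impersonation attempts tend to borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Wording cues from the text: urgency, secrecy and payment redirection.
URGENCY_RE = re.compile(r"\b(urgent|immediately|asap|right away|overdue|today)\b", re.I)
SECRECY_RE = re.compile(r"\b(confidential|don't tell|do not tell|keep this between us|discreet)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire transfer|gift cards?|bank (account|details)|new account number|invoice)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a  # a is now the shorter string
    i = j = 0
    skipped = False
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True  # skip the one extra character in b
            j += 1
    return True


def analyze(raw_message):
    """Return a list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    content = f"{msg.get('Subject', '')}\n{text}"

    findings = []
    # Display-name spoofing: an executive's name on a sender outside our domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append("executive display name on external sender")
    # Lookalike domain one character away from the real one (e.g. examp1e.com).
    if from_dom and _within_one_edit(from_dom, INTERNAL_DOMAIN):
        findings.append(f"lookalike sender domain {from_dom}")
    # Reply-To pointing somewhere other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Authentication-Results written by our own inbound gateway.
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", msg.get("Authentication-Results", ""), re.I):
        findings.append("sender authentication failed")
    # Content cues.
    if URGENCY_RE.search(content):
        findings.append("urgency wording")
    if SECRECY_RE.search(content):
        findings.append("secrecy wording")
    if PAYMENT_RE.search(content):
        findings.append("payment or bank-change request")
    return findings


def is_suspicious(raw_message, threshold=3):
    """Flag a message once it accumulates `threshold` or more indicators."""
    return len(analyze(raw_message)) >= threshold


# Constructed sample messages (not real traffic).
SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.office@mail-example.net>
To: bob@example.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Bob, I'm closing a confidential acquisition and need a wire transfer
sent immediately. Don't tell anyone on the team until it's done.
"""

SAMPLE_LEGIT = """\
From: Alice Lee <alice.lee@example.com>
To: bob@example.com
Subject: Lunch on Friday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Are you free for lunch on Friday? The usual place.
"""

if __name__ == "__main__":
    for name, sample in (("ceo-fraud", SAMPLE_CEO_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(sample), analyze(sample))
```

The header checks catch spoofed and lookalike senders, but they do nothing for the hijacked-account case the text mentions: a message sent from a genuinely compromised mailbox passes SPF, DKIM and DMARC and comes from the real domain, so only the content cues and an out-of-band confirmation of any payment or bank-detail change remain as controls there.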
