This is the second in a series of articles in which I take you through the different types of online scams out there these days. You can read Part 1, on Online Survey Scams, if you missed it.
One of the most common cybersecurity threats to businesses is the business email compromise (BEC) scam. The attacker's goal is to convince the victim that an email comes from someone they trust, typically a colleague or a superior in their own company, and then get them to send over money or sensitive information.
The scammer usually writes as, or on behalf of, another person and asks for something confidential: wire transfer instructions, payroll information, or other personally identifiable information. The request carries a sense of urgency so that the recipient acts immediately, before it occurs to them to verify it.
What do BEC scams look like?
BEC scams are typically sent via email, and they usually ask for a money transfer or for personal information. The request might appear to come from a company executive, a reputable vendor, or an individual the recipient knows. To make it seem urgent and legitimate, the scammer words the email in a formal tone and signs it with the name of the person of authority they are impersonating.
Some examples of such mails include:
- CEO Fraud: The finance team receives an email, seemingly from the CEO, asking them to transfer money to an account within the hour for some urgent payment.
- Fake Invoice Scam: The purchasing manager receives an email from a supposedly trusted supplier asking her to pay an invoice to a new bank account.
- Data Theft: HR or a business unit head receives an email from a person of authority in the company asking for personal or sensitive information about employees.
- System Compromise: Emails from fake vendors or employees often carry attachments infected with malware or trojans; once opened, they infect the system and steal information in preparation for a larger attack.
Spotting and identifying these attacks
These scams and attacks are hard to spot. A typical BEC scam relies on a couple of tricks, such as domain spoofing and lookalike domains, so look carefully at the sender's email address, and especially at the domain part after the @.
Check whether the domain the email was sent from is actually your company's domain.
I had one instance in the past where someone impersonating my colleague sent me an email from a lookalike domain with a typo in the name. So instead of companyname.com, the email originated from compnyname.com. Notice the missing 'a'? Anyone would have missed that without a second glance. That and the fact that this colleague asking for the information was seated right next to me mitigated any further action on my part.
Long Email Addresses Hiding The Domain
Some scammers send emails from very long sender addresses. Most mobile mail clients truncate long addresses, so the part that matters, the domain after the @, is exactly the part that gets cut off.
One notable example I received recently was from firstname.lastname@example.org. If I had glanced at this casually in a mobile email app, I would have missed the fact that this came from a gmail address.
Actual Email ID but Spoofed Reply-To
The sneaky part of this trick is a header called Reply-To. A Reply-To header tells your mail client to send replies not to the address in the From header but to an alternate one. A more advanced version has the attacker put the genuine address in the visible From header (or even in the SMTP envelope), so the email looks like the real deal, while Reply-To quietly points at a mailbox the attacker controls. This kind of From spoofing is much harder to pull off against a domain that publishes SPF and DKIM with a DMARC policy of reject, which is a good reason to make sure your own domain does.
So when you hit reply, look at the address that appears in the To: box of your compose window and confirm that it is the same as your intended recipient's.
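As an added example (not part of the original article), here is a small Python script that applies the checks from the last two sections to a raw email: it flags a From domain within a couple of edits of your own domain, a display name written to look like an address at a different domain, a punycode (internationalised) domain, and a Reply-To or Return-Path that does not match the From domain. The domain companyname.com and the four sample messages are constructed for illustration.

```python
"""Triage the headers of a raw email for the BEC tricks described above:
lookalike domains, display names that pose as another address, and a
Reply-To (or envelope sender) that differs from the visible From address.
Added example; companyname.com and the sample messages are constructed."""
import email
from email.utils import getaddresses

OWN_DOMAIN = "companyname.com"  # assumed: the domain your colleagues really mail from


def edit_distance(a, b):
    """Levenshtein distance between two strings (compnyname.com vs companyname.com is 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased part after the last @."""
    return addr.rpartition("@")[2].lower()


def mailboxes(msg, header):
    """(display name, address) pairs for every mailbox in the named header."""
    return [(name, addr) for name, addr in getaddresses(msg.get_all(header, [])) if "@" in addr]


def analyze(raw_message):
    """Return a list of 'code: detail' findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message)
    findings = []
    froms = mailboxes(msg, "From")
    from_domains = {domain_of(addr) for _, addr in froms}

    for name, addr in froms:
        dom = domain_of(addr)
        # Lookalike: a domain a character or two away from the real one.
        if dom != OWN_DOMAIN and edit_distance(dom, OWN_DOMAIN) <= 2:
            findings.append(f"lookalike-domain: {dom} resembles {OWN_DOMAIN}")
        # Display name written to look like an address at some other domain,
        # so a truncated mobile view shows the fake address and hides the real one.
        if "@" in name and domain_of(name) != dom:
            findings.append(f"display-name-impersonation: '{name}' is really {addr}")
        # Internationalised domains arrive punycode-encoded; homoglyph lookalikes live here.
        if "xn--" in dom:
            findings.append(f"punycode-domain: {dom}")

    # Replies silently redirected to a different domain than the apparent sender.
    reply_domains = {domain_of(addr) for _, addr in mailboxes(msg, "Reply-To")}
    if reply_domains and reply_domains != from_domains:
        findings.append(f"reply-to-mismatch: replies go to {', '.join(sorted(reply_domains))}")

    # Return-Path is stamped by your own mail server from the SMTP envelope sender;
    # when it disagrees with From, the From header was most likely spoofed.
    return_domains = {domain_of(addr) for _, addr in mailboxes(msg, "Return-Path")}
    if return_domains and return_domains != from_domains:
        findings.append(f"envelope-mismatch: envelope sender at {', '.join(sorted(return_domains))}")
    return findings


# Constructed sample messages (headers plus a one-line body).
LOOKALIKE = (
    "From: Colleague <colleague@compnyname.com>\n"
    "To: you@companyname.com\n"
    "Subject: Need the payroll file\n\n"
    "Can you send me the payroll sheet before noon?\n"
)
REPLY_TO_TRICK = (
    "From: CEO <ceo@companyname.com>\n"
    "Reply-To: <ceo.companyname@gmail.com>\n"
    "To: finance@companyname.com\n"
    "Subject: Urgent wire\n\n"
    "Please process the attached transfer within the hour.\n"
)
DISPLAY_NAME_TRICK = (
    'From: "firstname.lastname@companyname.com" <x7q2m@gmail.com>\n'
    "To: you@companyname.com\n"
    "Subject: Quick favour\n\n"
    "Are you at your desk?\n"
)
CLEAN = (
    "From: Colleague <colleague@companyname.com>\n"
    "Return-Path: <colleague@companyname.com>\n"
    "To: you@companyname.com\n"
    "Subject: Lunch?\n\n"
    "Lunch at 1?\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("reply-to", REPLY_TO_TRICK),
                       ("display name", DISPLAY_NAME_TRICK), ("clean", CLEAN)]:
        print(f"{label}: {analyze(raw) or ['no findings']}")
```

Feed it the raw source of a message ("Show original" or "View source" in most mail clients) rather than the rendered view, because the rendered view is exactly what hides Reply-To and Return-Path. The edit-distance threshold of 2 is a starting point; tighten it if your domain is short enough that unrelated domains start matching.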
To avoid becoming a victim of such attacks, always take the time to double-check everything.
- Don't be hasty, no matter how urgently the attacker wants you to act. Take your time to verify the sender's request before you send out money or sensitive information. Call them to confirm if you can, using a number you already have rather than one given in the email; this will save a lot of heartburn later.
- Handle unknown attachments safely. Never open attachments from unknown senders; that is a sure way to get your system infected and compromised. Make sure the antivirus on your laptop or desktop is up to date, too.
- Don't ever click those links! As with attachments, don't click on links from unknown senders, no matter how enticing they look. 91% of cyberattacks reportedly start with someone clicking through to a rogue site. If a link leads to a login page, never enter your credentials there; it could be a fake site set up to steal them. Always type the service's login URL yourself (or use a bookmark) before entering your username and password.
What to do if you are a victim?
If you fall for one of these scams, don't hide it; alert the people who can take action. Take a few minutes to write down what happened while it is fresh in your mind. Some details get fuzzy later, and the notes will help you refresh your memory when needed.
Change your credentials
Suppose you clicked a link and entered your credentials on a phishing site set up by the attacker. Change the password on your real account immediately, and on any other account where you reused it.
Inform your Company
If this is a company matter, immediately inform management and the IT team. The IT team can help assess the damage and warn others so that they don't fall for the same scam.
Inform your Bank
If you inadvertently made a financial transaction, such as a bank transfer to the attacker's account, inform your bank immediately and give them all the details of what happened. They may be able to recall or freeze the transfer, and the sooner they know, the better the chances.
Inform the Authorities
If sensitive information such as personal details has leaked, or you have suffered a financial loss, your company should report it to the police and the cybercrime authorities, who may be able to track down the offenders.