Business Email Compromise (BEC) Part 3 of 5: Account Compromise

May 10, 2019 | Cyber Fraud

We continue our look at the five kinds of Business Email Compromise (BEC) attacks that impact business. According to the FBI's 2018 Internet Crime Report, BEC was the crime category with the highest reported losses that year. How it works is pretty simple. Business Email Compromise is the art of constructing emails that misrepresent who they are from and what they are about. The techniques do not always hinge on tech savvy, either; they hinge on what is called social engineering. Con artists and fraudsters, in the information security world, are called social engineers: they literally engineer a method for scamming businesses, often by using email. Today we look at the method known as Account Compromise.

Account Compromise

Typical Target: An executive, a purchaser, or any employee able to request invoice payments.

Method of Manipulation: As we covered in the Data Theft Scam, collecting personal and account information yields treasures that a scammer can carry into new social engineering efforts. Armed with an employee's email address and business login credentials, the fraudster can simply sign in to that employee's mailbox; no vulnerability in the mail system is needed.

The step-by-step of this method might go something like this:

  1. Employee’s/executive’s email account gets hacked.
    This usually happens by getting sufficient information from a Data Theft Scam.
  2. Once in the email account, contacts are mined for the vendors listed there.
  3. The social engineer (fraudster), posing as the employee/executive, requests invoice payments from the vendors.
    Payment is to be made (of course) to fraudulent bank accounts.
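To make the three steps concrete from the defender's side, here is an added example (not code from the original post) that triages outbound mail for the pattern described above: a message sent from a real internal account to an external contact that asks for an invoice payment and supplies new bank details. It also checks one extra signal the post does not mention, a Reply-To header pointing away from the sender's own domain, which is a common way to divert the vendor's reply. The internal domain, keyword lists, scoring weights and the three sample messages are all assumptions constructed for the illustration.

```python
"""Heuristic triage of outbound mail for account-compromise payment fraud.

Added example, not code from the original post. Models the three-step
pattern above (hacked internal mailbox -> contacts mined -> payment
request with fraudulent bank details). Domain names, keyword sets,
weights and sample messages are assumptions, not real data.
"""
import re
from email import message_from_string
from email.policy import default

INTERNAL_DOMAIN = "example.com"   # assumption: the company's own mail domain
FLAG_THRESHOLD = 4                # assumption: tune against real traffic

# Assumed keyword sets; a real deployment would tune these per business.
PAYMENT_WORDS = re.compile(r"\b(invoice|payment|wire|remit(?:tance)?|transfer)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|routing|iban|swift)\b", re.I | re.S)
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|today|asap|confidential)\b", re.I)
# IBAN-shaped token, or a bare 8-17 digit account number.
ACCOUNT_NUMBER = re.compile(r"\b(?:[A-Z]{2}\d{2}[A-Z0-9]{11,30}|\d{8,17})\b")


def _domains(header):
    """Lower-cased domains of every address in an address header (empty set if absent)."""
    return {a.domain.lower() for a in header.addresses} if header else set()


def score_message(raw):
    """Score one RFC 5322 message string; returns a dict with subject, score, reasons, flagged."""
    msg = message_from_string(raw, policy=default)
    sender = _domains(msg["From"])
    recipients = _domains(msg["To"]) | _domains(msg["Cc"])
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")

    score, reasons = 0, []
    # Step 3 of the scam is mail leaving a real internal mailbox for an external contact.
    outbound = INTERNAL_DOMAIN in sender and any(d != INTERNAL_DOMAIN for d in recipients)
    if outbound:
        score += 1; reasons.append("internal account writing to external contact")
    if PAYMENT_WORDS.search(text):
        score += 1; reasons.append("payment request wording")
    if BANK_CHANGE.search(text):
        score += 2; reasons.append("new or changed bank details")
    if ACCOUNT_NUMBER.search(text):
        score += 1; reasons.append("account number in message body")
    if URGENCY.search(text):
        score += 1; reasons.append("urgency or secrecy pressure")
    reply_to = _domains(msg["Reply-To"])
    if reply_to and reply_to != sender:
        score += 2; reasons.append("Reply-To points away from the sender's domain")
    return {"subject": str(msg["Subject"] or ""), "score": score, "reasons": reasons,
            "flagged": bool(outbound and score >= FLAG_THRESHOLD)}


def triage(raw_messages):
    """Return the scored records for every message that crosses the flag threshold."""
    return [r for r in map(score_message, raw_messages) if r["flagged"]]


# Constructed samples (not real mail). The first is what a compromised
# executive mailbox would send to a vendor; the lookalike Reply-To
# domain "examp1e.com" is part of the constructed scenario.
SAMPLE_COMPROMISED = """From: "Dana Lee" <dana.lee@example.com>
To: accounts@vendor-corp.test
Reply-To: dana.lee@examp1e.com
Subject: Invoice 4471 - updated payment details
Content-Type: text/plain; charset="utf-8"

Hi,

Please process the outstanding invoice today. We have changed our bank
account; the new account is IBAN GB29NWBK60161331926819. Keep this
confidential until the change is announced to all suppliers.

Dana
"""

SAMPLE_INTERNAL_CHAT = """From: dana.lee@example.com
To: sam.ortiz@example.com
Subject: Friday lunch
Content-Type: text/plain; charset="utf-8"

Are we still on for lunch on Friday?
"""

SAMPLE_ROUTINE_REMINDER = """From: ap@example.com
To: accounts@vendor-corp.test
Subject: Invoice 4470 reminder
Content-Type: text/plain; charset="utf-8"

Just a reminder that invoice 4470 is due at the end of the month.
Please remit to the account you have on file for us.
"""

if __name__ == "__main__":
    for hit in triage([SAMPLE_COMPROMISED, SAMPLE_INTERNAL_CHAT, SAMPLE_ROUTINE_REMINDER]):
        print(hit["subject"], hit["score"], hit["reasons"])
```

The routine reminder is deliberately included: it contains invoice and payment wording yet is not flagged, because the weight sits on changed bank details and a diverted Reply-To rather than on payment words alone. A hit from a script like this is a prompt for out-of-band verification with the real employee, not proof of fraud.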

Objective: Once an account is breached, the social engineer might follow these three steps, stealing money via payments on fake invoices (the reverse of this fraud, The Bogus Invoice, is covered next). However, the objective may also be to steal proprietary trade secrets, or to use the trusted mailbox to spread ransomware across the network. The possibilities for theft and destruction of data are practically endless once a bad actor holds a legitimate employee's account.

Educating Employees to Spot Fraud

Social engineers, in the context of information security, work to gain the confidence of people who have access to the business network they are after. Whatever their ultimate goal, their immediate objective is to get employees to give up confidential information. If a company fails to equip its employees with the training they need to identify fraudsters, and fails to establish policies and best practices that block fraud attempts (for example, verifying any change of payment details by phone with a known contact), it is a company at very high risk of data breach and theft. A social engineer looks at that company the way a raccoon looks at low-hanging fruit on a tree. Easy pickins.

Email Protection Solutions are Available

Along with employee training and policies that prevent account compromise, equipping the company with effective email security software is also imperative. We suggest an Email Security Solution be part of a business' security posture. The technology exists to block many fraudulent emails. One caveat specific to account compromise: because the fraudster sends from the employee's real mailbox, sender-authentication checks such as SPF, DKIM and DMARC pass, so protection has to look at the content and behaviour of the message (payment requests, changed bank details, unusual external recipients) and at the account itself (sign-ins from unfamiliar locations). The most direct block for step 1 is multi-factor authentication on every mailbox, so that a stolen password alone does not open the account. Because email fraud is the most prolific attack vector for cyber criminals, we highly recommend getting all the email protection possible.
