Worse, the cyber criminals engaging in these types of attacks don’t limit themselves to Fortune 500 companies. They’re just as likely to target small to medium sized businesses as they are to target major international firms.
Typically, a BEC attack works something like this:
A fraudster will pose as either a high-ranking company official or a trusted business partner and begin email communication with a mid-level employee at your firm. Over the course of that conversation, a request will be made to the employee to transfer funds to what the employee believes to be an account belonging to a longstanding business partner.
Thinking that they’re doing the bidding of their CEO or of a trusted business partner, these transfers are often made without a second thought. Of course, by the time it is discovered that the person the employee was communicating with was a fraud, the money is long gone and virtually impossible to recover. A BEC attack can take other forms too, however.
In fact, according to the FBI’s Internet Crime Complaint Center:
“One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information or Wage and Tax Statement (W-2) forms. Payroll diversion schemes that include an intrusion event have been reported to the IC3 for several years. Only recently, however, have these schemes been directly connected to BEC actors through IC3 complaints.”
The bottom line is that this type of issue is getting worse and increasingly common. Be sure your employees are aware and mindful of who they’re releasing funds to.