Just like in every industry, the goal of internet scammers is to make as much money as possible with as little effort as possible. While traditional, indiscriminate phishing attacks still happen often, there is a newer and highly effective type of phishing called BEC (business email compromise), also known as CEO fraud. It is a sophisticated, targeted attack with a very high success rate, and it only needs to succeed once or a few times to pay off.
How does the CEO fraud work?
BEC attacks are quite simple. First, the attackers use reconnaissance and social engineering to find out the names and email addresses of the CEO or CFO of the targeted company. Next, they register or set up an email address that looks very similar to the executive's real one (for example, a domain that differs from the genuine domain by a single character) and pick their target inside the company. This is often someone in the finance department who is in charge of company funds, a company attorney or another senior employee. Then the attackers write to that employee while impersonating the CEO. The email typically asks the employee to transfer funds or hand over sensitive company information. If the employee falls for it, the scam has succeeded.
What makes BEC frauds so successful?
There are a few tricks scammers use to make their emails appear more legitimate. As mentioned previously, they often choose an email address that is similar to the real address of the person they are impersonating. They also tend to state that the matter is urgent and the money needs to be transferred ASAP, while at the same time the CEO, or whoever the email is supposedly coming from, cannot be disturbed because they are in a meeting. That detail is deliberate: it discourages the recipient from picking up the phone to verify the request.
Another highly effective trick is adding something like "Sent from my iPad" or "Sent from my iPhone" at the bottom of the email. First, it reinforces the idea that the person is in a meeting and away from their desk. Second, it removes the need to recreate the person's legitimate email signature, which can be a bit challenging. Finally, an email sent from a mobile device excuses poor spelling and grammar.
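The lookalike-address, display-name and urgency tricks described above can be checked for automatically before a message reaches the finance team. The script below is an added example written for this page; it is not code from the original article or from Hackcontrol. The company domain (example-corp.com), the executive name and the sample messages are constructed assumptions. It undoes common look-alike character swaps, measures how far the sender's domain is from the real one, flags an executive's name (or even the executive's full address) used as the display name on an outside address, and only escalates the verdict when pressure language accompanies an identity problem, so a genuine executive's urgent note from a phone is still delivered.

```python
"""Heuristics for the BEC tricks described above: a sender domain that merely
resembles the real one, an executive's name on an outside address, and
pressure language meant to stop the recipient from verifying.

Company domain, executive list and sample messages are constructed for this
example; they are not data from the article.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                        # assumed real domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}     # assumed CEO

# Character swaps that look alike in common fonts: rn->m, vv->w, 0->o, 1->l ...
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Phrases that push the recipient to act before checking.
URGENCY_PHRASES = ("asap", "urgent", "immediately", "in a meeting",
                   "can't be disturbed", "cannot be disturbed", "keep this confidential")

MOBILE_SIGNATURE = re.compile(r"sent from my (iphone|ipad|mobile)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Undo the usual look-alike substitutions so 'exarnple' compares as 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but could be mistaken for it."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    if domain.startswith(COMPANY_DOMAIN + "."):        # example-corp.com.evil.net
        return True
    if normalize_domain(domain) == COMPANY_DOMAIN:     # exarnple-corp.com, examp1e-corp.com
        return True
    return levenshtein(domain, COMPANY_DOMAIN) <= 2    # example-corp.co, exampl-corp.com


def analyze_message(from_header: str, subject: str, body: str) -> list:
    """Return the BEC indicators found in one message, in a fixed order."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []

    if is_lookalike(domain):
        findings.append("lookalike_domain")

    # The CEO's name (or the CEO's full address, quoted) shown as the display
    # name while the actual sending address is not on our domain.
    name = display_name.strip().lower()
    if domain != COMPANY_DOMAIN and (name in EXECUTIVES or name in EXECUTIVES.values()):
        findings.append("executive_name_on_external_address")

    text = f"{subject} {body}".lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        findings.append("urgency_pressure")
    if MOBILE_SIGNATURE.search(text):
        findings.append("mobile_signature")   # weak on its own; see verdict()

    return findings


def verdict(findings: list) -> str:
    """Identity indicators justify holding the message; pressure tactics only
    escalate when identity already looks wrong."""
    identity = {"lookalike_domain", "executive_name_on_external_address"} & set(findings)
    pressure = {"urgency_pressure", "mobile_signature"} & set(findings)
    if identity and pressure:
        return "block"
    if identity:
        return "quarantine"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample in the pattern the article describes.
    sample = ("Jane Doe <jane.doe@exarnple-corp.com>",
              "Urgent wire transfer",
              "I'm in a meeting and can't be disturbed. Please send it ASAP.\n\nSent from my iPhone")
    found = analyze_message(*sample)
    print(found, "->", verdict(found))
```

In a real mail gateway these heuristics would sit alongside SPF, DKIM and DMARC checks rather than replace them; their value is catching the registered lookalike domain that authenticates perfectly because the attacker owns it. Thresholds such as the edit distance of 2 are assumptions to tune against your own domain and its legitimate partners.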
How to avoid BEC scams?
The best way to prevent BEC scams from causing damage to your company is to train your employees to recognize phishing emails and respond to them appropriately. Pair that training with a simple rule: any request to move money or change payment details that arrives by email is verified through a second channel, such as a call to a number already on file, before anyone acts on it, no matter how urgent the message says it is. Hackcontrol provides comprehensive employee training and tests your staff using simulated phishing attacks.