BEC, or Business Email Compromise, is a contemporary twist on a staple scam.

Often in the shadow of the more extravagant, media-friendly super-hacks or ransomware compromises, Business Email Compromise is leading the line on both the number of attack victims AND the direct losses encountered by businesses.


Although not as en vogue as other ‘nouveau’ cybersecurity threats, if you are simply looking at direct business costs, BEC leaves almost every other cyberattack in the dust. And there are a couple of reasons why. Unlike viruses, Trojans, and worms, there isn’t an abundance of software, firewalls, or preventative measures that can protect you. The scammers are leveraging social engineering tactics as opposed to technical exploits. The scam itself is the oldest trick in the book, a simple act of deception, and it is usually only uncovered once the attacker is off with your hard-earned money.

There are typically three varieties of this scam, as outlined previously in this well-crafted Tripwire article. The basic premise is that the attacker pretends to be someone he or she is not (usually an executive at the company) and pressures lower-level employees to hand over sensitive information or money under “time sensitivity” duress. The attack usually arrives as a bogus invoice, a message from a compromised account belonging to a real employee, or a spoofed email address, any of which can look remarkably like the genuine parties.
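Because BEC relies on deception rather than an exploit, what a mail gateway can still do is flag the tell-tale header patterns behind the three varieties above. The script below is an added example, not code from the article or from Tripwire: it triages one inbound message for an executive's display name on an outside address, a Reply-To pointing at a different domain than the From, a lookalike sender domain, and the urgency language the scam depends on. The trusted domain, the executive directory and both sample messages are constructed for illustration.

```python
"""BEC header triage for a single inbound message (added example)."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
# assumed executive directory: lower-cased display name -> real address
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "wire transfer", "immediately", "keep this confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """Heuristic: close edit distance to, or embedding of, the trusted domain."""
    if not domain or domain == trusted:
        return False
    label = trusted.split(".")[0]
    return levenshtein(domain, trusted) <= 2 or label in domain


def triage(raw_message: str) -> list:
    """Return the list of finding codes raised for one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. An executive's display name riding on an address outside our domain.
    if name.strip().lower() in EXECUTIVES and from_dom != TRUSTED_DOMAIN:
        findings.append("display-name-spoof")

    # 2. Replies silently redirected to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Sender domain imitating ours (typosquat or embedded brand).
    if is_lookalike(from_dom):
        findings.append("lookalike-domain")

    # 4. The time-pressure wording the scam relies on.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgent-payment-language")
    return findings


# Constructed sample messages: one impersonation attempt, one legitimate mail.
SPOOF_MSG = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.net
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process this immediately and keep this confidential.
"""

LEGIT_MSG = """From: "Jane Doe" <jane.doe@example.com>
Subject: Q3 planning
Content-Type: text/plain; charset="utf-8"

Agenda for Thursday attached.
"""

if __name__ == "__main__":
    print("spoof:", triage(SPOOF_MSG))
    print("legit:", triage(LEGIT_MSG))
```

Each finding on its own is weak evidence; a real gateway would score them together and route anything matching two or more into a manual payment-verification step rather than blocking outright, since legitimate mail from partners occasionally trips a single rule.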

I imagine all of this seems very low-brow and benign after the sophistication and technical nuance of many of the cyber-attacks we saw throughout 2017. However, the numbers are real, and the sums involved are extremely large. Facebook and Google lost an eye-watering $100 million each. Luckily for the big boys, they have the power to get back every dime – you, by contrast, probably won’t be so lucky.

FBI (Read more...)