Business email compromises (BEC) are on the rise. When I was at Forrester Research, I typically didn’t go more than one month without consulting with organizations that had fallen prey to the attack. In an August 2015 alert, the FBI defined the BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
The FBI’s alert revealed that, from October 2013 to August 2015 alone, international law enforcement agencies reported BEC losses in excess of a staggering $1.2 billion. See figure 1.
In late May, the CEO of Austrian aircraft parts manufacturer FACC, who had led the company for seventeen years, was fired after a BEC attack resulted in the loss of approximately €50 million. His termination followed the CFO’s exit, which occurred in February. The attack was first revealed in FACC’s Interim Report Q3 2015/2016. See figure 2.
In FACC’s recently released annual report, interim CEO Robert Machtlinger wrote “in January 2016, the ‘Fake President Incident’ affair became public, to which FACC fell victim over Christmas and suddenly the world looked different for us.” FACC’s BEC was significant; the company’s 2015 profits were erased as a result of the fraud.
The specifics of FACC’s BEC incident aren’t public, so I won’t speculate as to how the social engineering efforts occurred. We do know that executive travel has featured in other BECs. The FBI provided the following example, in which an accountant received an email from her CEO, who was on vacation out of the country, requesting a transfer of funds. See figure 3.
There are many questions to ask when it comes to preventing, detecting and responding to BECs. One that stands out in my mind is: how vulnerable are your executives? How likely are they to be targeted? What public information is available that could be used to fuel a social engineering attack against your company?
A combination of people, process and technology is required to mitigate BEC. I suggest you consider the following actions: