Are you concerned about cybersecurity? You should be. The number of online scams is growing. Find out about BEC/EAC scams and how to protect yourself!
In an urgent public service announcement, the US government cautioned businesses and individuals to be aware of insidious online email scams. The warning addresses both Business Email Compromise (BEC) scams, which focus on company email accounts, and Email Account Compromise (EAC) scams, which are similar in scope but attack the email accounts of individuals. While both have been around for several years, there has been a severe uptick in related losses. Between May 2018 and July 2019, the number of global cases doubled. As of July of this year, reports show there were a total of 69,384 US-based victims accounting for over $10 billion in losses.
Atlanta IT support company 360 Smart Networks shares insights into how these scams work.
How Does the BEC/EAC Scam Work?
BEC/EAC cyber attacks begin when a scammer finds a way to compromise the victim's email account. This occurs most often through social engineering. Once the cybercriminal gains control of a legitimate account, the first part of the scam is complete. From that point on, the scammer can intercept all communication to and from the email address and use the account to send emails to others. In the case of BEC, the cybercriminal will often use the hijacked email account to target employees of the company in an attempt to harvest Personally Identifiable Information (PII) or Wage and Tax Statements (W-2) by posing as the company's HR department.
Not all scammers are content with simply gathering confidential data from businesses. Companies that routinely pay overseas suppliers through online money transfers may find themselves receiving additional bank transfer requests. These requests appear to originate from the supplier, but in truth, they are generated by the cybercriminals, who direct the payments to their own bank accounts. Alternatively, a cybercriminal who controls a business email account may place an order with a trusted vendor of the company and request shipment to a different location.
However, companies that do not work directly with overseas suppliers are not immune from BEC scams. A different method of conning businesses is for the scammer to send an email from the business account he controls, requesting funds from an employee at a company. The recipient of the email will then transfer the funds to an account controlled by the cybercriminal.
Individuals who fall victim to this scam may encounter requests for money transfers concerning investments, travel, or overseas purchases. A popular ploy is for scammers to represent themselves as attorneys or their staff, and to contact individuals who are currently involved in legitimate legal matters, and request additional funds to cover legal expenses.
What Can You Do to Protect Your Business and Yourself?
The problem is that these scams all seem legitimate at first, and it can be tough to identify them as fraud. But you don't have to be the next victim. These tips can help:
Never use a free email server for business. Invest in a paid email server, which typically has better security to protect you and will be more responsive if you discover a breach.
Be wary of any transfer request emphasizing a quick response. Many scammers ask for a swift turnaround to prevent you from investigating if it is an authentic request.
Always confirm any request using a secondary method of communication. Picking up the phone and calling the person who made the request is perhaps the quickest and most foolproof way to avoid transferring money to a scammer.
Don't reply to emails and avoid links. Instead of hitting the 'reply' button, click on the 'forward' one. Then you can type the recipient's correct email address. This will protect you from email spoofs.
Watch what you include on your social media and business website. Exposing too much information, such as the name of your immediate boss or the email address of the company's vendor managers, can provide cybercriminals with just enough real information to convince you their requests are authentic.
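The checks behind the tips on rushed requests and on replying can also be automated. The Python sketch below is an added example, not code from 360 Smart Networks or the government announcement: it works out where a reply to a message would actually be delivered and flags pressure language. The address book, the phrase list and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address verified by phone.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@supplier.example"}
# Constructed list of pressure phrases; adjust to your own mail.
URGENCY = re.compile(
    r"\b(urgent|immediately|right away|asap|as soon as possible)\b", re.I)

def reply_target(msg):
    """Return (display name, From address, address a reply would reach)."""
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    return name.strip().lower(), from_addr, (reply_to.lower() or from_addr)

def review(raw):
    """List the reasons to confirm this request by a second channel."""
    msg = message_from_string(raw)
    name, from_addr, target = reply_target(msg)
    reasons = []
    if target != from_addr:
        reasons.append("reply goes to a different address than the sender")
    known = KNOWN_CONTACTS.get(name)
    if known and target != known:
        reasons.append("name is a known contact, reply address is not theirs")
    if URGENCY.search(f"{msg.get('Subject', '')} {msg.get_payload()}"):
        reasons.append("message presses for a quick response")
    return reasons

# Constructed sample messages (headers, blank line, body).
REDIRECTED = """From: Dana Reyes <dana.reyes@supplier.example>
Reply-To: Dana Reyes <dana.reyes@supplier-pay.example>
Subject: Updated bank details

Please send the transfer immediately to the new account.
"""
LOOKALIKE = """From: Dana Reyes <dana.reyes@suppller.example>
Subject: Invoice 1043

Our bank details have changed, see attached.
"""
GENUINE = """From: Dana Reyes <dana.reyes@supplier.example>
Subject: Invoice 1042

Attached is this month's invoice. Payment terms are unchanged.
"""

if __name__ == "__main__":
    for label, raw in (("redirected", REDIRECTED), ("lookalike", LOOKALIKE),
                       ("genuine", GENUINE)):
        print(label, review(raw))
```

An empty result only means none of these three checks fired; a message sent from a genuinely hijacked account passes all of them, which is why the phone call remains the deciding step.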
Be sure to protect yourself as best you can, but if you believe someone is trying to scam you, don't keep it to yourself. Contact the cybersecurity team at your company immediately. You can also file a BEC complaint online.