BEC Scams & Social Engineering – What You & Your Staff Need To Know To Better Protect Yourselves from This Cybersecurity Scam


When your boss asks you to print a report, share a piece of information or help out with a task, you aren’t likely to tell them no, right?

More than likely you’d jump to it and get them what they need right away.

But what if you get an email asking you for sensitive information, like a login to your HR software or your accounting software? What if your CFO or CEO sent you an email requesting a wire transfer?

Would you think to ask questions first? Would you verify their identity or check to make sure that this is a real request?

What are BEC scams?

A BEC scam, or Business Email Compromise, is the term for when a cybercriminal disguises themselves as an executive or owner of your company to trick you into doing something.

These BEC Scams trick innocent employees into doing things like:

  • Handing over confidential info (employee data, client data etc.)
  • Giving credentials for private accounts (financial, HR, proprietary info)
  • Transferring funds

BEC scams can be quite sophisticated, so they are difficult to catch. Criminals will research a company and its employees to give their scam more credibility.

Often, cyber criminals will use a technique called Social Engineering to gather data and learn ways to trick employees.

What is Social Engineering?

Social engineering is a broad term. In a nutshell, social engineering is a technique a criminal or cybercriminal uses to manipulate an individual into handing over confidential information.

For the most part, social engineering scams start with a phishing scam or data breach.

A cybercriminal snags the login info for your email or your social media account. Once they have login credentials, the criminal can access your personal information and use it to their benefit.

Two common uses for your email or social media:

  1. Hijack your account and spam your network – hoping to infect a bigger group of people and do more damage
  2. Spy on you and pick up specific info they can use to impersonate you later as part of a more advanced scam

What do these scams look like in action?

BEC Scam Example #1 – How to lose 10K in minutes . . .

A hacker gains access to the owner’s email account. The hacker does some quick searching on LinkedIn and locates the HR Manager’s name. With the name, the hacker sends a quick email to the HR manager with an urgent request for a fund transfer of 10K before they miss a deadline.

The HR manager sees the request and quickly transfers the funds.

An hour later, the owner notices the wire transfer and asks the HR manager what it was for. The HR manager is confused: the owner asked for the transfer, didn’t they?

In reality, the hacker just stole 10 grand and made quick work of it.

BEC Scam Example #2 – How criminals steal your employees’ identities during tax season . . .

Tax season is huge for scammers and criminals. Social security numbers, personally identifiable information, banking info and much more are up for the taking, and criminals are willing to do some work to steal this info from your business.

Criminals specifically target HR and Accounting departments during this time.

Hackers regularly spam HR managers and Accounting staff requesting copies of personal information including W-2 statements. They use these documents to steal identities, funds and more from businesses and employees alike.

A hacker might send an email to your HR manager that appears to come from the CEO requesting specific documentation. Again, few employees question a message from a leader, owner or boss at the company, so they do what is asked without thinking twice.

Some other popular examples:

  • Criminals impersonating attorneys to scare you into handing over documentation
  • Sending fake invoices to your company (sometimes impersonating real vendors, other times just demanding payment)
  • Hacking employee email accounts to spread malware and key loggers to other employees (we are all more likely to click links and download files from people we believe are our co-workers)

How to protect against and prevent BEC Scams

One of the best ways to protect your business from these kinds of BEC scams is continuous employee education. It’s been said before, but at the end of the day, you and your employees are the targets of these attacks, so the more you know about them, the better you can protect yourself and your business.

Some quick tips:

  • Watch out for URGENT requests that put you on edge – any time you get an email with an immediate need that gives you pause . . . like a request for a big fund transfer, confidential data or proprietary data . . . double check with the source. Call your boss, using a phone number you already have rather than one given in the email, and make sure they actually do want the funds or the documents. Better safe than sorry.
  • Beware of downloads – if you don’t know the sender, don’t download it. If you never requested the report, don’t download it. If you question the source at all . . . double check before you download.
  • Make sure spam filters are properly configured – obviously you don’t want to miss valid emails, but your IT team should have your spam filters configured properly. This will prevent a good amount of phishing attempts, malicious email and more from ever hitting your staff inboxes.
  • Don’t follow random links – links are tricky. In a digital world you need to access things online, and sharing links makes that easy. If you are being asked to check financial or other private information, it is always best to go to the proper site on your own. For instance, if you get an email about the business Chase credit card account, don’t click a link to investigate. Instead, go directly to Chase.com and handle the business needs that way.
  • Employee training – this may be last on the list, but training and keeping IT security at the front of your employees’ minds is vital. The goal is to inform your team and educate them so that they can properly defend themselves and your network.
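The warning signs in the tips above (an executive’s name on a message that doesn’t come from their real address, a Reply-To that points somewhere else, urgent wording, and requests for funds or confidential data) can be turned into a simple triage check that a mail team runs before a message reaches staff. The script below is an added example written for this post; it is not Andromeda’s code or part of any product. It assumes a hypothetical list of protected executives and their real addresses (`PROTECTED_EXECS`), and the three sample messages are constructed for illustration.

```python
"""Heuristic BEC triage over inbound mail headers and body text.

Added example (not from the original post). It scores a message on the
indicators the post describes and returns a verdict a help desk can act on:
"verify out-of-band" means call the sender on a known number before acting.
"""
import re
from email.utils import parseaddr

# Assumed (hypothetical) executives scammers like to impersonate, keyed by the
# lower-cased display name, with the address they really send from.
PROTECTED_EXECS = {
    "jane owner": "jane@example.com",
    "sam cfo": "sam@example.com",
}

URGENCY = re.compile(r"\b(urgent|asap|immediately|before (the )?deadline|right away)\b", re.I)
MONEY = re.compile(r"\b(wire|transfer|funds?|payment|invoice|gift cards?)\b", re.I)
SENSITIVE = re.compile(r"\b(w-?2|ssn|social security|login|password|credentials|payroll)\b", re.I)


def analyze_message(headers: dict, body: str) -> dict:
    """Return a score, verdict and the list of reasons for one message."""
    display, addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reasons = []
    score = 0

    # Display name matches an executive but the address is not theirs.
    name_key = display.strip().lower()
    if name_key in PROTECTED_EXECS and addr.lower() != PROTECTED_EXECS[name_key]:
        reasons.append(f"display name '{display}' matches an executive but address is {addr}")
        score += 3

    # Replies would go to a different mailbox than the apparent sender.
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")
        score += 2

    # Content indicators from the post: urgency, funds, confidential data.
    if URGENCY.search(body):
        reasons.append("urgency language")
        score += 1
    if MONEY.search(body):
        reasons.append("funds/payment request")
        score += 1
    if SENSITIVE.search(body):
        reasons.append("request for confidential data")
        score += 1

    if score >= 3:
        verdict = "verify out-of-band"
    elif score >= 2:
        verdict = "caution"
    else:
        verdict = "ok"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages: a wire-transfer lure from a free-mail address,
# a routine internal note, and a W-2 request with a redirected Reply-To.
SAMPLES = [
    ({"From": "Jane Owner <jane.owner.ceo@gmail.com>"},
     "Hi, I need you to process an urgent wire transfer of $10,000 before the "
     "deadline today. I'm in meetings all day, just email me when it's done."),
    ({"From": "Sam CFO <sam@example.com>"},
     "Can you send me the Q3 report when you have a minute? No rush."),
    ({"From": "Jane Owner <jane@example.com>", "Reply-To": "jane.owner@outlook.com"},
     "Please send copies of all employee W-2 forms immediately."),
]


def triage_samples() -> list:
    """Run the check over the constructed samples and return the verdicts."""
    return [analyze_message(h, b)["verdict"] for h, b in SAMPLES]


if __name__ == "__main__":
    for (headers, body), verdict in zip(SAMPLES, triage_samples()):
        result = analyze_message(headers, body)
        print(f"{headers['From']!r}: {verdict} (score {result['score']})")
        for reason in result["reasons"]:
            print("   -", reason)
```

The scoring is deliberately coarse: the point is not to block mail automatically but to route anything scoring "verify out-of-band" to a human who picks up the phone, which is the same check the first tip asks each employee to make.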

Andromeda’s team can help your business defend itself against scams like these and others. If you’re interested in learning more about how Andromeda can secure your network or if you are interested in learning more about our employee IT security training, let us know. Call the office at (815) 836-0030 or reach us at Contact@WeNetwork.com.