Three Common Business Email Compromise Tactics and How to Fight Back
By: Tek Editor
Seven years after the FBI coined the term “business email compromise,” or BEC, the list of victims—and the tally of multimillion-dollar losses—continues to grow. BEC has resulted in more than $26 billion in potential losses since 2013.
And the rise in BEC schemes reveals another growing trend: attackers are increasingly shifting their gaze from infrastructure-focused attacks to attacks that target people directly.
BEC starts with an email in which the perpetrator poses as someone the victim trusts. The message makes a seemingly legitimate business request, usually sensitive information or a wire transfer. BEC is hard to recognize because, to the target, the requests seem so routine.
THREE COMMON BEC TACTICS
Here are the most common techniques used in BEC attacks. Cyber criminals often use multiple techniques in tandem.
This scheme puts the name of the spoofed executive in the “From” field. But the email address behind that name is at an outside service such as Gmail and belongs to the attacker. Proofpoint has found that this method is used in more than 90% of attacks.
Look closely if you receive such an email. The CEO’s name may be in the body of the email, but the sender’s email address may not be the corporate email address you would expect the CEO to use.
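The check described above (an executive's name in the “From” field paired with an address at an outside service) can be automated at the mail gateway. The following is an added example, not code from the original article; the corporate domain `example.com`, the protected name `Jane Doe` and the sample messages are assumptions constructed for illustration.

```python
import unicodedata
from email import message_from_string, policy

# Assumed values for illustration; replace with your own domain and executives.
CORPORATE_DOMAINS = {"example.com"}
PROTECTED_NAMES = ["Jane Doe"]

def name_tokens(name):
    """Fold case, accents, punctuation and word order: 'DOE, Jané' -> {'doe', 'jane'}."""
    text = unicodedata.normalize("NFKD", name).casefold()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return frozenset("".join(c if c.isalnum() else " " for c in text).split())

PROTECTED = {name_tokens(n): n for n in PROTECTED_NAMES}

def check_from(raw_message):
    """Classify one RFC 5322 message as 'ok', 'suspicious' or 'unparseable'."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or len(header.addresses) != 1:
        return "unparseable"          # missing or multi-address From: review by hand
    sender = header.addresses[0]      # default policy decodes RFC 2047 display names
    domain = (sender.domain or "").lower()
    if not domain:
        return "unparseable"
    shown = name_tokens(sender.display_name)
    impersonates = any(key <= shown for key in PROTECTED)
    if impersonates and domain not in CORPORATE_DOMAINS:
        return "suspicious"           # executive's name, outside mailbox
    return "ok"

# Constructed sample messages (not real traffic).
SAMPLES = {
    "genuine": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nHi",
    "gmail": 'From: "Jane Doe" <ceo.office1@gmail.com>\nSubject: Urgent wire\n\nHi',
    "reordered": 'From: "DOE, Jane (CEO)" <jd@outlook.com>\nSubject: Payment\n\nHi',
    "encoded": "From: =?UTF-8?B?SmFuZSBEb2U=?= <jdoe@gmail.com>\nSubject: Re: invoice\n\nHi",
    "colleague": "From: Sam Lee <sam.lee@gmail.com>\nSubject: Lunch\n\nHi",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} {check_from(raw)}")
```

A match on the display name alone says nothing about whether the corporate address itself was forged, so this check complements SPF, DKIM and DMARC enforcement instead of replacing it.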