Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

Security Awareness Automation

Easily Automate Security Awareness Training, Phishing And Policies In Minutes

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

How Business Email Compromise (BEC) Works

How Business email compromise works

about the author

Share this post

Business Email Compromise (BEC) is one of the most complex of all social engineering-based scams, making vast sums of money for its perpetrators. While ransomware makes the news, BEC seems to be less of a headline maker. However, research from the FBI has found that BEC volumes are four times that of malware.

The Verizon Data Breach Investigations Report (DBIR) points out that the vast majority (86%) of cybercrime is financially motivated. In 2021, the FBI described BEC as “one of the most financially damaging online crimes.” Scammers, fraudsters, and cybercriminals, are all part of a nefarious community who use social engineering tactics and phishing emails to help carry out their cybercrimes. Understanding how a scam works can help to prevent your organisation from becoming a victim of this cyber attack. Here is how Business Email Compromise works and how you can stop BEC fraudsters from stealing your company’s money.

Analysis of a Typical BEC Attack

Business Email Compromise fraudsters target businesses of all sizes and across all sectors. A BEC scam uses social engineering to its utmost, manipulating the targeted employees in its wake, as the chain of destruction moves through an organisation. In 2020, the FBI’s cybercrime investigations unit, IC3, found that cybercriminals had exploited over $2 billion from U.S. businesses using BEC techniques. BEC is no less common in the UK, with over 500 SMEs targeted by BEC fraudsters during 2018. Business Email Compromise scams are lucrative. But they require a high level of commitment to gain access to the large sums of money that the fraudsters are looking for. BEC fraud can be thought of as an advanced email threat as it usually contains an element of email compromise and phishing at an early stage in the attack cycle. Here are the typical processes behind a Business Email Compromise scam: A BEC scam depends on tricking specific individuals within an organisation into making a wire transfer to move money to a fraudster’s account. There are several variants of the scam, but they all have a common element: finding a way to fool someone into believing that they are carrying out an important money transfer at the request of a C-level person and/or important client. The typical stages of a BEC scam are:

Stage One: Intelligence Gathering and Strategics

BEC crimes are serious money-making exercises that require the gathering of intelligence to perfect the crime. Surveillance usually involves collating general publicly available information on a company, who the C-level executives are, corporate structure, etc. During this stage, the cybercriminals will gain an understanding of the operations of the business and will attempt to work out how payments are made and to whom. A BEC scammer then uses this information to begin stage two of the attack.

Stage Two: Email Compromise or Email Spoof

Using the information gathered in stage one, the BEC fraudster will then turn to one of two tactics to continue the attack: Email account compromise is one possibility. Account takeover (ATO) requires the cybercriminal to steal the login credentials and password for a targeted email account. This can be done using spear-phishing; this is more complicated (but not impossible) if a second factor is used to protect an account. If the cybercriminal can hijack an account, they will focus on either a C-level executive or someone who controls payments. A hijacked account of a CXO is highly valuable and can be used to demand ‘urgent’ payments are made to the hacker’s bank accountimpersonating a ‘valuable client’. In the case of ‘accounts payable’ employee ATO, the fraudster will be able to watch the email traffic, looking for information on who is being paid, when they are paid, etc. Having this level of control over an organisation’s email also allows them to intercept invoices, changing the details to ensure that payments are made to the fraudster’s bank account. The second option is to spoof the email address of the target C-level executive. Spoofing an email is a common form of phishing and a recognised way to trick recipients into thinking it is from a particular person. An example of a spoof email address would be [email protected] or [email protected] – you get the idea…easy to impersonate, hard to spot, especially if you are a busy employee working in accounts payable.

Stage Three: Extracting the Money

Stage three is where the money is moved into the fraudster’s bank account. This can take several forms and will be part of the original strategy for execution defined in stages one and two. Typical ways that the execution of stage three happens are: CEO fraud: using a spoofed or hacked C-level account, the fraudster sends an email marked as ‘urgent’ explaining that unless £££££’s is sent by a certain time a key client account will be lost. Invoice fraud: If an email account is hacked, the fraudster will watch out for invoices coming into the business, intercept them, and then change the payment details on the invoice.

How Can you Reduce the Risk of BEC?

BEC fraud is executed starting with intelligence gathering on the target and propagated using an advanced email attack. The latter typically depends upon a successful spear-phishing campaign. No one is exempt from a BEC attack: in 2018, the charity, Save the Children, lost £800,000 to a BEC scammer. The attacker hijacked an employee’s email account and used the account to send out spoof invoices. There are several ways to protect your organisation against a BEC attack, each being a component of a layered approach to reducing the risk of BEC campaigns:

Train Employees About How BEC Attacks Work

Business Email Compromise is an email-dependent attack that requires vigilance to detect and prevent. Use Security Awareness Training and phishing simulation exercises to ensure that all employees understand the tricks and tactics used to phish people. Create BEC-specific training programs that target your C-level executives and employees, such as those in accounts who deal with payments. If your payments are handled by a third party or suppliers, make sure your training includes them too.

Use Two-Factor Authentication

Email account takeover is one option available for BEC fraudsters. Ensure that your corporate email accounts are configured to require access via a second factor, e.g., users must use a mobile device-based one-time code, as well as a password to access their email account.

Secure Your Corporate Domain

BEC fraudsters often register domain names that are like their target victim’s domain, e.g., www.micr0soft.com or www.amason.com. Fraudsters can then send emails that look like they have been sent by a legitimate email account. To help prevent this, register domains that are like your official corporate domain.

Set Up Mechanisms to Double-Check Payments

Create a process whereby employees must double-check with another staff member before making a money transfer or when sharing confidential or personal information.

Be Aware of Changes or Updates

Create a culture of security by ensuring that all staff are vigilant about any changes in internal staff or vendor behaviour. This cultural approach to security will keep staff alert to scams and allow them to spot unusual behaviour before it becomes an incident.

Business Email Compromise is a lucrative and successful crime. This success means that it is unlikely to decrease in volume in the next few years. The only way to deal with it is to remain vigilant and to educate your employees, including C-level executives, on how BEC works.

Security Awareness Training for Third-Party Vendor

Other Articles on Cyber Security Awareness Training You Might Find Interesting

duckduckgo vs google EN

DuckDuckGo vs Google – 5 reasons why you should give up using Google!

You were not aware that DuckDuckGo is a search engine? Well, now you know. Since its founding in 2008, DuckDuckGo has made it its mission to develop a search engine that does not store or share personal data, quite unlike Google. Google’s business model is based less on data protection and more on personalised advertising. Without the storage of personal data, Google would virtually lose the air it breathes. However, Google is still the most used search engine, and there are reasons for that. Google does have one weakness, however, and that is data protection.
Read More »
dataprotection vs informationsecurity EN

Information Security vs Data Protection

Is this an issue for our ISO or our DPO, or is it much the same in either case? Who exactly is responsible for this incident, and is there a need to report it at all? In order to discuss the similarities and differences between information security and data protection, the first step is to define the two areas.
Read More »