Phishing for Cash: Business Email Compromise Explained

They may seem like ordinary phishing attacks at first, but BEC attacks have very specific targets and a very specific goal: money.

Cybercriminals are well aware that unlike a compromised personal email, a compromised business email can be a gateway into the private internal network of an organization, and organizations tend to have a lot more money to spend and payments to make than the average individual.

What is BEC?

A business email compromise attack, or BEC attack for short, begins when an attacker hijacks the email account of an employee within a company, most commonly via phishing. The attacker does not always need the real account, either: a spoofed sender or a lookalike domain that differs from the genuine one by a single character is often enough to fool the recipient.

Targeted employees are often either C-suite executives who are authorized to make wire transfers, or senior staff with access to the company's financial operations.

Once the attacker controls the account, they impersonate its owner, contact other employees within the company, and try to trick them into paying a fake invoice or transferring funds to a bank account the attacker controls.
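To make the impersonation concrete, here is a small header and body check of the kind a mail gateway or an analyst could run over a suspicious message. This is an added example, not code from the original post or from MYKI: the protected domain `example.com`, the executive name list and the three sample messages are all constructed assumptions. Two of the samples show the difference between a lookalike-domain spoof and a genuinely hijacked mailbox; in the second case the From address is real and only the diverted Reply-To and the payment-change language give the message away, which is why protecting the mailbox itself matters.

```python
"""BEC indicator checks over raw RFC 5322 messages.

Added example, not MYKI's code. The protected domain, the executive
names and the sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumption: the organisation being protected
EXECUTIVES = {"jane doe"}        # assumption: display names worth impersonating

# Phrases that recur in fake-invoice and wire-transfer lures (subject + body).
PAYMENT_PATTERNS = [
    r"\bwire transfer\b",
    r"\bnew (bank|account) details\b",
    r"\bupdated? (bank|banking|account) (details|information)\b",
    r"\bchanged? (our|the) bank\b",
    r"\b(urgent|asap|immediately)\b",
    r"\bconfidential\b",
]


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list:
    """Return the BEC indicators found in one raw message (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    hits = []

    # 1. Reply-To diverts the conversation to another domain. This fires even
    #    when the From address is genuine, i.e. the mailbox really was hijacked.
    if reply_dom and reply_dom != from_dom:
        hits.append(f"reply-to-mismatch:{reply_dom}")

    # 2. Sending domain is a near-miss of the real one (one or two edits away).
    if from_dom != COMPANY_DOMAIN and edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        hits.append(f"lookalike-domain:{from_dom}")

    # 3. Display name is an executive but the address is outside the company.
    if from_name.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        hits.append(f"display-name-spoof:{from_name}")

    # 4. Payment-change or urgency language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    hits.extend(f"payment-lure:{p}" for p in PAYMENT_PATTERNS if re.search(p, text, re.I))
    return hits


# Constructed sample 1: lookalike domain, executive display name, diverted replies.
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Reply-To: Jane Doe <jdoe.ceo@freemail.example>
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Please process this wire transfer today, our new bank details are attached.
Keep it confidential.
"""

# Constructed sample 2: the mailbox itself is hijacked, so From is genuine.
SAMPLE_HIJACKED = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Reply-To: <jane.doe.private@freemail.example>
Subject: Vendor payment
Content-Type: text/plain; charset="utf-8"

Our vendor has changed the bank they use, please send the payment to the
updated account details below immediately.
"""

# Constructed sample 3: routine internal mail with none of the indicators.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 offsite
Content-Type: text/plain; charset="utf-8"

Can we get the offsite agenda circulated by Friday?
"""

if __name__ == "__main__":
    for label, raw in [("spoof", SAMPLE_SPOOF), ("hijacked", SAMPLE_HIJACKED), ("benign", SAMPLE_BENIGN)]:
        print(label, bec_indicators(raw))
```

The spoofed sample trips every check; the hijacked sample only trips the Reply-To and payment-language checks, because its sender really is the company's own mailbox. Heuristics like these are a triage aid, not a verdict: the keyword list will produce false positives on legitimate finance mail, so the final control belongs in the payment process rather than in the mail filter.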

But how much is at stake here? According to a recent report, the average sum that a BEC group will try to steal from a targeted company is now around $80,000 per attack. One group calling itself Cosmic Lynx has even raised the bar to an outrageous $1.27 million per attack.

MSPs are targets too

It should not come as a surprise that MSPs are also popular targets for BEC attacks.

Earlier this year, the US Secret Service sent a security alert to the private sector and to government organizations, warning of an increase in hacks of managed service providers and specifically citing BEC as one of the attacks carried out by cybercriminals leveraging compromised MSPs.

Obviously, the fake invoice trick can work just as well on an MSP as on any other type of company, but what MSPs have that few other companies do is access to a large number of clients, who are themselves businesses that can then be targeted with BEC attacks as well.

What can be done?

Since BEC attacks can impact both an MSP and its clients, it's important that MSPs not only take measures to protect themselves and their employees, but also extend that protection to their clients.

Beyond raising awareness of phishing and of the risks of clicking links and opening attachments from suspicious-looking emails, making sure everyone uses strong, unique passwords and two-factor authentication on their mailboxes is an effective defence against the account takeover that starts a BEC attack. Because an attacker who already controls a mailbox sends mail that passes every sender check, the payment process also needs a control that email alone cannot provide: any request to change bank details or make an unusual transfer should be confirmed with the requester over a phone number already on file, never one supplied in the email itself.

Fortunately, MYKI for MSPs allows both MSPs and their clients to generate strong and unique passwords for all online accounts, set up and manage two-factor authentication for them, store everything securely offline, and much more.

Sign up for MYKI for MSPs today and start taking control of your digital identity.
