Learn from Other Companies’ Disasters

Explore How BEC Took a Bite Out of These Companies

BEC is a slippery foe because it can take so many forms, making it hard to spot a BEC scheme until it’s too late. But security awareness training can ensure that employees are alert to the general basic types of BEC scams.

Urgent payment required or invoice scams

The most common variety of BEC attack is the invoice or urgent payment required scam. In this scenario, bad actors pose as representatives of a company or government agency and tell the victim that an invoice must be paid immediately to avoid a negative consequence.

Examples

  • The FBI received many reports of COVID-19-related BEC invoice fraud targeting large healthcare organizations. Victims received messages claiming that a fake invoice must be paid immediately for the organization to get a shipment of much-needed medical supplies or vaccines. Victims were instructed to pay by wire transfer. Of course, no supplies ever reached those unfortunate healthcare providers.  
  • Both Facebook and Google fell victim to invoice scams perpetrated by the same cybercriminals that resulted in around $121 million in collective losses. Lithuanian national Evaldas Rimasauskas and associates formed a fake company that used the name of a real hardware supplier, “Quanta Computer.” The group then presented Facebook and Google with fraudulent invoices, which they promptly paid — straight into bank accounts controlled by the bad guys. 

Executive impersonation scams

Bad actors may pose as an executive at the victim’s company or another organization to entice the victim into downloading a malicious document, sending them money or providing them with sensitive information.

Examples

  • At toy manufacturer Mattel, cybercriminals posing as executives of a Chinese company duped an executive into approving a $3 million offshore payment to their fake firm in China. The executive soon found out that the Chinese firm didn’t exist, and that they had transferred that money to cybercriminals.  
  • Pathé, a French cinema company, experienced a BEC attack in which cybercriminals impersonated the company’s CEO. Bad actors misrepresented themselves to the executives in the company’s Dutch division using an email address similar to the company’s legitimate domain pathe.com. The fraudsters convinced executives to transfer funds to a “new” (fraudulent) bank account to pay for the supposed takeover of a company in Dubai, ending in a loss of $21 million.  
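The Pathé case turned on a sender domain that merely resembled the legitimate pathe.com. As an added example that is not part of the original post, here is a small Python check a mail gateway or awareness tool could run to flag sender domains that look like a trusted domain but do not match it exactly; the sample addresses are constructed, and the homoglyph map is a deliberately small assumption rather than a complete table.

```python
"""Flag sender domains that resemble, but are not, a trusted domain."""
import re
import unicodedata
from typing import Iterable

# Assumption: a small illustrative map of digit/letter substitutions used in
# lookalike domains; a production table would be far larger.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Fold accents, digit-for-letter swaps, 'rn'->'m' and hyphens away."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(HOMOGLYPHS).replace("rn", "m").replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row-by-row to keep memory small."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: Iterable[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From address."""
    match = re.search(r"@([^>\s]+)", address)
    if not match:
        return "invalid"
    domain = match.group(1).lower().rstrip(".")
    trusted = [t.lower() for t in trusted]
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for legit in trusted:
        legit_norm = normalize(legit)
        # Same after folding (e.g. path-e.com, pathé.com) or a near miss
        # (one or two edits away) is treated as a lookalike, not as external.
        if norm == legit_norm or edit_distance(norm, legit_norm) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers; only pathe.com comes from the post above.
    for sender in ("CEO <ceo@pathe.com>", "ceo@pathee.com", "ceo@path-e.com"):
        print(sender, "->", classify_sender(sender, ["pathe.com"]))
```

A "lookalike" verdict is a reason to hold the message for review or to require out-of-band confirmation before any payment instruction in it is acted on.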

Misrepresentation scams

In a misrepresentation scenario, bad actors target employees in certain departments with the intent to trick them into providing sensitive information or payments.

Example

  • The charity Save the Children lost $1 million to BEC. In that scam, the attacker managed to gain access to an employee’s email account, and then used it to send fake invoices and other documents to the charity’s accounting department claiming that the money was needed to pay for non-existent solar panels for a clinic in Pakistan. The accounting department didn’t suspect anything because the invoices came from a trusted address. 

Gift card scam

Urgency is a hallmark of BEC gift card scams. Bad actors scare their victims, for example, by telling them that their company’s electricity will be cut off for non-payment unless they pay their bill by gift card immediately.

Examples

  • The target receives an email purporting to be from a government agency, often the U.S. Internal Revenue Service or the Social Security Administration. The senders claim that the victim or the victim’s company must pay taxes or a fine and will face dire consequences if it isn’t paid immediately.
  • A cybercriminal sends a message pretending to be from Apple or Microsoft tech support, saying there’s something wrong with the company’s systems or services and the victim must pay to have it fixed.

Credential or information fraud

A credential compromise BEC scam starts with bad actors asking the victim to provide credentials on the pretense that they’ve misplaced credentials they’d already been given or weren’t given the right ones to complete a task.

Example

  • Twitter fell victim to a BEC attack. In this incident, bad actors pretending to be repair contractors contacted Twitter employees. They convinced a Twitter employee that there had been a mix-up and they hadn’t received the right credentials to access a system that required repairs. After obtaining access credentials from the gullible employee, cybercriminals were able to take over accounts belonging to celebrities, including Donald Trump and Elon Musk, and use them for nefarious purposes.


Reduce the chance of a BEC scam doing major damage and mitigate other cyberattack risks affordably with two battle-tested security solutions that you can rely on. Contact us today or book a discovery session!
