
How Organizations Can Defend Themselves Against BEC Scams During The Holiday Season

Brad Slavin, General Manager
Updated April 11, 2025

Quick Answer

BEC volume rises during the holidays because email traffic spikes (greetings, promotions, charity appeals) and shoppers lower their guard. The FBI's IC3 reported $26 billion in exposed BEC losses (actual and attempted) globally between June 2016 and July 2019, roughly $702 million per month. Common holiday lures include gift card requests impersonating a director, shipping notices imitating FedEx, Amazon, or UPS, fake purchase verifications from credit card brands, and fraudulent charity solicitations. Non-retail organizations are still exposed because employees shop on corporate networks. Defenses combine awareness training to spot urgency and impersonation, organization-wide policies on what employees share online, MFA on email accounts, out-of-band verification of wire transfers and data requests, premium email services with stronger filtering, and registration of lookalike domains such as the .org and .net variants of the corporate name. SPF, DKIM, and DMARC on the primary domain, with an enforcing DMARC policy, let receiving mail servers reject mail that spoofs the exact domain; lookalike domains still have to be handled separately.


Cybercriminals have historically been more active during the holiday season, for several reasons. Holidays are when both organizations and users receive a large number of emails carrying season's greetings, promotions, discounts, and charity appeals. People also tend to let their guard down during the holidays and increase their shopping activity.

Adversaries take advantage of this, and attacks like spoofing, phishing, and Business Email Compromise (BEC) increase accordingly. IC3 reported $26 billion in exposed losses (actual and attempted) to BEC scams between June 2016 and July 2019, roughly $702 million per month, which shows the scale of damage these scams cause. This is why it is crucial to know what BEC scams are, how they operate, and how you can keep the confidentiality, integrity, and availability (CIA) of your organization's information assets intact against them.

What Is A BEC Scam?

Business Email Compromise (BEC), also known as Email Account Compromise (EAC) or a man-in-the-email scam, is a financially damaging online crime. It exploits one of the most exposed areas of any business: email correspondence. In a BEC attack, cybercriminals send an innocuous-looking email that appears to come from a trusted source, such as a regular client or the company's CEO, and that asks the recipient to act on a request (a payment, a change of banking details, sensitive data) without verifying it.


Common Holiday BEC Scams To Look Out For

There are several common holiday BEC scams that organizations need to counter. The most common ones are described below.

Gift Card Scams

Emails offering free gift cards are commonplace during the holiday season. These are often phishing scams that seek confidential information. Adversaries may also impersonate a director by spoofing their email address and ask employees to buy gift cards for a supposed business purpose.

Shipping Scams

Shipping scams are another kind of BEC scam, in which adversaries impersonate organizations like FedEx, Amazon, and UPS. Criminals send emails with malicious URLs and attachments under the pretext of updating delivery information, tracking packages, or downloading shipping labels. Following those links or opening the attachments can result in malware infections or, even worse, data breaches.

Purchase Verifications

Cybercriminals send emails that seem to come from credit card companies or retailers and ask users to validate "suspicious purchases." These emails lead victims to fake login pages that steal banking and account credentials.

Fake Charities

Adversaries take advantage of the spirit of giving during the holiday season by setting up fake charities that solicit donations.

Along with these holiday-specific BEC scams, organizations also face the year-round variants. These include emails in which adversaries impersonate regular clients and send an invoice with an updated mailing address, or pretend to be supply chain partners and send revised instructions for wiring payment.

Are Holiday Scams a Problem For All Organizations?

Some organizations may feel that holiday scams do not concern them because they are not in the retail sector. They are mistaken. All organizations are at risk during the holiday season because their employees shop, and fall victim to retail scams, on corporate computers and networks, compromising those networks in the process.

Malware, ransomware, and keyloggers are often delivered in malicious attachments sent during the holiday season and can compromise organizational networks. A malware infection, for example, lets adversaries move into the business network and read legitimate email about invoices, payment details, and billing. Using this information, threat actors send targeted spear-phishing emails to finance staff that reference real transactions, building enough trust that employees do not question payment and other requests. Passwords can also be captured, and if the organization has no good password policy, a single compromised credential can have severe consequences.

How Can Organizations Protect Themselves From BEC Scams?

Business email compromise attacks often involve malware, so organizations should deploy technical controls such as antivirus software, spam filters, and email allowlisting. However, social engineering can bypass technical controls, so organizations must also use procedural safeguards, and employees must be educated about the different scams in order to recognize them.


The following precautions can help organizations protect themselves from BEC scams:

  • Awareness Training: Most BEC scams succeed only when employees fail to take proper precautions or to recognize a phishing email. Awareness is therefore the first line of defense. Employee cybersecurity training programs teach employees to identify and report suspicious messages.
  • Organization-Wide Policies: Organizations should have policies governing the information employees share online. Employees should exercise care when posting to social media and public-facing systems such as websites, since role, travel, and vendor details are exactly what an impersonator needs.
  • Enabling Multi-Factor Authentication: Multi-factor authentication requires more than one proof of identity for actions such as logging into the organization's network or mailbox. Combining a password with a biometric, a one-time code, or a dynamic PIN prevents unauthorized access to employee email with a stolen password alone and makes it harder for cybercriminals to launch BEC attacks from a genuine account.
  • Double Checking Emails For Suspicious Details: Scrutinizing the sender's actual address (not just the display name), the Reply-To address, and any spelling mistakes or grammatical errors can stop a share of BEC attempts.
  • Verify Before Sending Information or Data: Organizations should make it standard operating procedure that employees confirm any wire transfer or request for information through a separate channel, such as a known phone number or an in-person check, before authorizing it, even when the request appears to come from senior management.
  • Use Premium Email Services: Organizations should register their own domain names and use premium email services, which offer stronger filtering and authentication features than free services.
  • Secure Organization Domains: Organizations should register domains similar to their own, including the .org and .net variants, so that adversaries cannot easily obtain lookalike domains. Registration does not stop spoofing of the real domain itself, so SPF, DKIM, and DMARC must also be configured for the primary domain, with a DMARC policy of quarantine or reject so that receivers act on failures.
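The two checks behind the "double checking emails" and "secure organization domains" items above, as an added example that is not part of the original post: `is_lookalike()` flags a sender domain that imitates a trusted domain by homoglyph, digit swap, typo, or by embedding the trusted name as a subdomain of something else, and `audit_dmarc()` parses a DMARC TXT record and reports why it would not cause receivers to act on spoofed mail. The headers, domain names, and DMARC records are constructed for illustration and are not real registrations.

```python
"""Added example (not from the original post): sender lookalike and DMARC
policy checks. All sample headers and records below are constructed."""
import unicodedata
from email.utils import parseaddr

# Digit-for-letter swaps attackers use; applied only for comparison.
_DIGIT_SWAPS = str.maketrans("0135", "olse")


def normalize_domain(domain: str) -> str:
    """Fold a domain into a canonical ASCII form so lookalikes compare equal."""
    d = domain.lower().strip(".")
    try:
        d = d.encode("ascii").decode("idna")      # xn-- punycode -> Unicode
    except UnicodeError:
        pass
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    d = d.translate(_DIGIT_SWAPS)
    return d.replace("rn", "m").replace("vv", "w")  # rn~m, vv~w in most fonts


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between domains indicate typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str, trusted_domains, max_distance: int = 2):
    """Return the trusted domain that sender_domain imitates, or None."""
    raw = sender_domain.lower().strip(".")
    for t in trusted_domains:
        if raw == t.lower() or raw.endswith("." + t.lower()):
            return None                      # the real domain or its subdomain
    s = normalize_domain(raw)
    for t in trusted_domains:
        tn = normalize_domain(t)
        if s == tn or s.endswith("." + tn):
            return t                         # homoglyph / digit swap (examp1e.com)
        if levenshtein(s, tn) <= max_distance:
            return t                         # typosquat (exmaple.com, examplle.com)
        if tn.split(".")[0] in s.split(".")[:-2]:
            return t                         # example.com.secure-login.net
    return None


def triage(from_header: str, reply_to_header: str, trusted_domains) -> list:
    """Findings for one message: lookalike From domain, Reply-To redirection."""
    findings = []
    _name, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]
    target = is_lookalike(from_domain, trusted_domains)
    if target:
        findings.append(f"From domain {from_domain} imitates {target}")
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        reply_domain = reply_addr.rpartition("@")[2]
        if reply_domain.lower() != from_domain.lower():
            findings.append(f"Reply-To {reply_domain} differs from From {from_domain}")
    return findings


def audit_dmarc(txt_record: str) -> list:
    """Explain why a DMARC record would not stop spoofing; [] means enforcing."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: receivers take no action on failures")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = tags.get("sp", "").lower()
    if sp and sp not in ("quarantine", "reject"):
        findings.append(f"sp={sp}: subdomains left unprotected")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, spoofing attempts go unseen")
    return findings


# Constructed samples: a CFO impersonation and a weak vs. hardened record.
SAMPLE_FROM = '"Dana Reyes (CFO)" <dana.reyes@examp1e.com>'
SAMPLE_REPLY_TO = "<dana.reyes.finance@invoice-relay-mail.net>"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for f in triage(SAMPLE_FROM, SAMPLE_REPLY_TO, ["example.com"]):
        print("message:", f)
    print("weak record:", audit_dmarc(WEAK_DMARC))
    print("hardened record:", audit_dmarc(HARDENED_DMARC))
```

The edit-distance threshold is the part to tune: a distance of 2 is reasonable for a ten-character corporate domain but will produce false positives against very short trusted domains, so scale `max_distance` with the length of the trusted name in a production filter. Note also that `audit_dmarc()` only judges the record text; it does not confirm that SPF and DKIM are actually aligned for the domain's legitimate senders, which has to be verified from DMARC aggregate reports before moving from p=none to p=reject.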

Business Email Compromise attacks peak during the holiday season as criminals take advantage of the rise in email volume and the festive mood. The best way for organizations to handle these scams is to stay vigilant, deploy technical defenses, and train employees to recognize them.

Brad Slavin is General Manager at DuoCircle, product strategy and commercial lead across the email security portfolio.