BEC - Business Email Compromise & Spoofing
Business Email Compromise (BEC)
Phishing that involves a business email compromise exploits the fact that so many people use and rely on email to conduct business both personally and professionally. It is a sophisticated kind of phishing attack that involves the "attacker" using spear phishing to gain access to high level executive and CEO accounts, which they then can use to request fraudulent invoices from employees etc.
In a BEC scam, scammer sends an email message that appears to come from a known source making a legitimate request. Examples would be:
- A "vendor" emails you and sends an invoice with an updated mailing address.
- Your "Boss" emails and asks you to purchase dozens of gift cards for them, because they are tied up in a meeting and cannot use the phone.
How do you protect yourself?
- Be careful with what information you share online or on social media. Such as family members names, birthdays, pet names schools attended etc...
- Don't click on anything in an unsolicited email or text message asking you to update or verify account information.
- CAREFULLY EXAMINE your email addresses, URL, and spelling used in any correspondence you receive.
- Be super wary if the requestor is pressing you to make urgent decisions quickly.
- Verify verify verify purchase requests or payments by calling the person or company directly to make sure it is legitimate.
Spoofing
Email Spoofing is the creation of email messages with a forged sender address. In other words, the scammer/phisher disguises an email address, sender name, phone number or website URL to convince you that you are interacting with a trusted source.
STOP and look at the email address closely before you reply; if it's suspect, report it. Spoofing attacks use email addresses, sender names, phone numbers, or website URLs that are disguised as a trusted source. Cybercriminals want you to believe these spoofed communications are real to lead you to download malicious software, send money, gift cards or disclose personal, financial, or other sensitive information.
You can learn more about how cybercriminals use spoofing in their scams here.
