BEC: sometimes it’s better not to trust, even if the CEO asks us to do so

Security Awareness
23 April 2022

Since we were kids, we have been told never to trust strangers. A golden rule that made our lives easier and safer, but it worked because the threat rarely came from a close friend or a family member.

Today everything has changed. Or rather, it has evolved. It is still wise not to trust strangers, but we now also need to keep an eye on those we know very well. This rule should become a mantra for anyone who uses the web, from the everyday user to the top managers of an organisation. Today we want to talk about one of the most widespread online scams of recent years: Business Email Compromise (BEC), also known as the ‘CEO scam’.

An ever-evolving scam that continues to claim victims

These attacks have a specific target: C-level executives, the managers within a company who can move money and authorise bank transfers. Impersonating them is the core of the scam: posing as the executive, the attacker asks the person in charge of payments to make an urgent transfer of supposedly critical importance. Needless to say, the bank account indicated in the email belongs to a criminal organisation, and by the time the company finds out, it is too late.

Worse still, with deepfake techniques that keep improving, cyber criminals are able to reproduce a person’s voice, and so can deceive the recipient over the phone as well as by email. When the request appears to come from the boss’s own voice, the deception is “almost” perfect.

To all this we must add increasingly sophisticated social engineering techniques, through which attackers gather information on potential victims, information they need to plan and carry out the fraud.

In fact, BEC scams succeed not only by stealing the C-level’s identity, but also through detailed knowledge of the other people who will be involved. It is also important for the attacker to learn the manager’s tone, phrasing and way of communicating, so that the request for a purchase order or the payment of an invoice looks absolutely credible.

What are the risks? Significant loss of data, breaches of IT security systems, and considerable economic damage.

According to the FBI’s Internet Crime Report for 2020, this type of crime cost companies over $1.8 billion, accounting for 44% of all losses reported by businesses and individuals in that year.

It was the FBI itself that warned about the evolution of BEC attacks, which now range from identity theft and the compromise of executive email accounts to fraudulent accounts, payroll diversion, gift card requests and the diversion of shipments.

Last but not least, fraud related to vendor invoices, which turns out to cause the biggest losses.

In short, the latest evolution of this crime is that, instead of targeting companies directly, attacks increasingly target customers, HR departments, suppliers, accountants, law firms and even tax authorities. Besides generating or diverting payments directly, BEC scams have been used to divert tax returns and to transfer millions of dollars’ worth of hardware and equipment into the hands of cybercriminals.

Few organisations have escaped it so far. This type of scam has affected 70% of businesses and organisations worldwide, in all sectors, public and private.

This brings up the question: how do we defend ourselves?

First of all, keep in mind that these days it is better to be very careful and to think before acting, even when it is our boss or the most loyal of suppliers who writes or calls us. Remember, too, how important effective and continuous cyber security awareness training is, and never forget some useful advice:


• never lose focus and awareness of what you are doing, and never act while distracted;

• always run all the necessary checks before taking actions that could quickly lead to irreversible consequences: for example, confirm any payment request or change of bank details through a channel you already trust, such as a phone number on file, and never through a contact supplied in the email itself;

• never stop practising quality training, both theoretical and practical.

Cyber criminals slip through the cracks of distraction and unawareness. Keep those cracks shut.
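As an added illustration (not part of the original article), here is a small Python screen for the warning signs discussed above: an executive’s name on an address that is not theirs, a sender domain that imitates the corporate one, a Reply-To that quietly points elsewhere, a message with no DMARC pass, and the urgent-payment language typical of these requests. The corporate domain, the executive list and the two sample messages are constructed assumptions for the example; the DMARC check assumes the receiving mail server adds an Authentication-Results header.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed assumptions for this example: the protected organisation's
# domain, the executives most likely to be impersonated, and the wording
# that typically accompanies a fraudulent payment request.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # hypothetical CEO
    "john roe": "john.roe@example.com",   # hypothetical CFO
}
URGENCY_WORDS = ("urgent", "immediately", "asap", "confidential",
                 "wire", "transfer", "invoice", "gift card", "new bank")


def domain_of(addr):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike_domain(domain, legit=CORPORATE_DOMAIN):
    """True when 'domain' is not the corporate domain but resembles it closely
    enough to pass a quick visual check (e.g. examp1e.com for example.com)."""
    domain = domain.lower()
    if domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= 0.8


def screen_message(headers, body):
    """Return a list of warnings for a message given as a dict of headers
    (From, Reply-To, Authentication-Results) and its plain-text body."""
    warnings = []
    name, addr = parseaddr(headers.get("From", ""))
    name_l, addr_l = name.strip().lower(), addr.lower()
    from_domain = domain_of(addr_l)

    # 1. An executive's display name on an address that is not theirs.
    if name_l in EXECUTIVES and addr_l != EXECUTIVES[name_l]:
        warnings.append(f"display name '{name}' used with address {addr}")

    # 2. Sender domain that imitates the corporate one.
    if from_domain and is_lookalike_domain(from_domain):
        warnings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies silently routed to a different domain.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        warnings.append(f"Reply-To domain {domain_of(reply_to)} "
                        f"differs from sender domain {from_domain}")

    # 4. No DMARC pass recorded by the receiving mail server (assumes it adds
    #    an Authentication-Results header, RFC 8601).
    if "dmarc=pass" not in headers.get("Authentication-Results", "").lower():
        warnings.append("no DMARC pass in Authentication-Results")

    # 5. The urgency and payment language typical of BEC requests.
    hits = [w for w in URGENCY_WORDS if w in body.lower()]
    if hits:
        warnings.append("urgency/payment language: " + ", ".join(hits))
    return warnings


# Constructed sample messages, not real traffic.
SUSPICIOUS = (
    {"From": "Jane Doe <jane.doe@examp1e.com>",
     "Reply-To": "jane.doe.ceo@mail-relay.invalid",
     "Authentication-Results": "mx.example.com; dmarc=none"},
    "Hi, I need an urgent wire transfer to a new bank account today. "
    "Keep it confidential.",
)
LEGITIMATE = (
    {"From": "Jane Doe <jane.doe@example.com>",
     "Authentication-Results": "mx.example.com; spf=pass dkim=pass dmarc=pass"},
    "Reminder: the board meeting has moved to Thursday.",
)

if __name__ == "__main__":
    for label, (hdrs, text) in (("suspicious", SUSPICIOUS),
                                ("legitimate", LEGITIMATE)):
        found = screen_message(hdrs, text)
        print(f"{label}: {len(found)} warning(s)")
        for w in found:
            print("  -", w)
```

A screen like this is a prompt, not a verdict: a message that trips it should be verified through a channel the attacker does not control, such as a phone number already on file, before any payment is made, and a clean result does not prove that a genuinely compromised executive mailbox is safe to obey.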

