1
00:00:00,06 --> 00:00:04,00
- Business email compromise, or BEC for short,

2
00:00:04,00 --> 00:00:07,04
is a cyber crime that can cost organizations a lot of money

3
00:00:07,04 --> 00:00:09,02
if they become victims.

4
00:00:09,02 --> 00:00:12,05
In this video, I'll cover what BEC attacks are

5
00:00:12,05 --> 00:00:14,09
and why they can be so dangerous.

6
00:00:14,09 --> 00:00:17,04
BEC attacks usually start with criminals

7
00:00:17,04 --> 00:00:20,09
hacking into email accounts and using them to pretend

8
00:00:20,09 --> 00:00:22,03
to be someone they're not.

9
00:00:22,03 --> 00:00:25,01
The criminals will then use the hacked email accounts

10
00:00:25,01 --> 00:00:27,06
to impersonate C-level executives,

11
00:00:27,06 --> 00:00:30,04
finance teams, or even suppliers.

12
00:00:30,04 --> 00:00:34,00
Their goal is to trick employees into making large payments

13
00:00:34,00 --> 00:00:37,03
or changing the payment process to send funds

14
00:00:37,03 --> 00:00:40,00
to a scammer's bank account.

15
00:00:40,00 --> 00:00:42,04
The most common way the email accounts are hacked

16
00:00:42,04 --> 00:00:44,09
is through a phishing attack.

17
00:00:44,09 --> 00:00:46,05
Since the BEC criminals

18
00:00:46,05 --> 00:00:48,07
are going after specific email accounts,

19
00:00:48,07 --> 00:00:51,00
this is considered spear phishing.

20
00:00:51,00 --> 00:00:54,00
I cover phishing in another video in this course.

21
00:00:54,00 --> 00:00:57,01
So, BEC attackers typically combine phishing,

22
00:00:57,01 --> 00:00:59,04
social engineering, and financial fraud

23
00:00:59,04 --> 00:01:01,05
to pull off these scams.

24
00:01:01,05 --> 00:01:02,09
And it's likely they'll soon add

25
00:01:02,09 --> 00:01:05,07
another technology to the mix; deepfake audio,

26
00:01:05,07 --> 00:01:08,00
generated by artificial intelligence

27
00:01:08,00 --> 00:01:11,05
to make the request even more convincing to the victim.

28
00:01:11,05 --> 00:01:14,09
I cover deepfakes in another video in this course.

29
00:01:14,09 --> 00:01:18,01
BEC criminals will sometimes try to use spoofed emails

30
00:01:18,01 --> 00:01:20,00
where the email header is forged

31
00:01:20,00 --> 00:01:22,07
to look like it's coming from somewhere it's not,

32
00:01:22,07 --> 00:01:24,04
or they'll use lookalike domains

33
00:01:24,04 --> 00:01:27,00
to try to make their email look legitimate.

34
00:01:27,00 --> 00:01:30,00
While these methods of faking email senders might be easier

35
00:01:30,00 --> 00:01:32,02
than hacking into an email account,

36
00:01:32,02 --> 00:01:35,03
they aren't as effective at tricking the victims.

37
00:01:35,03 --> 00:01:39,08
Variations of BEC attacks include the false invoice scam;

38
00:01:39,08 --> 00:01:43,05
tricking the finance team to send a vendor invoice payment

39
00:01:43,05 --> 00:01:45,06
to a fraudulent account.

40
00:01:45,06 --> 00:01:50,01
Payroll diversion; tricking HR to change the direct deposit

41
00:01:50,01 --> 00:01:53,08
banking information for an employee to send salary payments

42
00:01:53,08 --> 00:01:55,09
to a fraudulent account.

43
00:01:55,09 --> 00:01:59,06
CEO fraud; tricking the finance team to send

44
00:01:59,06 --> 00:02:02,02
an emergency wire transfer for the CEO,

45
00:02:02,02 --> 00:02:04,08
which goes to a fraudulent account.

46
00:02:04,08 --> 00:02:08,04
The gift card scam; tricking the victim to buy gift cards

47
00:02:08,04 --> 00:02:11,06
for staff or clients, then send the serial numbers

48
00:02:11,06 --> 00:02:13,07
of the cards to the attacker.

49
00:02:13,07 --> 00:02:16,06
And home buyer fraud; tricking home buyers

50
00:02:16,06 --> 00:02:20,02
into transferring funds to a fraudulent account.

51
00:02:20,02 --> 00:02:23,07
While BEC may not be the most common cybersecurity threat,

52
00:02:23,07 --> 00:02:27,04
it is easily the most costly type of cyber crime.

53
00:02:27,04 --> 00:02:30,05
According to the FBI, losses in the US alone

54
00:02:30,05 --> 00:02:36,09
to BEC scams in 2021 were nearly $2.4 billion.

55
00:02:36,09 --> 00:02:40,00
That's up more than 30% from the year before,

56
00:02:40,00 --> 00:02:44,03
showing that BEC attacks are effective and increasing.

57
00:02:44,03 --> 00:02:46,02
And those losses are just in the US,

58
00:02:46,02 --> 00:02:48,07
and just from the cases that are reported.

59
00:02:48,07 --> 00:02:51,05
The worldwide losses are much higher.

60
00:02:51,05 --> 00:02:54,06
The huge payoffs, ease of execution, and low risks

61
00:02:54,06 --> 00:02:56,09
of BEC attacks are attracting criminals

62
00:02:56,09 --> 00:02:58,09
all around the world.

63
00:02:58,09 --> 00:03:01,04
Because it's so attractive to attackers,

64
00:03:01,04 --> 00:03:04,06
we can expect business email compromise to be a big part

65
00:03:04,06 --> 00:03:08,00
of the cybersecurity threat landscape well into the future.