Key Takeaways

  • The Scale: BEC costs businesses $43 Billion globally (FBI figures), far more than ransomware.
  • The Method: Hackers compromise a vendor's email account, wait for a real invoice to be sent, then intercept it and change the bank account number (IBAN) on it to one they control.
  • No Malware: Often there is no malicious attachment or link at all, just text and psychology, so antivirus has nothing to detect and cannot stop it.

The attackers research the target on LinkedIn: they know who the CFO is, who the CEO is, and when the CEO is on vacation (the perfect moment to fake an "Urgent" request).

Types of BEC

1. CEO Fraud

An email from `[email protected]` (a typo-squatted look-alike domain: `compamy.com` instead of `company.com`) says: "We are acquiring a company in China. Send $1M deposit now. Keep it secret."

2. Invoice Manipulation

A legitimate supplier emails you: "Hey, our bank changed. Please update payment details." The email really does come from the supplier's (hacked) account, but the new bank details belong to the hacker's mule account.

3. Data Theft

The attacker targets HR and asks for the W-2 (tax) forms of all employees. Those forms hold everything needed for identity theft and fraudulent tax refunds.

DMARC, SPF, DKIM

These are three DNS-based email authentication standards that prevent spoofing of your domain: SPF lists which servers may send mail for it, DKIM signs outgoing mail, and DMARC tells receiving servers what to do with mail that fails those checks. If configured correctly (a DMARC Reject policy, `p=reject`), they stop hackers from sending emails that appear to come from your domain. Note that they only protect your own domain: a look-alike domain such as the `compamy.com` example above is registered by the attacker, so it passes these checks for that domain. Sadly, 50% of the Fortune 500 don't use them correctly.
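As an added example (not part of the original article), here is a small Python check that grades a domain's SPF and DMARC TXT records and reports why spoofed mail would still get through. The two domains and their records are constructed samples, one with the "monitor only" `p=none` setup and one with the Reject policy described above.

```python
import re

# Constructed sample TXT records (SPF lives at <domain>, DMARC at _dmarc.<domain>); not real DNS data.
SAMPLE_RECORDS = {
    "company.example": {   # "monitor only" setup that still lets spoofed mail through
        "spf": "v=spf1 include:_spf.mailprovider.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@company.example",
    },
    "hardened.example": {  # the Reject policy the article calls for
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hardened.example",
    },
}

def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Qualifier on the final 'all' mechanism: '-', '~', '?' or '+'; None if there is no 'all'."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    return (match.group(1) or "+") if match else None  # a bare 'all' means '+all'

def assess(spf, dmarc):
    """Return a list of findings; an empty list means spoofed mail from this domain is rejected."""
    findings = []
    tags = parse_dmarc(dmarc) if dmarc else {}
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record: receivers have no policy to enforce")
    else:
        policy = tags.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC p={policy}: spoofed mail is delivered or merely quarantined")
        if "sp" in tags and tags["sp"].lower() != "reject":
            findings.append(f"DMARC sp={tags['sp']}: subdomains can still be spoofed")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports to detect abuse")
    qualifier = spf_all_qualifier(spf) if spf else None
    if qualifier is None:
        findings.append("no SPF record (or no 'all' mechanism): sending hosts are unconstrained")
    elif qualifier != "-":
        findings.append(f"SPF ends in {qualifier}all: unauthorised senders are not hard-failed")
    return findings
```

DKIM public keys sit at `<selector>._domainkey.<domain>` and need the selector name, so this check covers SPF and DMARC only. For a real domain you would fetch the two TXT records with a DNS library and pass them to `assess()` in place of the constructed samples.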

Frequently Asked Questions (FAQ)

Can I get the money back?

If you catch it within 24 hours (the "Kill Chain"), the FBI or the bank might be able to freeze the funds. After 48 hours, the money is usually laundered into crypto and gone forever.

What is the defense?

Call verification. If an email asks for money, pick up the phone and call the requester on a number you already have on file, never one given in the email. "Did you just ask for a transfer?" 99% of BEC fails this test.
