Email remains the foundation of communication, especially in business-to-business (B2B) relationships, but our reliance on it also makes it a popular target for sophisticated cybercriminals.
News that Luxembourg-based chemical and manufacturing giant Orion SA was the target of a suspected criminal business email compromise (BEC) campaign, resulting in losses of approximately $60 million, has also made fostering a culture of cybersecurity awareness and implementing robust verification protocols a top priority for prevention-focused B2B buyers and suppliers.
As seen in the Orion case, sophisticated BEC attacks exploit the trust and legitimacy of email communications in business relationships, resulting in significant financial and reputational damage.
In a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC) on Aug. 10, Orion’s chief financial officer, Jeffrey Glajch, said that “our employees were the targets of a criminal scheme that facilitated multiple fraudulent transfers to accounts controlled by unknown third parties.”
“The company expects to record a one-time pre-tax charge of approximately $60 million for the fraudulent wire transfers that were not collected. … The company continues to investigate this matter and its impact on the company, including its internal controls. There was no impact to business and operations,” the filing added.
Unlike other forms of cyber attacks, BEC scams do not rely on malware or phishing links; they target the human element, abusing the trust that exists in established business relationships. BEC scams are particularly effective in a B2B context due to the high transaction value, complex communication chains, global reach, and other factors such as time constraints.
All roads lead to bills
A BEC attack typically begins with cybercriminals gaining access to a company’s internal email account through phishing and social engineering tactics.
Once inside, attackers closely monitor email traffic to understand an organization’s internal processes, communication patterns, and key players. This reconnaissance phase can take weeks or even months, during which attackers gather the information they need to craft a convincing fraudulent email.
In the final step, the attacker sends a carefully crafted email, often pretending to come from a senior executive or a trusted business partner, instructing the recipient to transfer funds to a specific account or provide sensitive information. The email appears urgent and legitimate, taking advantage of the existing trust between the two parties to circumvent normal security checks.
A single successful BEC attack can generate millions of dollars in fraudulent profits, far exceeding the gains from targeting individual consumers: one third of all money lost to cybercrime is the result of BEC attacks.
“Fraudsters are adept at hacking email servers and manipulating employees into granting them access. Once they’re in, they can easily fool accounts payable (AP) and accounts receivable (AR) staff. Simply put, it’s very easy to target corporate payments these days. Therefore, organizations need to protect all payment types with technology-driven validation of payee and account details, and ensure all data and files related to payments are secured in a tamper-proof manner,” explained Nithai Barzam, COO at nsKnox, in an interview with PYMNTS.
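The "technology-driven validation of payee and account details" described above can be expressed as a pre-release check that compares every payment instruction against the bank details and contact numbers captured when the vendor was onboarded. The following Python is an added illustration, not code from PYMNTS, nsKnox or Orion; the vendor master file, domain names, phone number and request fields are constructed for the example (the IBANs are the public ISO example values).

```python
"""Payee-detail validation before a payment is released (added example).

Assumed setup: a vendor master file (constructed below) holds the bank account
and callback phone number the finance team verified at onboarding. Every
incoming payment request is checked against it; any change of account or
sender domain puts the payment on hold until someone confirms it by phone
using the number on file, never a number taken from the email itself.
"""
from dataclasses import dataclass, field


@dataclass
class VendorRecord:
    name: str
    email_domain: str      # domain the vendor's staff are known to send from
    iban: str              # bank account verified at onboarding
    verified_phone: str    # callback number captured at onboarding


@dataclass
class PaymentRequest:
    vendor_name: str
    sender_email: str
    iban: str
    amount: float


@dataclass
class Decision:
    status: str                               # "release", "hold_for_callback" or "reject"
    reasons: list = field(default_factory=list)


# Constructed vendor master file (hypothetical vendor, example IBAN).
VENDOR_MASTER = {
    "Acme Supplies": VendorRecord(
        "Acme Supplies", "acme-supplies.example",
        "DE89370400440532013000", "+49 30 000000 (hypothetical)"),
}


def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: the rearranged IBAN, letters mapped to 10..35, must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def validate_payment_request(req, master=VENDOR_MASTER):
    """Decide whether a payment request may be released, held, or rejected."""
    vendor = master.get(req.vendor_name)
    if vendor is None:
        return Decision("reject", ["vendor is not in the master file"])
    reasons = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        kind = "look-alike" if edit_distance(sender_domain, vendor.email_domain) <= 2 else "unregistered"
        reasons.append(f"{kind} sender domain {sender_domain!r}; registered domain is {vendor.email_domain!r}")
    iban = req.iban.replace(" ", "").upper()
    if not iban_checksum_ok(iban):
        # A malformed IBAN is never paid; it is either a typo or a tampered instruction.
        return Decision("reject", reasons + ["IBAN fails checksum (malformed or tampered)"])
    if iban != vendor.iban:
        reasons.append(f"bank account differs from the one on file; confirm by calling {vendor.verified_phone}")
    if reasons:
        return Decision("hold_for_callback", reasons)
    return Decision("release", [])


if __name__ == "__main__":
    changed = PaymentRequest("Acme Supplies", "ap@acme-supp1ies.example", "GB82 WEST 1234 5698 7654 32", 48000.0)
    print(validate_payment_request(changed))
```

The hold status is the important design choice: a mismatch is not treated as proof of fraud, but the money does not move until a human has verified the change over a channel the attacker does not control.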
As cybercriminals continue to refine their tactics, it is important for businesses to remain vigilant and adopt proactive defensive strategies, starting with instilling a culture of agility and awareness.
The first step in fighting deposit fraud is “recognizing that it’s not just an abstract threat. It can happen to any business,” Bob Bonacci, corporate controller at Ansys, told PYMNTS.
Additionally, many of the risk management leaders PYMNTS spoke with emphasized that the first line of defense is an organization’s employees, making individual education on attack tactics and best practice methods to counter them more important than ever.
Regular training sessions can help employees recognize the signs of BEC scams, such as unexpected changes in communication style or unusual requests to transfer funds. Employees should be encouraged to verify the legitimacy of any emails that seem suspicious, even if they come from known contacts.
Continuously monitoring your email accounts for unusual activity, such as login attempts from unfamiliar locations or unexpected changes in communication patterns, can also help detect BEC scams in their early stages.
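The monitoring described above can be automated over a mail platform's audit log. The Python below is an added example, not code from PYMNTS or any vendor quoted here; the event records, their field names, the user's baseline countries and the company domain are all constructed for the illustration, and a real deployment would map them onto whatever the mail provider actually exports.

```python
"""Early-warning checks over mailbox audit events (added example).

Three signals that commonly precede a BEC payment request are flagged:
a sign-in from a country the account has never used, two sign-ins from
different countries too close together to be the same traveller, and new
inbox rules that forward mail outside the company or silently delete it
(used to hide the attacker's correspondence from the account owner).
"""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"   # hypothetical company mail domain

# Constructed baseline: countries each account normally signs in from.
BASELINE = {"ap@corp.example": {"US"}}

# Constructed audit events; field names are assumed, not a real product's schema.
EVENTS = [
    {"ts": "2024-08-01T08:02:00", "user": "ap@corp.example", "op": "login", "country": "US", "ip": "203.0.113.5"},
    {"ts": "2024-08-01T08:30:00", "user": "ap@corp.example", "op": "login", "country": "US", "ip": "203.0.113.5"},
    {"ts": "2024-08-02T03:15:00", "user": "ap@corp.example", "op": "login", "country": "NG", "ip": "198.51.100.77"},
    {"ts": "2024-08-02T03:18:00", "user": "ap@corp.example", "op": "new_inbox_rule",
     "forward_to": "billing@example.net", "delete": True},
    {"ts": "2024-08-02T03:20:00", "user": "ap@corp.example", "op": "new_inbox_rule",
     "move_to": "RSS Feeds", "delete": False},
]


def detect_mailbox_anomalies(events, baseline=BASELINE, internal_domain=INTERNAL_DOMAIN,
                             travel_window=timedelta(hours=24)):
    """Return a list of alert dicts for the events that match one of the three rules."""
    alerts = []
    last_login = {}   # user -> (timestamp, country) of the previous sign-in
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["op"] == "login":
            country = ev["country"]
            if country not in baseline.get(user, set()):
                alerts.append({"rule": "login_from_new_country", "user": user,
                               "ts": ev["ts"], "detail": f"{country} from {ev['ip']}"})
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] < travel_window:
                alerts.append({"rule": "rapid_country_change", "user": user,
                               "ts": ev["ts"], "detail": f"{prev[1]} -> {country} in {ts - prev[0]}"})
            last_login[user] = (ts, country)
        elif ev["op"] == "new_inbox_rule":
            fwd = ev.get("forward_to")
            if fwd and fwd.rsplit("@", 1)[-1].lower() != internal_domain:
                alerts.append({"rule": "external_forwarding_rule", "user": user,
                               "ts": ev["ts"], "detail": fwd})
            if ev.get("delete"):
                alerts.append({"rule": "auto_delete_rule", "user": user,
                               "ts": ev["ts"], "detail": "rule deletes matching messages"})
    return alerts


if __name__ == "__main__":
    for alert in detect_mailbox_anomalies(EVENTS):
        print(alert["ts"], alert["user"], alert["rule"], alert["detail"])
```

The rules are deliberately simple so that each alert explains itself to the finance or IT staff who triage it; the point is to surface a compromised mailbox during the reconnaissance phase, before a fraudulent payment instruction is ever sent.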