BEC has been around for so long that you can’t help but wonder why employees keep falling for these scams? In large part, it’s because the business world is practically set up to encourage it. The emphasis on increased productivity and automated business workflows means people perform a lot of repetitive tasks in a hurry, and rely on software to do the rest. Business processes like this open gaps for the type of social manipulation BEC thrives on. Payroll diversion fraud, for example, exploits human nature by impersonating employees well enough to pass quick visual scans by the recipient in HR. Once a request is okayed by the recipient, context-free workflows update direct deposit information to reroute payment to a criminal-controlled account or gift card, with no questions asked. Payroll diversion scams like this are so successful that they spiked 333% in the last half of 2020.

It makes sense that the most-targeted departments in any business would be the ones through which money passes. Accounts Payable is 61% more likely than other departments to be the target of BEC/VEC scams. For AP teams, working from home has made it challenging to get payments out to suppliers securely. Much like payroll diversion, the increased pressure on accounts payable combined with fragile network security and unfamiliar workflows left openings for fraudsters to take advantage of the disruption. According to the Association of Certified Fraud Examiners’s (ACFE) Fraud in the Wake of COVID-19 Benchmarking Report, 90% of the 2000+ respondents had seen increased cyber fraud during the July-August 2020 time period.

BEC is the number one way businesses become victims of fraud. It exploits people, which makes it cyber-by-association and therefore difficult to detect and even more difficult to stop altogether. Worse yet, it’s evolved beyond email and embraced encrypted internal messaging services as a delivery mechanism. Recently, hackers used stolen cookie files to perform an Account Takeover (ATO) of a user’s Slack account at Electronic Arts. This method allowed them to impersonate employees and convince IT to grant them a security token to access the company’s server. Two factors make impersonation scams like this easy to perpetrate: the enormous amount of stolen credentials available on criminal forums, and habitual password reuse. SpyCloud’s database of exposed user credentials reveals an all-time password reuse rate of 57% – and a 60% password reuse rate for breaches collected in 2020. The problem is only getting worse.

With so many credentials already available to criminals on the dark web, the ability to know which of your employees’ credentials have been exposed and force them to do a password reset observing NIST guidelines is a critical preventive measure for keeping business email accounts secure. Much like ransomware, a single compromised account can open the door to a successful BEC attack. Organizations cannot expect employees to do their jobs well and be watchdogs at the same time. But they can force them to be better stewards of their corporate credentials.