BUSINESS EMAIL COMPROMISE (BEC)

A type of phishing attack where criminals impersonate senior executives, or departmental authority figures, in order to socially engineer victims into sending financial or other sensitive information to the attacker.

There are various methods involved in BEC. One is to use malicious software kits to gain access to a company's webmail or Exchange service. With that access, attackers can intercept invoices and alter payment details, or pose as senior employees to authorise transfers to fraudulent accounts.

Other methods rely on designing an email to look as authentic as possible. For example, a fraudster may register a domain that looks very similar to an existing legitimate one and then use email accounts on that domain to commit fraud. This was raised in a recent Action Fraud report regarding university suppliers. The report highlighted how attackers are registering domains that resemble genuine university domains, such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk.

These domains are used to contact suppliers and order high value goods, such as IT equipment and pharmaceutical chemicals, in the university's name. The purchase order typically instructs delivery to an address which may or may not be affiliated with the university. The criminals receive the items and move them on, and the supplier never receives payment.
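
As an added illustration (not code from the Action Fraud report or from the original page), the check below flags incoming sender domains that resemble a legitimate university domain in the way described above: the organisation's name and the letters of its ac.uk suffix reappear, joined or rearranged, under a different top-level domain. The legitimate domain, the sample sender list and the small suffix table are constructed assumptions.

```python
"""Flag sender domains that look like a legitimate organisation's domain."""
from difflib import SequenceMatcher

# Constructed, deliberately small suffix table; a real deployment would use
# the Public Suffix List (https://publicsuffix.org). Longest match wins.
PUBLIC_SUFFIXES = ("ac.uk", "co.uk", "org", "com", "net", "uk")

THRESHOLD = 0.8  # similarity at or above which a domain is reported


def split_domain(domain):
    """Return (organisation_label, public_suffix) for a domain name."""
    domain = domain.lower().strip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1], suffix
    label, _, suffix = domain.rpartition(".")
    return label, suffix


def flatten(text):
    """Drop dots and hyphens so 'example.ac.uk' and 'exampleacu-uk' align."""
    return text.lower().replace(".", "").replace("-", "")


def lookalike_report(candidate, legit):
    """Return (needs_verification, similarity, reason) for one sender domain."""
    if candidate.lower() == legit.lower():
        return False, 1.0, "exact match with the genuine domain"
    cand_org, _ = split_domain(candidate)
    legit_org, _ = split_domain(legit)
    # Compare the sender's registrable label against the whole genuine domain,
    # so the suffix letters smuggled into the label count towards similarity.
    score = SequenceMatcher(None, flatten(cand_org), flatten(legit)).ratio()
    if legit_org in flatten(cand_org):
        return True, score, f"label contains the organisation name '{legit_org}'"
    if score >= THRESHOLD:
        return True, score, f"label is {score:.0%} similar to {legit}"
    return False, score, "no resemblance"


def screen_senders(sender_domains, legit):
    """Return the subset of sender domains that should be verified by phone."""
    return {d for d in sender_domains if lookalike_report(d, legit)[0]}


LEGIT_DOMAIN = "example.ac.uk"  # constructed stand-in for a real university
SAMPLE_SENDERS = [  # constructed purchase-order sender domains
    "example.ac.uk", "exampleacu-uk.org", "exampleuk-ac.org",
    "examplacu.co.uk", "acme-supplies.co.uk",
]

if __name__ == "__main__":
    for d in SAMPLE_SENDERS:
        flagged, score, why = lookalike_report(d, LEGIT_DOMAIN)
        print(f"{d:22} {'VERIFY' if flagged else 'ok':6} {score:.2f} {why}")
```

A flag is a prompt to verify the order through contact details obtained independently of the email, not proof of fraud, since an organisation may legitimately own several similar domains.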


ADVICE

  1. Educate and train staff to be aware of and recognise BEC. Consider running simulated BEC/phishing exercises.
  2. Agree secure processes, both internally between employees and externally with customers and suppliers, for confirming certain purchases. Consider segregating duties, and make certain that employees know their responsibilities with regard to these processes.
  3. Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the retailer's website – do not use the details given in the suspicious email for verification purposes.
  4. If the order request is from a new contact at an organisation that’s an existing customer, verify the request through an established contact to make sure it is legitimate.
  5. Check any correspondence and documents for inconsistencies in spelling, grammar and content – this can be a sign that fraudsters are at work.
  6. Install and frequently update antivirus and anti-malware software to protect against malicious software.
  7. Consider employing DMARC, a free email authentication solution; the Global Cyber Alliance provides an online setup guide at https://dmarc.globalcyberalliance.org.
  8. Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud (either online at www.actionfraud.police.uk or call 0300 123 2040).


'In the Saddle' Charity Bike Ride

Following the success of the previous ‘Sponsored Jailbreak for BBC Children in Need’, the team at Blueloop felt they were long overdue to provide another Fundraising Event.

We have finished

On Wednesday 15th August, it was National Cycle to Work Day and as a spin on the concept, the Directors and Staff decided to carry out a Sponsor Cycle Ride in aid of St Margaret’s Hospice.

LED Leisure very kindly donated the use of a Bike for the day which was very kindly delivered by Talon to Preston Road.

The team started at 8am and kept going throughout the day on a rota until 6pm that evening.

Group Sponsors

We were delighted to have a visit from Dave Woan, Yeovil Chamber, Richard Howes from KontrolIT and Stephanie Charles from LED Leisure, who all took part with the team in achieving the spectacular 170 miles!


We really hope that you can help such a wonderful cause at:

https://www.justgiving.com/fundraising/blueloopinthesaddle2018