While cyber professionals are familiar with what BEC attacks aim to achieve — primarily, financial but also reputational damages — myriad obtuse terminology is commonly used interchangeably with the greater phishing attack lexicon to render the sector of attacks confusing and difficult to categorize.
But for those who are responsible for email threat mitigation, there are several clear instances of BEC attack techniques you should know. To paraphrase Sun Tzu, before you can defeat an enemy, you must first understand it.
Company Financials in the Crosshairs
BEC attacks begin with phishing emails meant to entice a recipient to conduct a task under the guise of a legitimate business activity. What makes them so effective is that the email commonly appears to come from a trusted sender, such as an authority figure. Typically, the cybercriminal will ask for some form of monetary payment or to enter credentials to steal employee personally identifiable information or sensitive company data, such as wage or tax forms, Social Security numbers, and bank account information.