CEO Fraud and Business Email Comprise (BEC) phishing scams are multi-billion-dollar threats that are increasing in both frequency and complexity. Unlike traditional phishing attacks, which blanket a large number of employees in an organization, BEC attacks are incredibly focused and rely heavily on social engineering tactics to fool unsuspecting employees and company executives.
There are 5 types of Business Email Compromise Scams:
Fake Boss Scam / CEO Fraud A fraudulent email is sent from the CEO or an executive’s account to employees with urgent instructions to transfer money from the corporate bank account to the criminal’s account.
The Fake Invoice Scam A cyber criminal will use an employee’s email to send notifications to customers and vendors requesting payment to the criminal’s bank account.
Account Compromise This attack involves criminals hacking into an employee’s business email account and then emailing their customers to notify them that their payment did not go through and to resend funds to a different bank account owned by the cyber thieves.
Attorney Impersonation Criminals will impersonate a law firm’s email address to contact clients and ask that they pay money immediately to keep information confidential.
Data Theft These attacks aren’t trying to get funds routed into their bank accounts. Instead, criminals will compromise the email account of a company executive and request highly sensitive company documents, like financial records, or personally identifiable information. Cyber criminals tend to use Data Theft attacks to collect sensitive information to use for future attacks.
Because BEC scams don’t typically contain attachments or malicious links, they can evade traditional phishing solutions by slipping past spam filters and evading email whitelisting initiatives. These complex attacks also make it much harder for employees to identify that the email is not legitimate. Fraudsters will often carefully monitor and research unsuspecting targets and can effectively impersonate the CEO or other high-level executives.
To help thwart this kind of attack and educate your team, PhishingBox is launching a new feature: Phishing Reply Tracking.
This Phishing Reply feature will help companies spot this type of scam and allow them to deploy the necessary employee training and awareness to lower their risk.
Companies will now be able to track if users reply to simulated phishing campaigns and will capture the content of their response for you to review in the PhishingBox Portal. Given the huge monetary damages of internal spear phishing and/or whaling breaches, it’s crucial to know if your employees are responding to phishing emails and be aware of the content they are providing with their response. Identifying these vulnerabilities is a great first step to educate your staff and ensure that your users are following the best practices for handling phishing scams.
In our Template Library, you’ll see a new category of phishing templates named ‘Email Reply Templates’ that are designed to mimic Internal Company Emails and will test if your employees interact with the bad actors sending nefarious phishing emails. We have created a new category of system phishing templates called “Reply-To Online” which are specifically designed to test whether users will interact with “the bad guys” on the other end.
The ‘Phishing Reply Tracking’ feature will also work with all of PhishingBox’s existing templates, as well as any templates that you create or modify.
Additional Features of the Phishing Reply Tracking Function:
Store and review the content in your user’s Reply-To Email.
Ability to omit ‘Out of Office’ replies from your report metrics. This will ensure you’re getting the most accurate data possible.
Running simulated phishing tests will determine your employees' susceptibility to social engineering and phishing scams. Train your employees and help them identify spear phishing and ransomware attacks.