Scammers bowl the International Cricket Council for a $2.5 mil duck

Understanding BEC and the risks to your own organisation

In a BEC attack, scammers target an organisation and try to deceive its employees into making fraudulent payments or revealing sensitive information. They typically do this through phishing, malware or compromising the email accounts of trusted contacts. 

This means that some BEC attacks don’t even require hackers to infiltrate your systems or data. Instead, they can use compromised accounts or data of vendors or consultants – or they can simply impersonate people like executives, suppliers or IT professionals and target employees when they know they’re most distracted or time-poor. 

Here’s an example of a hypothetical BEC attack. 

Other examples of BEC scams

If you think your organisation is too smart to get caught in one of these scams, think again. 

The ICC definitely isn’t alone. Some of the world’s most powerful brands and leading businesses have lost huge sums of money to BEC – sums that make $2.5 mil look a bit like pocket change.

1. Google and Facebook ($121 mil USD, total). Even tech-savvy employees can fall victim to BEC. Over the course of several years, the scammer posed as a hardware supplier to both companies and issued authentic-looking invoices.
2. Toyota Boshoku Corporation ($37 mil USD, total). In multiple payments, a subsidiary of Toyota paid roughly $37 mil to a scammer in 2019. Like most other BEC scams, this one targeted finance and AP professionals and used social engineering – not high-tech hacking – to get employees to hand over money.
3. Scoular ($17.2 mil USD). Scammers can be surprisingly sophisticated at impersonating trusted authorities and manipulating employees. In this case, the fraudster was able to swindle an employee by impersonating Scoular’s chief executive and claiming that the organisation was acquiring a Chinese company.

Learn more about BEC attacks and how to spot them.

A key component of BEC: social engineering

Social engineering is a cyber-crime tactic that relies on old-fashioned psychological manipulation to get access to valuable information or resources.

BEC scams rely on social engineering, which means that many of them aren’t technically sophisticated. That doesn’t mean they aren’t sophisticated at all, though – scammers can be unnervingly adept at impersonating executives or suppliers, waiting until strategic moments to make a move, and engendering trust with employees. 

For instance, they might create whole websites and branding to imitate suppliers, as they did in the BEC scam used against Google and Facebook. They can also use psychological tactics to gain employees’ trust or send urgent requests when they know the team is likely to be busiest. 

Why does this matter? While BEC scammers can benefit from infiltrating systems and exploiting vulnerabilities, many of the most lucrative cyber-crimes were carried out through social engineering tactics – not sophisticated hacking. This is especially critical for CFOs and other financial leaders, since their teams are the ones who are most likely to be on the frontlines against these types of scams. It’s also important because these are exactly the types of scams that your IT or security teams won’t be able to stop.

Like other BEC attacks before it, the ICC incident shows once more that security isn’t just an IT issue and that CFOs will need to reconsider traditional approaches to financial controls and supplier verification.

Otherwise, they may be leaving their organisations vulnerable to BEC and other online scams.