Beware of Business Email Compromise (BEC) During Tax Season

Business Email Compromise (BEC) is a targeted email attack that relies on impersonation rather than on a detectable payload: the messages usually carry no malicious URL or attachment, so there is little for a traditional filter to catch. Criminals pose as a colleague of the intended victim, or as a supplier of the victim's organization, and ask for a payment or for sensitive data. Unlike typical spam, a BEC message is written by a scammer with social engineering skills, and its purpose is to lead the recipient into a risky action. The scam rests entirely on persuading the target to send money or data.

There are three main types:

  • Spoofing: The attacker sends from a mail server they control and forges the sender address so the message appears to come from a trusted domain. This works wherever the impersonated domain's SPF, DKIM and DMARC records are missing or not enforced.
  • Look-alike Domain: The attacker registers a domain that resembles a trusted one (a transposed letter, an extra hyphen, a different top-level domain) but is entirely under the attacker's control.
  • Display Name Deception Attack: The attacker registers a free email account, sets the display name to that of the impersonated person, and relies on the recipient reading the name rather than the address; many mobile clients hide the address entirely.
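The three patterns above can be checked mechanically on inbound mail. The following is an added example, not code from the original post or from LIFARS: it parses a raw message, then flags spoofing (a sender on our own domain whose message failed authentication at our MX), look-alike domains (a sender domain within a small edit distance of a trusted domain, or one that embeds a trusted domain as a prefix), and display-name deception (a display name matching a known executive whose address is not that person's real address). The domain names, the roster of known senders, and the four sample messages are all constructed for illustration.

```python
"""Classify inbound mail against the three BEC impersonation patterns."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed environment (hypothetical names): our own domain, the suppliers we
# pay, and the people BEC actors most often impersonate, keyed by display name.
OUR_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}


def normalize_name(name: str) -> str:
    """Collapse whitespace and case so 'Jane  DOE' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic one-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_failed(msg: Message) -> bool:
    """True if the Authentication-Results header our MX stamped reports a failure.

    Only trust this header when it is written by your own border MTA; an
    attacker can insert a forged one upstream. Substring matching on the
    RFC 8601 result tokens is deliberately simple here.
    """
    ar = msg.get("Authentication-Results", "").lower()
    return any(tok in ar for tok in ("spf=fail", "dkim=fail", "dmarc=fail"))


def classify(raw: str) -> list[str]:
    """Return the BEC patterns found in a raw RFC 5322 message (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Spoofing: claims to be from our own domain but failed authentication.
    if domain == OUR_DOMAIN and auth_failed(msg):
        findings.append("spoofing")

    # 2. Look-alike domain: not trusted, but a near miss of a trusted domain
    #    (small edit distance) or a trusted domain used as a leading label,
    #    e.g. example.com.evil.net.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= 2 or domain.startswith(trusted + "."):
                findings.append("lookalike-domain")
                break

    # 3. Display-name deception: the name is a known person, the address is not.
    real = KNOWN_SENDERS.get(normalize_name(name))
    if real and addr != real:
        findings.append("display-name-deception")

    return findings


# Constructed sample messages, one per pattern plus a legitimate one.
SPOOFED = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Subject: Urgent: employee tax forms

Please send me all employee tax forms today.
"""

LOOKALIKE = """From: Accounts Payable <billing@acme-suppiler.com>
To: ap@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-suppiler.com; dkim=pass; dmarc=pass
Subject: Updated bank details for invoice 4471

Our remittance account has changed, see attached.
"""

DISPLAY_NAME = """From: Jane Doe <janedoe.ceo@freemail.example>
To: payroll@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.example; dkim=pass; dmarc=pass
Subject: Quick favour

Are you at your desk? I need a wire sent before noon.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass
Subject: Q1 review

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE),
                       ("display-name", DISPLAY_NAME), ("legitimate", LEGITIMATE)]:
        print(f"{label:13s} -> {classify(raw) or 'clean'}")
```

The edit-distance threshold of 2 catches transpositions and single-character swaps such as `rn` for `m`, but it also matches short unrelated domains, so in production the candidate list should be limited to domains you actually correspond with, as `TRUSTED_DOMAINS` does here. The display-name check is the one that matters most for the survey figures quoted below, since it needs no infrastructure on the attacker's side beyond a free webmail account.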

According to one survey of BEC incidents:

  • 12% of BECs are Spoofing
  • 7% are combinations of look-alike Domain and Display Name Deception Attacks
  • 81% are pure Display Name Deception Attacks.

Attackers exploit specific times of the year, such as tax season, to raise the odds that a BEC scam succeeds. People expect tax-related email during tax season, so a message that asks for personal or financial details, an attachment to open, or a link to click is far less likely to be questioned than it would be at any other time.

It is common practice to run security awareness training once a year, but employees need more frequent reinforcement to be properly equipped against scams. Calling out higher-risk periods such as tax season is a good way to refresh the training people have already received. No in-depth technical training is necessary, but make sure staff know the main red flags of social engineering: an unexpected request for a payment or for personal data, pressure to act urgently or secretly, a change of bank details, a display name that does not match the sender address, and a reply-to address that differs from the sender.


Contact LIFARS immediately for your cybersecurity mitigation plans.