The HHS Health Sector Cybersecurity Coordination Center (HC3) released a sector alert on the growing threat of Business E-mail Compromise (BEC) attacks. BEC is a sophisticated type of phishing scam in which cybercriminals use emails to deceive individuals into transferring money or disclosing sensitive information. The tactic relies on social engineering, often impersonating trusted figures such as chief executive officers (CEOs) or vendors. BEC is particularly difficult to detect because the emails generally do not contain malware or attachments.
BEC attacks have resulted in billions of dollars in losses worldwide. In 2023 and 2024 alone, the median loss from these scams was around $50,000. The Federal Bureau of Investigation reports that BEC incidents have affected victims across 186 countries, with a total loss exceeding $20 billion since 2013. BEC attacks can target key roles in organizations, including executives, finance employees, human resources managers, and new staff members.
The alert outlines various types of BEC attacks, such as CEO fraud, false invoice schemes, and data theft, and offers recommendations for defense, including heightened awareness and better email security practices. Organizations are urged to be vigilant and implement robust mitigation strategies to protect against this pervasive and costly threat. For further information, refer to the BEC Sector Alert.