Business Email Compromise (BEC), sometimes also referred to as “CEO Fraud”, is essentially a modern twist on the financial scams of old. Cybercriminals engaging in BEC attacks rely on social engineering techniques such as phishing and spear phishing, sometimes combined with credential harvesting and other attack patterns, to masquerade as an important company figure who requests information or the completion of an action from a lower-level employee.
At its heart, Business Email Compromise (BEC) is a deception game.
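Because BEC relies on impersonating a company figure rather than on a technical flaw, the defensive signal lives in the message headers and wording rather than in an attachment. The following is an added illustration, not code from the original page: a small Python triage routine that checks a message for the indicators implied above (an executive's display name on a sender address that is not that executive's, a lookalike sender domain, a Reply-To that diverts replies elsewhere, and urgent financial wording). The domain `example-corp.com`, the executive directory, the keyword list, the 0.8 similarity threshold and both sample messages are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real captures). The first impersonates the CEO
# from a lookalike domain (digit 1 in place of the letter l) with a diverted Reply-To.
SAMPLE_BEC = """From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts.payable@example-corp.com
Subject: Urgent wire transfer needed today

Hi, I'm in a meeting and can't talk. Please process the attached wire transfer
before 3pm and keep this confidential. Thanks, Jane
"""

SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 budget review

Attached are the slides for Thursday's review.
"""

# Hypothetical organisation data: the real domain and a directory of
# executives whose names are worth protecting against impersonation.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
URGENCY_TERMS = re.compile(r"\b(urgent|wire transfer|confidential|gift card|asap)\b", re.I)
LOOKALIKE_THRESHOLD = 0.8  # assumed; tune against your own false-positive rate


def normalize_name(display: str) -> str:
    """'Jane Doe (CEO)' -> 'jane doe': strip titles and punctuation for matching."""
    display = re.sub(r"\(.*?\)", "", display)
    return " ".join(re.findall(r"[a-z]+", display.lower()))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_message(raw: str) -> list:
    """Return the list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Known executive's name on an address that is not that executive's.
    name = normalize_name(display)
    if name in EXECUTIVES and from_addr.lower() != EXECUTIVES[name]:
        findings.append("executive-impersonation")

    # 2. Sender domain that is close to, but not, the real one.
    if from_domain != INTERNAL_DOMAIN:
        similarity = SequenceMatcher(None, from_domain, INTERNAL_DOMAIN).ratio()
        if similarity >= LOOKALIKE_THRESHOLD:
            findings.append("lookalike-domain")

    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Pressure and payment language typical of CEO-fraud requests.
    if URGENCY_TERMS.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgency-language")

    return findings


if __name__ == "__main__":
    for label, sample in (("constructed BEC sample", SAMPLE_BEC), ("constructed legitimate sample", SAMPLE_LEGIT)):
        print(label, "->", score_message(sample) or "no indicators")
```

Each indicator on its own is weak (executives do use personal addresses; some vendors legitimately set Reply-To), so in practice the findings feed a score or a quarantine rule rather than an outright block, and the executive directory should be sourced from the identity system rather than maintained by hand.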
Spear phishing is a type of phishing attack targeted at a specific individual, group of individuals or business, as opposed to mass-phishing campaigns that target thousands of victims. Spear phishing emails are often designed to steal specific data or to install malware on the target’s computer or device.
Spear phishing attacks are not usually initiated by opportunistic cybercriminals; they are tailored to the victim and are more likely to be conducted by cybercriminals seeking financial gain or intellectual property.
Social engineering refers to a broad range of malicious methods of tricking, manipulating and exploiting people into performing actions or divulging sensitive information they otherwise wouldn’t.
Rather than breaking into a system by exploiting a technical flaw, a social engineer uses techniques such as phishing or spear phishing to lure the target into completing the desired action.
Social engineering attacks can be targeted at a specific individual or be generic.
Phishing is like fishing, hence the name. The attacker lures the target with bait, often by sending deceptive emails to a group of people, and waits for a victim to get hooked. Once the victim is hooked, the attacker, posing as a legitimate and trustworthy entity, can trick them into divulging sensitive information or carrying out an unintended action. Unlike fishing, however, it is far from a harmless pastime.