商務電子郵件詐騙(Business Email Compromise,簡稱BEC)是近年來常見之網路詐騙攻擊手段,由於金融貿(交)易公司對科技依賴性日益趨增,攻擊者利用國際間商業往來合作雙方之互信原則,以電子郵件、即時通訊軟體等工具,再利用跨國時間及距離之差異、組織內部流程之漏洞,以及人員疏忽等途徑,進而從中攻擊並謀取暴利,造成企業以及社會經濟之嚴重損失,受害之企業人數及金額為數甚多,儼然已成為全球企業刻不容緩,極需面對之問題。本文透過蒐集近十年BEC詐騙實例資料,對於受騙個案進行根本原因分析,並提出改善建議。 本研究以受害公司遭詐騙情形為例,對事件發生之根因採5W1H之方式作為根本原因分析工具加以研析,結果顯示,企業遭受商務電子郵件詐騙,主因包括內部流程不完善、人員培訓不足及技術手段不夠先進等問題,致造成重大損失。本研究建議,可透過強化內部審批機制,增加多層次驗證程序,同時對於所有涉及財務、會計及研發的人員,應強化進行資安培訓,使其具備識別潛在詐騙的能力。同時,建議企業應與時俱進,部署更先進的垃圾郵件過濾系統、即時監控系統以及定期進行內外部安全稽核,以避免商務電子郵件詐騙。;Business Email Compromise (BEC) is a common method of cyber fraud in recent years. As financial trading companies increasingly rely on technology, attackers exploit the trust principle between international business partners. They use tools such as email and instant messaging software, taking advantage of time and distance differences across countries, organizational process loopholes, and personnel negligence to carry out attacks and gain huge profits. This results in severe losses for enterprises and the socio-economy, with a significant number of affected companies and financial losses. It has become an urgent global issue that enterprises must face and address. This article collects data on BEC fraud cases over the past decade, conducts a root cause analysis of the incidents, and proposes improvement suggestions. This study uses examples of companies that fell victim to fraud, employing the 5W1H method as a root cause analysis tool to analyze the incidents. It finds that the primary causes are incomplete process planning and a lack of security awareness among personnel. Based on these findings, improvement suggestions are proposed.
