Defending Against Business Email Compromise: Business Protection Strategies

Introduction

“Business Email Compromise” (BEC) represents a significant threat in the realm of cybersecurity, posing substantial risks to organizations of all sizes across various industries. 

This fraudulent scheme involves cybercriminals manipulating or compromising email accounts to deceive individuals into performing actions or sharing sensitive information, often resulting in financial loss or data breaches. Let’s delve into the complexity of Business Email Compromise and its impact on modern businesses.

Understanding Business Email Compromise (BEC)

Business Email Compromise (BEC) schemes typically start with hackers gaining access to a company’s email system or spoofing an email address to impersonate a trusted entity—such as a CEO, manager, or vendor. 

They employ social engineering tactics, carefully crafting deceptive messages to manipulate employees into initiating wire transfers, disclosing confidential data, or executing unauthorized actions. 

Figure 1: A spoofed email sent by an attacker.

Variants of Business Email Compromise

Figure 2: Pie chart of the variants of BEC.

BEC manifests in diverse forms, including:

CEO Fraud: In this scenario, cybercriminals impersonate high-ranking executives within an organization, often the CEO or CFO. They craft convincing emails requesting urgent wire transfers or confidential information. The message might instruct an employee in the finance department to transfer funds to a specified account, ostensibly for a time-sensitive deal or an emergency. Despite the urgency conveyed, the request is fraudulent and leads to financial loss.

Vendor Email Compromise: Hackers infiltrate the email accounts of vendors or suppliers with whom the targeted company regularly conducts business. They intercept communications and manipulate payment details, altering bank account information or invoice details. Subsequently, they direct payments to fraudulent accounts, diverting funds meant for legitimate transactions.

Data theft: Sometimes scammers start by targeting the HR department and stealing company information like someone’s schedule or personal phone number. Then it’s easier to carry out one of the other BEC scams and make it seem more believable.

False invoice scheme: Cybercriminals compromise an employee’s email account or spoof a vendor’s email address to send fake invoices or payment requests to the finance department. These fraudulent invoices appear legitimate, often including altered banking information or false payment instructions. Unaware employees might process these payments, resulting in financial loss for the company.

Lawyer impersonation: In this scheme, cybercriminals masquerade as legal representatives or law firms involved in ongoing business transactions or negotiations. They send emails persuading employees to transfer funds or share sensitive information related to legal matters, leveraging the perceived urgency and authority associated with legal proceedings.

Gift Card Scams: Another variant involves requests for gift cards. Cybercriminals compromise an executive’s email account and send requests to employees, posing as the executive, asking them to purchase gift cards for supposed company purposes. These emails often stress confidentiality and urgency, leading employees to purchase gift cards and share the codes, resulting in financial losses.

How Do BEC Attacks Work?

Figure 3: Steps an attacker follows to launch a BEC attack.

In a BEC scam, the attacker poses as someone the recipient should trust—typically a colleague, boss, or vendor. The sender asks the recipient to make a wire transfer, divert payroll, change banking details for future payments and so on.

BEC attacks are difficult to detect because they don’t use malware or malicious URLs that can be analyzed with standard cyber defenses. Instead, Business Email Compromise attacks rely on impersonation and other social engineering techniques to trick people into acting on the attacker’s behalf.

Because of their targeted nature and use of social engineering, manually investigating and remediating these attacks is difficult and time consuming.

Below are the phases through which an attacker launches a BEC attack.

PHASE 1 – Email List Targeting

The attackers begin by building a targeted list of emails. Common tactics include mining LinkedIn profiles, sifting through business email databases, or even going through various websites in search of contact information.

PHASE 2 – Launch Attack

Attackers begin rolling out their BEC attacks by sending out mass emails. It’s difficult to identify malicious intent at this stage since attackers utilize tactics such as spoofing, look-alike domains, and fake display names.

PHASE 3 – Social Engineering

At this stage, attackers will impersonate individuals within a company such as CEOs or other individuals within finance departments. It’s common to see emails that request urgent responses.

PHASE 4 – Financial Gain

If attackers can successfully build trust with an individual, this is typically the phase in which the financial theft or data breach occurs.

Business Email Compromise (BEC) Statistics

  • In 2023, the FBI received 41,832 BEC complaints, with estimated losses totaling more than $2.7 billion.
  • There was a 65% increase in identified global exposed losses from Business Email Compromise fraud. 
  • The use of cryptocurrency in BEC-specific crimes was first identified in 2018 and has continued to skyrocket over the last four years. As of 2023, $40 million in losses has been reported in BEC/cryptocurrency complaints.
  • Pretexting, including BEC, overtook phishing as the most prevalent social engineering tactic in 2023, with BEC attacks accounting for more than 50% of social engineering incidents. 
  • The median open rate for text-based BEC attacks is nearly 28% (Abnormal Intelligence H1 2023 Report).
  • BEC was the attack vector for 9% of data breaches in 2023.

Business email compromise examples

Example #1: Pay this urgent bill.  

Say you work in your company’s finance department. You get an email from the CFO with an urgent request about an overdue bill—but it’s not actually from the CFO. Or the scammer pretends to be your repair company or internet provider and emails a convincing-looking invoice.

Example #2: What’s your phone number?

A company executive emails you, “I need your help with a quick task. Send me your phone number and I’ll text you.” Texting feels safer and more personal than email, so the scammer hopes you’ll text them payment info or other sensitive information. This is called “smishing,” or phishing via SMS (text) message.

Example #3: Your lease is expiring.

A scammer gets access to a real estate company’s email, then finds transactions in progress. They email clients, “Here’s the bill to renew your office lease for another year” or “Here’s the link to pay your lease deposit.” Scammers recently swindled someone out of more than $500,000 this way.

Example #4: Top secret acquisition

Your boss asks for a down payment to acquire one of your competitors. “Keep this just between us,” the email says, discouraging you from verifying the request. Since M&A details are often kept secret until everything is final, this scam might not seem suspicious at first.

Impact on Businesses

Financial Loss

BEC schemes can result in substantial financial setbacks for organizations. Fraudulent wire transfers, diverted payments, or financial manipulation lead to direct monetary losses, impacting revenue and financial stability.

Reputational Damage

Beyond financial repercussions, falling victim to Business Email Compromise (BEC) can tarnish a company’s reputation. Breached trust with customers, partners, and stakeholders can erode confidence and credibility.

Regulatory Consequences

BEC incidents often involve the compromise of sensitive data, triggering legal and regulatory implications. Failure to safeguard confidential information may result in compliance violations and penalties.

Mitigation Strategies (Business Email Compromise Protection)

Multi-Factor Authentication (MFA)

Implementing robust security measures such as MFA adds an extra layer of protection against unauthorized access to accounts, reducing the likelihood of successful BEC attacks.

Secure Communication Protocols

Employing encryption, digital signatures, and secure communication channels can thwart unauthorized access and tampering of emails and data.

Email Filtering and Authentication 

Implement a robust email filtering system that can detect and block suspicious emails, spoofed domains, or emails with malicious attachments. Implement email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) to prevent domain spoofing.
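The following is an added example, not code from the article or from any mail product: it parses a DMARC TXT record and evaluates it against the SPF and DKIM results of a single message, returning the disposition a receiving mail server would apply. It shows why a monitor-only record (p=none) does nothing to stop a spoofed From address, while an enforcing record (p=reject) does. The records, domains and message results are constructed, and the organizational-domain computation is a deliberate simplification (last two labels rather than the Public Suffix List).

```python
"""Added example (not from the article): evaluate a DMARC record against the
SPF and DKIM results of one message and return the disposition a receiving
mail server would apply. Records, domains and results below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s" into a
    tag dictionary, filling in the relaxed-alignment defaults (adkim=r, aspf=r).
    Tags such as pct= and sp= are kept in the dictionary but not applied."""
    tags: Dict[str, str] = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= tag")
    if tags["p"].lower() not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Simplification (assumption):
    the last two labels. Real evaluators consult the Public Suffix List so that
    domains like example.co.uk are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ("s") needs an exact match with the From
    domain, relaxed ("r") only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain of the RFC5322.From header the user sees
    spf_domain: Optional[str]   # MAIL FROM (envelope) domain that SPF checked
    spf_pass: bool
    dkim_domain: Optional[str]  # d= tag of the DKIM signature, if any
    dkim_pass: bool


def evaluate_dmarc(record: str, r: AuthResults) -> str:
    """Return "pass" when an aligned SPF or DKIM pass exists; otherwise the
    domain owner's policy ("none", "quarantine" or "reject") is the result."""
    tags = parse_dmarc_record(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()


# Constructed scenarios.
# 1) Spoofed: the From header claims yourcompany.com, but SPF only authenticated
#    the attacker's own sending domain and there is no DKIM signature.
SPOOFED = AuthResults("yourcompany.com", "bulk-sender.example", True, None, False)
# 2) Legitimate: bounces go through a subdomain and the DKIM key is a subdomain's.
LEGIT = AuthResults("yourcompany.com", "bounce.yourcompany.com", True,
                    "mail.yourcompany.com", True)

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourcompany.com"

if __name__ == "__main__":
    for name, rec in (("monitor-only", WEAK_RECORD), ("enforcing", STRONG_RECORD)):
        print(f"{name}: spoofed -> {evaluate_dmarc(rec, SPOOFED)}, "
              f"legitimate -> {evaluate_dmarc(rec, LEGIT)}")
```

Running the script shows the spoofed message is delivered ("none") under the monitor-only record and rejected under the enforcing one, while the legitimate subdomain-signed message passes under relaxed alignment. Switching the same record to strict alignment (adkim=s; aspf=s) makes that legitimate message fail too, which is why an organization should inventory every sending system, and read the aggregate reports sent to the rua= address, before moving from p=none to p=reject.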

Dynamic email classification

Once you’ve validated the identity of the email sender, dynamic email classification will look at the content and context of the email coming into your organization. This layer of security will look at the sender’s reputation, email relationship history, the email’s subject line, and more. You can score an email based on the likelihood that it is fraudulent and then decide what to do with emails based on their scores.

Vendor/Supplier Due Diligence

Verify the legitimacy of vendors or suppliers before engaging in financial transactions or sharing sensitive information. Establish secure channels for communication and payments with external parties.

Security awareness and training

Because impostor attacks are designed to bypass traditional security layers, people are often left as the last line of defense. You need a Business Email Compromise Protection solution that can simulate real-world impostor email attacks. You can track who is responding to these simulated attacks and train them accordingly. Such a program should give people the knowledge and skills they need to protect your organization against these advanced attacks.

Red Flags/Indicators

Below are some of the indicators that end users can be taught to look for in an email:

High-level executives asking for unusual information. 

How many CEOs want to review W2 and tax information for individual employees? While most of us will naturally respond promptly to an email from the C-suite, it’s worth pausing to consider whether the email request makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.

Requests to not communicate with others.

Impostor emails often ask the recipient to keep the request confidential or only communicate with the sender via email.

Requests that bypass normal channels

Most organizations have accounting systems through which bills and payments must be processed, no matter how urgent the request. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent wire transfer be completed ASAP, the recipient should be suspicious.

Language issues and unusual date formats

Some lure emails have flawless grammar, and some CEOs write emails in broken English. But European date formats (day month year) or sentence construction that suggests a non-native speaker are common in many of these attacks.

Email domains and “Reply To” addresses that do not match sender’s addresses.

Business Email Compromise emails often use spoofed and lookalike sender addresses that are easy to miss if the recipient isn’t paying attention (for example, yourc0mpany.com instead of yourcompany.com).
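The following is an added example, written for this page rather than taken from the article or any vendor product. It implements the scoring idea from the "Dynamic email classification" section above using the red-flag indicators just listed: a Reply-To domain that differs from the From domain, a lookalike sender domain (yourc0mpany.com versus yourcompany.com), an executive title in the display name of a message sent from an external domain, and urgency, secrecy, payment and bypass-the-process language in the subject or body. The known-domain list, confusable-character table, keyword patterns, weights, thresholds and sample messages are all constructed for illustration.

```python
"""Added example (not from the article or any vendor product): score an inbound
message against the BEC red flags described in the text and choose an action.
Keyword lists, weights, thresholds, known domains and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Domains the organization owns or regularly trades with (constructed list).
KNOWN_DOMAINS = {"yourcompany.com", "trustedvendor.com"}
# Substitutions commonly used to build lookalike domains (small illustrative table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
# Content indicators from the red-flag list, with constructed weights.
CONTENT_INDICATORS = (
    ("urgency", re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I), 1),
    ("secrecy request",
     re.compile(r"\b(confidential|between us|do not (tell|discuss)|keep this quiet)\b", re.I), 2),
    ("payment request",
     re.compile(r"\b(wire transfers?|gift cards?|bank (account|details)|invoice)\b", re.I), 2),
    ("bypass of normal channels",
     re.compile(r"\b(skip|bypass|without) (the )?(normal |usual )?(process|approval|po)\b", re.I), 2),
)
EXECUTIVE_TITLE = re.compile(r"\b(ceo|cfo|president)\b", re.I)


def skeleton(domain: str) -> str:
    """Normalize confusable characters so yourc0mpany.com compares equal to yourcompany.com."""
    s = domain.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known domain that `domain` imitates, or None when it is a known
    domain itself or resembles none of them."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if skeleton(domain) == skeleton(known) or edit_distance(domain, known) <= 1:
            return known
    return None


def header_domain(header_value: str) -> str:
    """Lower-cased domain part of an address header ("" if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicators) for one RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = header_domain(msg.get("From", ""))
    reply_dom = header_domain(msg.get("Reply-To", ""))
    score, reasons = 0, []
    if reply_dom and reply_dom != from_dom:
        score += 3
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        score += 4
        reasons.append(f"sender domain {from_dom} is a lookalike of {imitated}")
    if from_dom not in KNOWN_DOMAINS and EXECUTIVE_TITLE.search(display_name):
        score += 2
        reasons.append("executive title in display name but sent from an external domain")
    for name, pattern, weight in CONTENT_INDICATORS:
        if pattern.search(text):
            score += weight
            reasons.append(name)
    return score, reasons


def classify(raw: str) -> Tuple[str, int, List[str]]:
    """Map the score to an action; thresholds are constructed for the example."""
    score, reasons = score_message(raw)
    action = "quarantine" if score >= 6 else "flag for review" if score >= 3 else "deliver"
    return action, score, reasons


# Constructed sample messages.
SPOOFED_CEO = """From: "Jane Doe, CEO" <jane.doe@yourc0mpany.com>
Reply-To: jane.doe.exec@freemail.example
To: accounts@yourcompany.com
Subject: Urgent wire transfer - confidential

Hi, I need you to process a wire transfer today for an acquisition.
Keep this between us and skip the usual approval; I will explain later.
"""
LEGIT_INVOICE = """From: "Bob Smith" <bob.smith@trustedvendor.com>
To: accounts@yourcompany.com
Subject: Invoice 1042 for March services

Hello, please find attached invoice 1042, due in 30 days per our contract.
"""
```

Calling classify(SPOOFED_CEO) returns "quarantine" with every indicator matched, while classify(LEGIT_INVOICE) returns "deliver": the word "invoice" alone earns a small score, which is the point of weighting several weak signals together rather than blocking on any single keyword. In practice the sender-reputation and relationship-history signals the section mentions would be added as further weighted inputs, and the thresholds would be tuned against the organization's own mail.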


Conclusion

Business Email Compromise poses a formidable threat, exploiting vulnerabilities in human behavior and technological systems. Combating BEC requires a multifaceted approach, encompassing employee awareness, robust cybersecurity measures, and a proactive security culture within organizations.

Remaining vigilant, investing in comprehensive cybersecurity strategies, and fostering a culture of skepticism towards unsolicited or unusual email requests are pivotal in fortifying defenses against BEC and safeguarding businesses from its detrimental impacts.

Kommuru Venkata Pardhasaradhi
