“Business Email Compromise” (BEC) represents a significant threat in the realm of cybersecurity, posing substantial risks to organizations of all sizes across various industries.
This fraudulent scheme involves cybercriminals manipulating or compromising email accounts to deceive individuals into performing actions or sharing sensitive information, often resulting in financial loss or data breaches. Let’s delve into the complexity of BEC and its impact on modern businesses.
Understanding Business Email Compromise (BEC)
BEC schemes typically start with hackers gaining access to a company’s email system or spoofing an email address to impersonate a trusted entity—such as a CEO, manager, or vendor.
They employ social engineering tactics, carefully crafting deceptive messages to manipulate employees into initiating wire transfers, disclosing confidential data, or executing unauthorized actions.
Figure 1: A spoofed email sent by an attacker.
Variants of Business Email Compromise
Figure 2: Pie chart describing the variants of BEC.
BEC manifests in diverse forms, including:
CEO Fraud: In this scenario, cybercriminals impersonate high-ranking executives within an organization, often the CEO or CFO. They craft convincing emails requesting urgent wire transfers or confidential information. The message might instruct an employee in the finance department to transfer funds to a specified account, presenting it as a time-sensitive deal or an emergency. Despite the urgency conveyed, the request is fraudulent and acting on it leads to financial loss.
Vendor Email Compromise: Hackers infiltrate the email accounts of vendors or suppliers with whom the targeted company regularly conducts business. They intercept communications and manipulate payment details, altering bank account information or invoice details. Subsequently, they direct payments to fraudulent accounts, diverting funds meant for legitimate transactions.
Data theft: Sometimes scammers start by targeting the HR department and stealing company information like someone’s schedule or personal phone number. Then it’s easier to carry out one of the other BEC scams and make it seem more believable.
False invoice scheme: Cybercriminals compromise an employee’s email account or spoof a vendor’s email address to send fake invoices or payment requests to the finance department. These fraudulent invoices appear legitimate, often including altered banking information or false payment instructions. Unaware employees might process these payments, resulting in financial loss for the company.
Lawyer impersonation: In this scheme, cybercriminals masquerade as legal representatives or law firms involved in ongoing business transactions or negotiations. They send emails persuading employees to transfer funds or share sensitive information related to legal matters, leveraging the perceived urgency and authority associated with legal proceedings.
Gift Card Scams: Another variant involves requests for gift cards. Cybercriminals compromise an executive’s email account and send requests to employees, posing as the executive, asking them to purchase gift cards for supposed company purposes. These emails often stress confidentiality and urgency, leading employees to purchase gift cards and share the codes, resulting in financial losses.
How Do BEC Attacks Work?
Figure 3: Steps an attacker follows to launch a BEC attack.
In a BEC scam, the attacker poses as someone the recipient should trust—typically a colleague, boss, or vendor. The sender asks the recipient to make a wire transfer, divert payroll, change banking details for future payments and so on.
BEC attacks are difficult to detect because they don’t use malware or malicious URLs that can be analyzed with standard cyber defenses. Instead, BEC attacks rely on impersonation and other social engineering techniques to trick people into acting on the attacker’s behalf.
Because of their targeted nature and use of social engineering, manually investigating and remediating these attacks is difficult and time consuming.
Below are the phases through which an attacker launches a BEC attack:
PHASE 1 – Email List Targeting
The attackers begin by building a targeted list of emails. Common tactics include mining LinkedIn profiles, sifting through business email databases, or even going through various websites in search of contact information.
PHASE 2 – Launch Attack
Attackers begin rolling out their BEC attacks by sending out mass emails. It’s difficult to identify malicious intent at this stage since attackers will utilize tactics such as spoofing, look-alike domains, and fake email names.
PHASE 3 – Social Engineering
At this stage, attackers will impersonate individuals within a company such as CEOs or other individuals within finance departments. It’s common to see emails that request urgent responses.
PHASE 4 – Financial Gain
If attackers can successfully build trust with an individual, this is typically the phase where financial gain or data breach is made.
Business Email Compromise (BEC) Statistics
- In 2023, the FBI received 41,832 BEC complaints, with estimated losses totaling more than $2.7 billion.
- There was a 65% increase in identified global exposed losses from Business Email Compromise fraud.
- The use of cryptocurrency in BEC-specific crimes was first identified in 2018 and has continued to skyrocket over the last four years. As of 2023, $40 million in losses has been reported in BEC/cryptocurrency complaints.
- Pretexting, including BEC, overtook phishing as the most prevalent social engineering tactic in 2023, with BEC attacks accounting for more than 50% of social engineering incidents.
- The median open rate for text-based BEC attacks is nearly 28% (source: Abnormal Intelligence H1 2023 Report).
- BEC was the attack vector for 9% of data breaches in 2023.
Business email compromise examples
Example #1: Pay this urgent bill.
Say you work in your company’s finance department. You get an email from the CFO with an urgent request about an overdue bill—but it’s not actually from the CFO. Or the scammer pretends to be your repair company or internet provider and emails a convincing-looking invoice.
Example #2: What’s your phone number?
A company executive emails you, “I need your help with a quick task. Send me your phone number and I’ll text you.” Texting feels safer and more personal than email, so the scammer hopes you’ll text them payment info or other sensitive information. This is called “smishing,” or phishing via SMS (text) message.
Example #3: Your lease is expiring.
A scammer gets access to a real estate company’s email, then finds transactions in progress. They email clients, “Here’s the bill to renew your office lease for another year” or “Here’s the link to pay your lease deposit.” Scammers recently swindled someone out of more than $500,000 this way.
Example #4: Top secret acquisition
Your boss asks for a down payment to acquire one of your competitors. “Keep this just between us,” the email says, discouraging you from verifying the request. Since M&A details are often kept secret until everything is final, this scam might not seem suspicious at first.
Impact on Businesses
BEC schemes can result in substantial financial setbacks for organizations. Fraudulent wire transfers, diverted payments, or financial manipulation lead to direct monetary losses, impacting revenue and financial stability.
Beyond financial repercussions, falling victim to BEC can tarnish a company’s reputation. Breached trust with customers, partners, and stakeholders can erode confidence and credibility.
BEC incidents often involve the compromise of sensitive data, triggering legal and regulatory implications. Failure to safeguard confidential information may result in compliance violations and penalties.
Multi-Factor Authentication (MFA)
Implementing robust security measures such as MFA adds an extra layer of protection against unauthorized access to accounts, reducing the likelihood of successful BEC attacks.
Secure Communication Protocols
Employing encryption, digital signatures, and secure communication channels can thwart unauthorized access and tampering of emails and data.
Email Filtering and Authentication
Implement a robust email filtering system that can detect and block suspicious emails, spoofed domains, or emails with malicious attachments. Implement email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) to prevent domain spoofing.
Dynamic email classification
Once you’ve validated the identity of the email sender, dynamic email classification will look at the content and context of the email coming into your organization. This layer of security will look at the sender’s reputation, email relationship history, the email’s subject line, and more. You can score an email based on the likelihood that it is fraudulent and then decide what to do with emails based on their scores.
Vendor/Supplier Due Diligence
Verify the legitimacy of vendors or suppliers before engaging in financial transactions or sharing sensitive information. Establish secure channels for communication and payments with external parties.
Security awareness and training
Because impostor attacks are designed to bypass traditional security layers, people are often left as the last line of defense. You need a BEC solution that can simulate real-world impostor email attacks. You can track who is responding to these simulated attacks and train them accordingly. Provide people with the knowledge and skills they need to protect the organization against these advanced attacks.
Below are some of the indicators end users can be taught to look for in an email:
High-level executives asking for unusual information.
How many CEOs want to review W2 and tax information for individual employees? While most of us will naturally respond promptly to an email from the C-suite, it’s worth pausing to consider whether the email request makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.
Requests to not communicate with others.
Impostor emails often ask the recipient to keep the request confidential or only communicate with the sender via email.
Requests that bypass normal channels
Most organizations have accounting systems through which bills and payments must be processed, no matter how urgent the request. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent wire transfer be completed ASAP, the recipient should be suspicious.
Language issues and unusual date formats
Some lure emails have flawless grammar, and some CEOs write emails in broken English. But the presence of European date formats (day month year), or sentence construction that suggests an email was written by a non-native speaker, is common in many of these attacks.
Email domains and “Reply To” addresses that do not match sender’s addresses.
Business Email Compromise emails often use spoofed and lookalike sender addresses that are easy to miss if the recipient isn’t paying attention (for example, yourc0mpany.com instead of yourcompany.com).
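The dynamic email classification described earlier and the indicators above (Reply-To mismatch, lookalike domains, failed DMARC/SPF, urgency language, missing relationship history) can be combined into a single score. The following Python is an added example, not code from the original article: TRUSTED_DOMAINS, the weights, the thresholds and the sample message are constructed assumptions for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: domains the organisation and its known vendors legitimately send from.
TRUSTED_DOMAINS = {"yourcompany.com", "trustedvendor.com"}
URGENCY_WORDS = ("urgent", "asap", "immediately", "wire transfer", "confidential")

def is_lookalike(domain):
    # Near-identical to a trusted domain (yourc0mpany.com vs yourcompany.com) but not equal to it.
    return domain not in TRUSTED_DOMAINS and any(
        SequenceMatcher(None, domain, t).ratio() >= 0.9 for t in TRUSTED_DOMAINS)

def score_email(raw):
    """Score a raw RFC 5322 message on the BEC indicators; returns (score, reasons, verdict)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    score, reasons = 0, []
    if reply_domain and reply_domain != from_domain:      # replies silently go elsewhere
        score += 3; reasons.append("Reply-To domain differs from From domain")
    if is_lookalike(from_domain) or is_lookalike(reply_domain):
        score += 4; reasons.append("lookalike of a trusted domain")
    auth = msg.get("Authentication-Results", "").lower()  # stamped by the receiving MTA
    if "dmarc=fail" in auth or "spf=fail" in auth:
        score += 3; reasons.append("sender failed SPF/DMARC")
    if from_domain not in TRUSTED_DOMAINS:                # no prior relationship history
        score += 1; reasons.append("no established relationship with sender domain")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]        # urgency / secrecy pressure
    score += len(hits)
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    verdict = "block" if score >= 8 else "flag for review" if score >= 4 else "deliver"
    return score, reasons, verdict

# Constructed sample message exhibiting the indicators listed above (not a real email).
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@yourc0mpany.com>
Reply-To: jane.doe.ceo@freemail.example
Subject: URGENT wire transfer - keep confidential
Authentication-Results: mx.yourcompany.com; spf=none; dmarc=fail

Please wire the deposit to the account below ASAP. Do not discuss this with anyone.
"""

if __name__ == "__main__":
    print(score_email(SUSPICIOUS))  # (15, [...], 'block')
```

The weights are deliberately simple; in production the relationship-history check would consult the organisation's actual mail history rather than a static allow-list.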
Business Email Compromise poses a formidable threat, exploiting vulnerabilities in human behavior and technological systems. Combating BEC requires a multifaceted approach, encompassing employee awareness, robust cybersecurity measures, and a proactive security culture within organizations.
Remaining vigilant, investing in comprehensive cybersecurity strategies, and fostering a culture of skepticism towards unsolicited or unusual email requests are pivotal in fortifying defenses against BEC and safeguarding businesses from its detrimental impacts.