Business Email Compromise
Business Email Compromise Overview
The cost and implications of Business Email Compromise (BEC) in recent years have become increasingly concerning. For example, according to an FBI report, BEC alone resulted in almost $2 billion in losses in 2019. In another report, the agency claimed that identified global losses have increased by 65% from July 2019 to December 2021. It is no wonder that organizations are bolstering their security to confront the rising specter of BEC.
But what is BEC and what is its goal? How can you spot the different forms of BEC attacks and protect your organization?
Business Email Compromise (BEC) Definition
What is Business Email Compromise? BEC refers to a type of phishing or social engineering attack that primarily targets senior executives and finance department staff. The malicious party launching the attack impersonates someone with decision-making authority, likely someone who can authorize a financial transaction, provide system access, or release sensitive data.
Because many organizations rely on email for internal communications, often no one suspects that the message is a phishing attack. If email security is not adequate, the attack may never be identified.
What is the Main Goal of BEC?
The main goal of a BEC attack is to steal money, gain system access, or compromise sensitive data by deceiving the recipient into thinking they have received a legitimate email from someone with authority. BEC attacks are launched in the hope that senior staff members use email to authorize actions, so the message does not raise suspicions.
Business Email Compromise: How Does BEC Work?
Early BEC attacks used email address spoofing to impersonate a senior-level executive, usually in the form of a message authorizing an urgent release of funds to a supposedly trusted supplier account. However, the account information would be fraudulent, and because of the urgency, the recipient would likely make the transfer quickly—before realizing the message was fake.
BEC attacks have since evolved. Rather than simply focusing on embezzling funds through fraud, the goal has included access to credentials, systems or accounts, and sensitive customer data.
How To Spot BEC Scams
BEC scams are designed to appear legitimate, but only at a glance. If you look closer, you will likely see the following telltale signs:
- Errors in spelling or grammatical oddities: Since the hacker is relying on limited information, odd details may be included in the message, such as the use of your full name (when co-workers call you by first name or nickname) or a generic greeting with no name at all. Additionally, hackers are not professionals in your industry, so there may be grammar, spelling, and other errors not common to your organization.
- Errors in the format or spelling of the sender’s address: If the hacker cannot use a legitimate email address to send the message, they will craft one that looks like the real thing. Look for missing letters, a dash in place of an underscore, or special characters that closely resemble letters of the alphabet.
- Abnormal or unusual requests: The hacker may explain away a request that is abnormal or unusual by claiming it is a special circumstance or an urgent favor or requirement. If the request seems out of the ordinary, dig deeper to verify it is genuine.
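As an added example that is not part of the article, the following Python check encodes the sender-address telltales above from the defender's side: it folds look-alike characters, treats dash/underscore swaps as equivalent, and measures how far an incoming sender's domain is from an allowlist of trusted domains, so a mail filter can flag lookalikes for review rather than let them pass as internal or known-vendor mail. The allowlist and the confusables table are constructed assumptions; a production filter would use a fuller confusables list.

```python
import unicodedata

# Constructed allowlist for a hypothetical organization (assumption, not from the article).
TRUSTED_DOMAINS = {"example.com", "example-supplier.com"}

# Illustrative confusables table (assumption; a real filter would use a fuller list).
# Maps visually similar characters or sequences to the ASCII they imitate.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "0": "o", "1": "l", "rn": "m", "vv": "w",
}


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparable form: fold confusables and dash/underscore swaps."""
    s = unicodedata.normalize("NFKC", domain).lower()
    for lookalike, ascii_char in CONFUSABLES.items():
        s = s.replace(lookalike, ascii_char)
    return s.replace("_", "-")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches missing or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike:<imitated domain>' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        if edit_distance(sk, skeleton(t)) <= max_dist:
            return f"lookalike:{t}"
    return "external"


if __name__ == "__main__":
    for addr in ["cfo@example.com", "cfo@exarnple.com", "billing@example_supplier.com"]:
        print(addr, "->", classify_sender(addr))
```

Anything classified as lookalike is a candidate for quarantine or a prominent warning banner; the edit-distance threshold trades false positives (legitimately similar domains) against missed variants.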
Types of BEC Attacks
As the public became more aware of BEC scams and more organizations implemented safeguards to improve their security posture, scammers responded by evolving their methods. Here are some of the principal methods BEC criminals now use:
Bogus Invoice Schemes
In this type of attack, the perpetrator impersonates a “trusted” vendor and requests payment for services or products. The content of the message, the supposed sender, and the email format may look genuine, but the payment information is false and funds are fraudulently misdirected.
CEO Fraud
This type of BEC attack impersonates a company's CEO or another top-rank executive. The attacker asks the recipient to perform a specific action, usually either to authorize a payment, allow system access, or reveal sensitive data to another partner or associate.
Account Compromise
This type of attack can only take place if an actual account is compromised. Rather than “spoofing” an email account, the scammer has access to a genuine account and misuses it to request payment or gain further access to a network or system.
Attorney Impersonation
This type of attack takes advantage of people who will likely respond to a request from an attorney or legal representative. It impersonates an attorney and usually targets low-level employees. The attacker typically labels the message as time-sensitive, urgent, or confidential, improving the chances that the recipient will act on it without scrutiny.
Data Theft
In this type of attack, the hacker impersonates someone in the finance or HR department, and the goal is to access sensitive employee or customer data to sell or misuse.
Cost of BEC to Businesses
Over the years, BEC attacks have taken a heavy toll, and the costs continue to rise as the attacks become more varied and complex. Consider these statistics:
- The FBI logged almost 24,000 BEC attack complaints in 2019, with losses totaling $1.7 billion.
- Between 2019 and 2021, global losses from BEC attacks increased by 65%.
- Between 2013 and 2021, BEC attack victims in the U.S. suffered losses amounting to almost $15 billion.
- In 2020 alone, 65% of businesses experienced BEC attacks.
Real-world Examples of BEC
Facebook and Google
One of the biggest BEC scams ever, this scheme resulted in losses of about $121 million over a two-year period. The perpetrator and his associates set up a fake company with the same name as a genuine supplier, then issued invoices to Google and Facebook, which were paid. The bank accepted the transfers because of fake contracts and documents provided by the fake company.
Toyota
In 2019, a Toyota subsidiary was targeted by a BEC attack that ended up costing the parts supplier $37 million. Hackers convinced an employee to transfer the money long before the attack was detected.
One Treasure Island
One Treasure Island, a nonprofit based in San Francisco, was the target of a BEC attack that cost them over $600,000. The hackers compromised the email account of a third-party bookkeeper and manipulated an invoice, resulting in a loan intended for a partner organization to be transferred to the criminal’s bank account.
Government of Puerto Rico
In 2020, a high-level government employee was duped into transferring $2.5 million to a fraudulent bank account. This happened after receiving an email from another government employee—whose email account hackers compromised and used—informing them of a change in the banking details for remittance payments. The money was then transferred to the “new” bank account.
6 Ways to Mitigate the Risks of BEC Attacks
To effectively mitigate BEC attacks, a combination of staff awareness training, vigilance, and well-thought-out technological defenses is crucial. Email encryption, although effective, is just one component of a comprehensive email security strategy. No single effort is enough to repel all BEC attacks, so your security team should collaborate with employees at all levels to bolster the success of your security strategy.
Consider some of these email security best practices:
1. Educate Your Team on Cybersecurity and Business Email Compromise
Criminals understand that by subtly putting pressure on the recipient, they will likely fall for the deception. The pressure can take various forms:
- Communication from a superior
- A sense of financial or operational urgency
- A request from a trusted source
The deception, on the other hand, may take the form of impersonation, deceptive links, or email addresses the recipient is likely to trust. Some attacks are immediate and urgent, while others “groom” the victim into trusting the source over a period of time. So train employees to prevent BEC by recognizing these criminal strategies. Awareness leads to vigilance.
2. Label External Emails
Email software can be configured to recognize and label external or spoofed email addresses. In this way, you isolate possible BEC attacks from everyday internal communications that are legitimate.
3. Verify Communications Before Taking Action
Again, training plays a role here. Employees should make it a habit to visually check for abnormalities before responding to an email that requires sensitive action. Also, when in doubt, a quick phone call may be enough to verify unusual or even abnormal requests.
4. Set Up Two-factor or Multi-factor Authentication
Some BEC attacks succeed because they use compromised account credentials. This can be avoided by requiring two-factor authentication (2FA) or multi-factor authentication (MFA) for anyone accessing the system.
5. Use a Secure Email Gateway (SEG)
An SEG is a security solution that acts as a filter or checkpoint, inspecting external emails for malicious content before they are allowed entry into the organization's email server.
6. Set Up Antiphishing Protections
Antiphishing software can flag suspicious emails. It uses artificial intelligence (AI) to analyze and recognize potential BEC attacks.