Table of contents
- What is Business Email Compromise?
- How Does Business Email Compromise Work?
- Business Email Compromise vs Phishing
- Types of Business Email Compromise
- Why it is Hard to Detect Business Email Compromise
- How to Detect a Business Email Compromise Attack[Checklist]
- How to Prevent Business Email Compromise Attacks
- 3 Real World Examples of BEC Scams
- 5 Tools to Help Prevent BEC Attack
Between October 2013 and December 2023, 158,436 U.S. BEC attack victim complaints were reported to the IC3 department, resulting in a total U.S. exposed dollar loss of $20 089 561 364. This shows how dangerous and widespread BEC attacks can be.
This article will explore everything you need to know about Business Email Compromise(BEC), how to prevent it, and the red flags to look out for in emails to help detect a scam email.
What is Business Email Compromise?
Business Email Compromise is a type of cyberattack in which an attacker uses email to target organizations and deceive employees, business partners, or customers into sharing confidential data or transferring funds.
In BEC attacks, the identity of someone, either a company executive, a trusted vendor, or a colleague, is impersonated to gain the victim's trust. The attackers often leverage urgency, authority, or emotional strategies such as praise to trick the recipient into action.
How Does Business Email Compromise Work?
BEC attacks are highly targeted and well-researched, as the attackers try to ensure that every communication touch point seems like a normal conversation. Here is a breakdown of how the Business Email Compromise works.
Research
The attacker often begins by gathering as much information as possible about the target organization and its employees. The aim is to identify individuals with access to confidential and sensitive resources that can be exploited.
Initial Contact
The attacker moves from the research phase to establishing initial contact by either email spoofing a trusted entity or compromising that person's email account.
Manipulation
Once initial contact is established, the attacker uses psychological tactics to pressure the targeted victim into taking action by either creating urgency or exploiting authority. If this phase is successful, the organization will lose either funds or confidential information to an attack.
To avoid detection or tracing an attack, the attacker deletes all sent emails or alters email forwarding rules in compromised accounts.
Business Email Compromise vs Phishing
Business Email Compromise (BEC) is a highly sophisticated and well-targeted cyberattack that uses email to exploit trust by impersonating high-ranking corporate officials, vendors, or employees and deceiving specific individuals for financial gain or data theft. In a BEC attack, the attackers leverage technologies like artificial intelligence(AI) and Machine learning(ML) to thoughtfully research their targets and craft compelling messages that appear authentic.
Phishing, on the other hand, is a broad cyberattack in which the attacker uses mass emails with malicious links and attachments to deceive victims into providing sensitive information or downloading malware.
Types of Business Email Compromise
There are several types of business email compromise attacks. In this section, we will explore the most common ones.
CEO Fraud
CEO fraud is a type of BEC scam in which attackers impersonate the CEO or another high-ranking executive in the organization, such as the CFO or CTO, and send an email to a lower-level employee requesting urgent actions, such as an urgent wire transfer or the sending of sensitive company data.
If data is successfully obtained, it can be used for other cybercrimes, such as identity theft or corporate spying, which is very harmful and can damage a company's reputation.
Invoice or Vendor Fraud
In the Invoice or vendor fraud type of BEC scam, attackers often target the accounts payable department by impersonating a trusted vendor and manipulating legitimate invoices or redirecting payment details to accounts controlled by them.
This type of BEC scam requires extensive research, as the attacker needs to know the supplier's details and the amount of invoices.
Thread Hijacking
This type of attack often involves the fraudster invading and exiting an email conversation and trying to divert payments into their account or steal information that can be used to perpetuate further scams. Attackers who take this route usually wait for the right time to strike after gaining access to an email account.
Account Compromise
Account compromise is a BEC scam in which attackers gain access to a corporate employee’s account through phishing or brute force. They use it to send fraudulent messages to colleagues, partners, or clients, often requesting vendor invoice payments or sending sensitive data.
Legal Impersonation
Legal impersonation, also known as attorney impersonation, is a scam in which fraudsters target victims by impersonating lawyers or legal representatives associated with a company to pressure employees into urgent actions such as requesting wire transfers or the submission of sensitive documents.
Payroll Diversion
This BEC attack focuses on impersonating an employee to request the redirection of payroll funds, which will be diverted into the fraudster's account during the next payroll cycle. The attacker targets HR or payroll departments.
Why it is Hard to Detect Business Email Compromise
Business Email Compromise (BEC) is a challenging cyberattack to detect due to its minimal technical indicators and high reliance on human psychology. In this section, we will explore four reasons why BECs are hard to detect.
Lack of Malware or Suspicious Attachment
Most BEC attackers rely on highly targeted and crafted social engineering emails that mimic legitimate communication and do not rely on malicious links, malware, or attachments. Since the email contains no attachments or suspicious links that indicate compromise, email security software may fail to flag these messages as threats, and victims often fall prey, thinking they are trusted emails.
Use of Email Spoofing and Domain Impersonation
In a BEC attack, attackers often create email addresses that are almost similar to their target's actual email addresses. This action makes spotting discrepancies in email addresses hard for employees. The attacker can make small changes to the actual IDs, such as replacing an ‘o’ with a ‘0’, swapping a “.com” domain for “.co,” or totally leaving a letter out.
Personalized Attacks
As part of a BEC scam, attackers often conduct in-depth and extensive research on their targets. They could spend the bulk of their time trying to study how a target communicates in an email, learning about the organization, etc. This enables them to create more personalized emails by referencing names, projects, or events in the same tone the target often uses.
Legitimate Email Addresses
Attackers sometimes gain access to a legitimate email account through phishing or brute-force attacks. This gives them access to send emails from this compromised account. It is generally difficult to distinguish this scam from genuine communication since it is sent from a trusted source.
How to Detect a Business Email Compromise Attack[Checklist]
While a Business Email Compromise scam may be tricky to detect due to how personal and well-thought-out it may be, it usually has some red flags. Here are seven red flags that can help you identify a BEC attack. Download your checklist.
Odd Email Addresses
Attackers often use email addresses similar to the target's but with subtle differences. One way to detect this is to double-check the sender’s email address rather than display the name.
Unusual Requests
In BEC scams, attackers request the exposure of sensitive information or the transfer of funds. Be cautious of emails containing strange or confidential requests.
Changes to Payment Details
These emails often request updates to payment instructions. Always look for and confirm such changes via other communication channels.
Suspicious Login Activity
In cases of an account takeover, you may receive a notification of login attempts. Ensure you enable alerts for suspicious activities to allow you to track login attempts and identify unauthorized access.
Request for Confidentiality
Attackers often understand that if victims contact the supposed sender over alternative communication channels, they may discover that the email is fake. To prevent this, they ask victims to keep the request secret and only communicate through email.
Urgency and Pressure
A major component of these emails that makes them successful is the use of psychological triggers such as urgency and pressure. In these emails, you will likely see words that make them appear urgent and spur the victim into immediate action.
Inconsistent Language Formatting and Tone
While BEC scammers often take the time to mimic professional tones, subtle grammatical errors, awkward phrasing, or inconsistent language may be used in these emails.
How to Prevent Business Email Compromise Attacks
Preventing BEC scams requires the adoption of several actionable strategies. Here are six strategies you can combine to prevent business email compromise in your organization.
Strengthen Email Security
You can significantly reduce the likelihood of BEC scams by implementing technical controls limiting the risk of unauthorized access. Some technical controls that can be put in place are
Email authentication protocols such as SPF ensure emails are sent from authorized servers; DKIM verifies email content integrity and authenticity, and DMARC prevents the unauthorized use of your domain in email spoofing.
Multi-factor authentication requires a second verification form before you can access your email account.
Advanced Threat Protection uses email filtering systems to detect and block suspicious attachments or links.
Strong Password
Employee Education and Cyber Awareness
Training employees to recognize and respond to potential scams is paramount, as BEC scams are heavily dependent on human error. Organize mock phishing campaigns to test employees' ability to detect scams. Lastly, encourage all employees to always double-check unusual requests, especially those involving financial transactions or sensitive data.
Establish Strong Internal Protocols
BEC scams often require the urgent transfer of funds or sensitive information. As such, you should set clear guidelines for handling financial and sensitive information. For example, adopt a protocol that often requires verbal or in-person confirmation before sending any payment request or sensitive information. Also, consider assigning different personnel to initiate and approve financial transactions.
Invest in Cybersecurity Tools
Investing in technological solutions that help protect you against cyber threats shouldn’t be considered a cost but an investment capable of saving you a ton of funds. Consider investing in AI-powered threat detection, Endpoint protection, and Data loss prevention tools.
Consistently Monitor and Report all Suspicious Activities
Ensure you monitor login activity. Most cybersecurity tools can flag logins from unusual locations or devices, giving you an advantage in the early detection of these activities. As a security practice, always review email forwarding rules to redirect emails without the user’s knowledge. Lastly, a clear response plan to BEC attacks should be developed, including notifying stakeholders and reporting such incidents to relevant authorities.
3 Real World Examples of BEC Scams
Several companies have fallen prey to the hands of BEC attackers. Here are three of such companies.
Facebook and Google BEC Scam
From 2013 to 2015, Evaldas Rimasauskas carried out a $100 million phishing scam targeting Facebook and Google. He did this by impersonating Quanta Computer, a legitimate electronics manufacturer, and sending phishing emails to employees of both companies, tricking them into wiring money to fraudulent accounts.
He also allegedly forged the signatures of company executives on documents to withdraw funds from banks in multiple countries.
Toyota BEC Scam
Toyota Boshoku, a supplier of Toyota car interiors, fell victim to a business email compromise in August 2019. This led to the transfer of approximately $37 million to the attackers. This scam involved Toyota Boshoku’s European subsidiary being deceived into wiring funds to a bank account controlled by the fraudsters.
Ubiquiti Network BEC Scam
Another BEC scam was Ubiquiti Networks, which occurred in 2015. The company, led by Robert Pera, lost $46.7 million in a BEC scam involving employee impersonation and fraudulent wire transfer requests.
Over 17 days, the company made 14 wire transfers to accounts in several countries and only learned that this was a scam after being contacted by the FBI.
The attackers impersonated Robert Pera and a lawyer from Latham & Watkins, using fake email accounts to request funds transfer for a supposed acquisition.
5 Tools to Help Prevent BEC Attack
With the rise and sophistication of BEC scams, protecting your organization from them is essential. Here are five security tools designed to help you prevent business email compromise.
Microsoft 365 Defender
Microsoft Defender for Office 365 helps protect your organization by offering several solutions to detect suspicious emails. It allows you to automatically check email authentication standards, detect spoofing, and send emails to quarantine folders. You can also check domain-wide email patterns and get a highlight of unusual activity.
Proofpoint
Proofpoint offers an end-to-end integrated solution to fight business email compromise. It addresses the various tactics used in email fraud attacks, such as lookalike domains and domain spoofing.
It also uses Advanced BEC defense to detect and stop email attacks effectively.
Perception Point
Perception Point has anti-BEC layer technology that leverages various technologies and specializes in detecting Business Email Compromise attacks, even when malicious files or URLs are absent. It protects organization assets by validating the authenticity of an email ender, analyzing the language, time, and communication patterns for suspicious behavior, and also employing AI/ML-powered behavioral analysis algorithms.
Cloudflare Area1 Email security
With Cloudflare Area1 Email Security, you can easily block and isolate phishing threats, business email compromise, and multi-channel attacks.
It enables you to detect deceptive attacks, such as attempts to impersonate employees and vendors to steal data and extract funds.
Abnormal Security
Abnormal Security uses artificial intelligence to model normal behavior based on thousands of identity attributes to detect impersonation easily. It does this by leveraging past communication and relationship patterns to detect behavioral anomalies, even if the email comes from a legitimate domain.