Electronic mail, also known as email, is one of the most important business inventions of the late 20th century. It allows professionals to quickly exchange messages between devices in close proximity or across the globe. Many of these messages carry instructions, commands, requests, attachments, and other types of communication.
Users in fast-paced work environments often put their faith in the email system to optimize productivity and workflow, and threat actors exploit that very faith to make business email compromise (BEC) attacks so effective. BEC scams and fraud are such a growing menace today that the FBI has termed BEC “one of the most financially damaging online crimes.”
Read this in-depth guide for more on:
Here is a quick business email compromise definition: BEC is a kind of cybercrime and social engineering attack in which fraudsters use email to trick a target into sending money or sharing sensitive data for a financial crime. The threat actor may use email in different ways for a BEC scam, ranging from a spoofing attack to an actual email account compromise (EAC).
Use your email system’s anti-spam and anti-malware filters to block unsafe emails. Layer your email system’s built-in protection with security software to maximize your BEC defense. Consider encrypting sensitive data when sending it via email to prevent eavesdropping. Finally, flag emails where the From address and the Reply-To address do not match.
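As an added example (not code from the original guide), the following Python checks the From/Reply-To mismatch recommended above, together with the urgency and payment language that the sample BEC messages on this page rely on. The keyword list and the two sample messages are constructed for this example.

```python
# Added example: flag BEC indicators in raw RFC 5322 messages.
import email
import re
from email import policy
from email.utils import parseaddr

# Urgency/payment cues that recur in BEC lures (assumed keyword list).
LURE_PATTERNS = re.compile(
    r"\b(urgent|immediately|as soon as possible|asap|wire transfer|"
    r"within the next \d+ hours|time is of the essence)\b", re.I)

def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message):
    """Return the list of indicator names found in one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # The guide's tip: replies would go to a domain other than the sender's.
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    # Two or more pressure cues in subject plus body is treated as a signal.
    if len(LURE_PATTERNS.findall(text)) >= 2:
        found.append("urgency-payment-language")
    return found

# Constructed sample mirroring the wire-transfer lure on this page.
SAMPLE_BEC = """\
From: CEO <ceo@example.com>
Reply-To: ceo@example-mail.co
Subject: Urgent Request - Wire Transfer

Please process the wire transfer immediately; time is of the essence.
"""
# Constructed benign sample for comparison.
SAMPLE_BENIGN = """\
From: Alice <alice@example.com>
Subject: Lunch

Are we still on for Thursday?
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE_BEC))     # ['reply-to-mismatch', 'urgency-payment-language']
    print(bec_indicators(SAMPLE_BENIGN))  # []
```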
MFA can mitigate the risk of an attacker using stolen login credentials to access an email account for a BEC scam. With MFA, a threat actor needs a second form of identification to access the account. All high-risk employees in your organization, including executives, finance professionals, human resources staff, and administrators, must activate MFA on company email accounts.
Your organization can significantly improve its cybersecurity posture through training. Here are some practices employees should try to follow:
Work with your security team to conduct social engineering attack simulations. These exercises keep your staff sharp and help identify weak links in the fight against business email compromise scams. Also update your policies and training regularly to maintain your hardened cybersecurity posture.
Always use secure payment methods. Avoid sending payments via gift cards or cryptocurrency deposits. When sending a bank transfer, cross-check the banking information against your own records.
Learning to recognize phishing emails is essential to reducing the risk of BEC scams. Here are some tips that can help employees authenticate emails:
Use anti-malware software on all devices for safety against spyware. We recommend that companies roll out endpoint protection software to shield desktops, laptops, and smartphones from malicious programs that can assist scammers with BEC.
Threats to your servers can be even more damaging than threats to your endpoints. After breaching your endpoints, threat actors can access critical data such as financials and intellectual property, which lets them craft BEC emails that are almost indistinguishable from authentic ones. Invest in server security today to avoid losing time, money, productivity, and your organization’s reputation.
Create security protocols to verify payment requests, emails, and inquiries from your suppliers and vendors. Authenticate any unusual requests, such as changes in contact or payment information.
A typical business email compromise attack involves multiple phases:
The attackers research the target, whether it’s an individual, like the CFO of a company or a travel agent at a small business, or a team, like an HR or accounting department at an organization. They may also gather intelligence on the target organization’s vendors, business partners, clients, employees, email systems, and cybersecurity measures.
The tools threat actors use for intelligence gathering include search engines and social media pages like LinkedIn. The objective of intelligence gathering is to develop an accurate profile for a compelling social engineering attack and identify the most vulnerable targets.
After gathering intelligence, the attackers determine the best methods and tools for the greatest ROI on the BEC attack. For example, they can use a spoofed email account, spoofed website, hacked email account, phishing attacks, or a computer or device infected with malware.
Depending on the nature of the attack, threat actors may use different social engineering tactics to groom their targets and eventually employ the powers of persuasion to trick them into making bad decisions. They may also try to replicate common workflows, such as asking for a password or sending an important document.
The goal of grooming can be any of the following:
While the nature of the execution phase depends on the type of attack, it almost always involves impersonation through email.
Here are some BEC scenarios:
Whether the hackers use spoofed emails, fake emails, or malware in a business email compromise scam, the objective is always monetary gain. The money often goes to offshore locations where it’s challenging to trace.
The FBI and several other experts describe business email compromise (BEC) and email account compromise (EAC) as the same thing. However, some experts call EAC a close variant of BEC. If you want to get down to the details, you can think of EAC as a subset of BEC.
In a nutshell, BEC is a catchall term for any type of email fraud that attackers use to trick victims into sending money. For example, attackers can use spoofed email addresses, spoofed websites, spear phishing, and hacked email accounts to execute a business email compromise attack.
EAC is a type of email fraud where attackers use a hacked email account. Typical ways for someone to hack an email account for EAC include phishing, brute force attacks, and credential stuffing. They may also utilize keyloggers to steal a victim’s login credentials.
The business email compromise vs. phishing question may seem confusing, but it’s quite simple. A phishing attack is a kind of social engineering attack in which attackers use fraudulent emails for various purposes, including identity theft, intellectual property theft, trolling, malware infections, intelligence gathering, and BEC.
For example, they may use spear phishing to hack a CEO’s email account or to trick the CEO into sending a wire transfer to a fraudster’s bank account. Spear phishing attacks that target CEOs for a BEC scam are also known as whale phishing, or whaling.
Check our Cybersecurity Basics section if you’re wondering: What is a whaling attack?
BEC is an emerging crime that can impact an organization of any size or industry. Small and large organizations must take precautionary measures to mitigate the risk of business email compromise. Here are some of the most infamous recent examples of business email compromise incidents:
Dear [Your Name],
I hope this email finds you well. We have an urgent payment request that requires your immediate attention. Our company has recently provided services to your organization, and we have yet to receive payment for the outstanding balance.
As such, we kindly request that you make payment as soon as possible to avoid any further delay. Please find attached the invoice for your reference. The payment details are as follows:
Bank Name: [Bank Name]
Account Name: [Account Name]
Account Number: [Account Number]
Swift Code: [Swift Code]
Amount Due: [Amount Due]
We would appreciate it if you could settle this payment within the next 24 hours, and provide us with the confirmation details once payment is made. If you have any questions, please do not hesitate to contact us.
Thank you for your prompt attention to this matter.
Subject: Urgent Legal Matter - Please Respond ASAP
Dear [Your Name],
I hope this email finds you well. My name is John Smith, and I'm an attorney representing XYZ Corporation in a legal matter involving your company. Our client has instructed us to contact you directly regarding this matter.
It has come to our attention that there is an urgent matter that needs to be addressed immediately, and we request that you respond to this email as soon as possible. We would also like to schedule a phone call to discuss the details of the case.
Please note that this communication is confidential and privileged and should not be disclosed to any third parties without our express written consent.
Thank you for your attention to this matter.
Attorney at Law
Subject: Urgent Request - Wire Transfer
Dear [Your Name],
I hope you're having a productive day. As you know, we are in the middle of an important business deal that requires us to transfer a substantial amount of funds to our overseas partners. Unfortunately, there has been a delay in the processing of the wire transfer due to an issue with our banking system.
In light of this delay, I urgently request that you transfer the sum of [amount] to the following account [account details]. Please ensure that the transfer is processed immediately, as time is of the essence in this matter.
I understand that this is an unusual request, but I assure you that it is a necessary step to ensure success.
The main goal of business email compromise is to trick a target into transferring money, usually via wire transfer. Some fraudsters also ask for gift cards, while others try to steal confidential data to hack email accounts.
Although the goal of a BEC scam is almost always financial, attackers may combine different methods to achieve their objectives, such as malware, fake invoices, impersonation, and spear phishing. The ultimate targets of these attacks are people with the ability to send money, such as company executives, finance managers, and clients of law firms or real estate businesses. Vendors are also targets of these scams, especially in a targeted supply-chain attack.
Business email compromise is a problem because email is exposed to many types of scams, owing to the fast-paced nature of modern workplaces, remote working, and security weaknesses within email systems. In addition, many employees in hybrid work environments lack sufficient technology or training to defend themselves against cybercrime.
BEC is also a significant problem because a successful attack can harm a company’s reputation, operations, and morale, and leave it open to fines and civil action.
For advanced cybersecurity, your organization should invest in a robust EDR platform. A top Endpoint Detection and Response mechanism can prevent different types of malware, including ransomware, from harming your business.
With cutting-edge technology and improved employee awareness, your organization can prevent losses to business email compromise attacks and optimize workflow confidently.
Signs and symptoms of a business email compromise (BEC) attack include:
The FBI has specially trained squads across the United States to investigate cybercrime. They request that victims of online or Internet-enabled crimes contact the Internet Crime Complaint Center (IC3) for help. The speed with which you report a crime can improve the outcome.
Cybercriminals from any corner of the world can be responsible for a BEC attack. However, many scams originate overseas, where such crimes are harder to trace. BEC attacks target businesses of all sizes, governments, and other organizations, but small businesses are attacked most often. BEC is a type of phishing attack in which the attacker seeks to steal critical information, data, or money. HR and finance departments are increasingly the targets of BEC.
The main goal of business email compromise is to fraudulently gain money.