What is business email compromise (BEC) and how to prevent BEC attacks

What is BEC?

Electronic mail, also known as email, is one of the most important business inventions of the late 20^th century. It allows professionals to quickly exchange messages between devices in close proximity or across the globe. Many of these messages carry instructions, commands, requests, attachments, and other types of communication.

Users in fast-paced work environments often put their faith in the email system to optimize productivity and workflow. And threat actors leverage this very faith in the system to initiate business email compromise (BEC) attacks so effectively. BEC scam and fraud is such a growing menace today, that the FBI has termed it as “one of the most financially damaging online crimes.”

Read this in-depth guide for more on:

1. What is business email compromise?
2. The main goal of business email compromise.
3. BEC attack examples.
4. How to prevent business email compromise.

Business email compromise definition: What is business email compromise (BEC)

Here is a quick business email compromise definition: BEC is a kind of cybercrime and social engineering attack where fraudsters use email to trick a target into sending money or sharing sensitive data for a financial crime. The threat actor may use email in different ways for a BEC scam, from a spoofing attack to an actual email account compromise (EAC).

How to prevent business email compromise

Secure email

Use your email’s anti-spam and anti-malware filters to block unsafe emails. Layer your email’s baked-in protection tools with security software to maximize your BEC defense. Consider encrypting sensitive data when sending it via email to prevent eavesdropping. Finally, flag emails where the from and reply email addresses mismatch.

Multifactor authentication (MFA)

MFA can mitigate the risk of a hacker using stolen login credentials to access an email account for a BEC scam. With MFA, a threat actor may need a second form of identification to access an email account. All high-risk employees in your organization, including executives, finance professionals, human resources, and administrators, must activate MFA on company email accounts.

Cybersecurity literacy

Your organization can significantly improve its cybersecurity posture through training. Here are some practices employees should try to follow:

• Never click unsolicited email links, as they may lead users to malicious websites or malware.
• Avoid sharing confidential information online, such as details of a business transaction or travel plans. Threat actors can use sensitive information to create more compelling spear phishing attacks.
• Think twice before downloading unknown software.

Business email compromise exercises

Work with your security team to conduct social engineering attack simulations. These exercises will keep your staff sharp and help identify weak links in the fight against business email compromise scams. Please also regularly update your policies and training to maintain your hardened cybersecurity posture.

Secure payments

Always use secure payment mediums. Avoid sending payments via gift cards or cryptocurrency deposits. When sending a bank transfer, crosscheck the banking information with your records.

Email authentication

Learning to recognize phishing emails is essential to reducing the risk of BEC scams. Here are some tips that can help employees authenticate emails:

1. Watch out for unusual terminology, strange greetings, or grammatical and spelling errors.
2. Avoid opening unsolicited attachments.
3. Be wary of requests for passwords or other sensitive data.
4. Always check the email address to ensure it matches the sender’s actual email.
5. Carefully scrutinize email requests for fund transfers.
6. Watch out for invoices with short payment notices.
7. Double-check unusual payment requests, even if they’re from entities you trust.
8. Investigate payment requests that require you to skip authorization checks.
9. Trust your instincts if you notice something unusual about a payment request. Take a deep breath and investigate first.

Endpoint security

Use anti-malware software on all devices for safety against spyware. We recommend that companies roll out endpoint protection software to shield desktops, laptops, and smartphones from malicious programs that can assist scammers with BEC.

Server security

Threats to your servers can be even more lethal than threats to your endpoints. After breaching your endpoints, threat actors can access critical data like financials, intellectual property, and more to create BEC scams that are almost identical to authentic emails. Invest in server security today to stop the loss of time, money, productivity, and your organization’s reputation.

Supply chain management

Create security protocols to verify payment requests, emails, and inquiries from your suppliers and vendors. Authenticate any unusual requests, such as changes in contact or payment information.

How does business email compromise (BEC) work?

A typical business email compromise attack typically involves multiple phases:

1. Intelligence Gathering

The attackers research the target, whether it’s an individual, like the CFO of a company or a travel agent at a small business, or a team, like an HR or accounting department at an organization. They may also gather intelligence on the target organization’s vendors, business partners, clients, employees, email systems, and cybersecurity measures.

The tools threat actors use for intelligence gathering include search engines and social media pages like LinkedIn. The objective of intelligence gathering is to develop an accurate profile for a compelling social engineering attack and identify the most vulnerable targets.

2. Planning

After gathering intelligence, the attackers determine the best methods and tools for the greatest ROI on the BEC attack. For example, they can use a spoofed email account, spoofed website, hacked email account, phishing attacks, or a computer or device infected with malware.

3. Grooming

Depending on the nature of the attack, threat actors may use different social engineering tactics to groom their targets and eventually employ the powers of persuasion to trick them into making bad decisions. They may also try to replicate common workflows, such as asking for a password or sending an important document.

The goal of grooming can be any of the following:

1. More intelligence gathering.
2. Dropping malware like Trojans or spyware.
3. Hacking an email account.
4. Preparing a target for the penultimate business email compromise attack phase.

4. Execution

While the nature of the execution phase depends on the type of attack, it almost always involves impersonation through email.

Here are some BEC scenarios:

1. Finance employees in an organization receive an email from a company executive requesting a payment transfer. The email is from a spoofed email account that appears real because the address is only slightly varied from the actual address.
2. The hackers send an email from a CEO’s hacked account to a business partner asking for a wire transfer for a business transaction.
3. Defendants in an ongoing case receive an urgent email from their attorney asking for a deposit to a bank account.
4. After gaining access to an A/R manager’s email account with malware, the scammers send invoices with their own bank account numbers to all the company’s customers.
5. An email from a hacked retailer’s account asks customers for sensitive information such as credit card numbers.

5. Monetary Gain

Whether the hackers use spoofed emails, fake emails, or malware in a business email compromise scam, the objective is always monetary gain. The money often goes to offshore locations where it’s challenging to trace.

BEC vs EAC

The FBI and several other experts describe business email compromise (BEC) and email account compromise (EAC) as the same thing. However, some experts call EAC a close variant of BEC. If you want to get down to the details, you can think of EAC as a subset of BEC.

In a nutshell, BEC is a catchall term for any type of email fraud that attackers use to trick victims into sending money. For example, attackers can use spoofed email addresses, spoofed websites, spear phishing, and hacked email accounts to execute a business email compromise attack.

EAC is a type of email fraud where attackers use a hacked email account. Typical ways for someone to hack an email account for EAC include phishing, brute force attacks, and credential stuffing. They may also utilize keyloggers to steal a victim’s login credentials.

BEC vs Phishing

The business email compromise vs phishing attack question may seem confusing, but it’s quite simple. A phishing attack is a kind of social engineering attack where attackers use compromised emails for various purposes, including identity theft, intellectual property theft, trolling, malware infections, intelligence gathering, and BEC.

For example, they may use spear phishing to hack a CEO’s email account or trick them into sending a wire transfer to a fraudster’s bank account. Spear phishing attacks that target CEOs for a BEC scam can also be defined as whale phishing.

Check our Cybersecurity Basics section if you’re wondering: What is a whaling attack? 

Types of business email compromise

1. Business email account takeover: These attacks usually target professionals such as executives or finance professionals. After hacking the account, the threat actor requests money from the victim’s contacts, such as clients or vendors.
2. Spear phishing: Spear phishing is a more focused version of phishing targeting an individual or small group of people. Unlike typical phishing attacks, spear phishing attacks are more dangerous because they are customized to deceive a specific target.
3. Malware: BEC fraudsters can use different types of malicious software to hijack a finance executive’s account to initiate various scams.
4. Data theft: The act of stealing data is sometimes a stepping stone for a BEC attacker. They can use stolen sensitive data to create more believable BEC scams or hack into email accounts.
5. CEO fraud: In this scam, fraudsters hack or spoof a senior executive’s email account to trick an employee, business partner, or vendor into sending funds, typically via bank transfer. A scammer may also ask for gift cards or demand sensitive information. 
6. Lawyer impersonation: Law firms are the target of such scams. After hacking a lawyer’s email account, the scammer will try to defraud the firm’s clients, usually with fake invoices.
7. False invoice scheme: The clients of law firms aren’t the only businesses victimized by fake invoice scams. Clients of real estate agencies, web designers, and other small to medium-sized businesses can fall prey to these BEC attacks.
8. Vendor email compromise: American and European companies with overseas suppliers are typical targets for this type of BEC attack. Scammers pretend to be suppliers asking for payment. Different time zones and language barriers add to the confusion, convincing companies to pay the urgent-looking fraudulent invoices.
9. Git card scams: Instead of asking for wire transfers, many low-level BEC fraudsters ask for payments via gift cards because such payment mediums are almost impossible to trace. However, gift card BEC scams are usually less financially damaging than wire transfer business email compromise scams.
10. Payment diversion scams: A scammer pretending to be a CEO may ask the finance department to halt an ongoing payment and send it to a different account, as per the “request of the vendor” in this type of fraud.
11. Man in the Middle (MitM) attack: A hacker intercepts traffic between two entities to gather intelligence or manipulate communication in a MitM attack. MitM can allow BEC attackers to steal login credentials to email accounts to start their fraud campaign.
12. Credential stuffing: When attackers “stuff” stolen “credentials” in a login system in hopes of gaining unauthorized access to an email account, the technique is called credential stuffing. Organizations that avoid changing passwords periodically are more prone to BEC scams fueled by credential stuffing.

Business email compromise examples

BEC is an emerging crime that can impact an organization of any size or industry. Small and large organizations must take precautionary measures to mitigate the risk of business email compromise. Here are some of the most infamous recent examples of business email compromise incidents:

1. 2013-2015: Technology leaders Facebook and Google lost over $120 million in a BEC scam that leveraged the name of a real hardware vendor.
2. 2015: IT business Ubiquiti lost over $45 million to a BEC scam where threat actors impersonated a vendor.
3. 2019: Renowned automobile company Toyota has been hit by several BEC attacks over the years. In 2019, a European subsidiary of the company lost nearly $40 million to a BEC scam.
4. 2020: Making headlines worldwide, the government of Puerto Rico was tricked by a scammer into sending $2.6 million into a fraudulent account.

Payment business email compromise example

Dear [Your Name],

I hope this email finds you well. We have an urgent payment request that requires your immediate attention. Our company has recently provided services to your organization, and we have yet to receive payment for the outstanding balance.

As such, we kindly request that you make payment as soon as possible to avoid any further delay. Please find attached the invoice for your reference. The payment details are as follows:

Bank Name: [Bank Name]

Account Name: [Account Name]

Account Number: [Account Number]

Swift Code: [Swift Code]

Amount Due: [Amount Due]

We would appreciate it if you could settle this payment within the next 24 hours, and provide us with the confirmation details once payment is made. If you have any questions, please do not hesitate to contact us.

Thank you for your prompt attention to this matter.

Sincerely,

[Name]

[Title]

[Company Name]

Legal business email compromise example

Subject: Urgent Legal Matter - Please Respond ASAP

Dear [Your Name],

I hope this email finds you well. My name is John Smith, and I'm an attorney representing XYZ Corporation in a legal matter involving your company. Our client has instructed us to contact you directly regarding this matter.

It has come to our attention that there is an urgent matter that needs to be addressed immediately, and we request that you respond to this email as soon as possible. We would also like to schedule a phone call to discuss the details of the case.

Please note that this communication is confidential and privileged and should not be disclosed to any third parties without our express written consent.

Thank you for your attention to this matter.

Best regards,

John Smith

Attorney at Law

CEO fraud business email compromise example

Subject: Urgent Request - Wire Transfer

Dear [Your Name],

I hope you're having a productive day. As you know, we are in the middle of an important business deal that requires us to transfer a substantial amount of funds to our overseas partners. Unfortunately, there has been a delay in the processing of the wire transfer due to an issue with our banking system.

In light of this delay, I urgently request that you transfer the sum of [amount] to the following account [account details]. Please ensure that the transfer is processed immediately, as time is of the essence in this matter.

I understand that this is an unusual request, but I assure you that it is a necessary step to ensure success.

Understanding the main goal of business email compromise

The main goal of business email compromise is to trick a target into transferring money, usually via wire transfer. Some fraudsters also ask for gift cards, while others try to steal confidential data to hack email accounts.

Although the goal of a BEC scam is almost always financial, attackers may use a combination of different methods to achieve their objectives, such as malware, fake invoices, impersonation, and spear phishing. The ultimate target of these attacks are people with the ability to send money, such as company executives, finance managers, and clients of law firms or real estate businesses. Vendors are also targets of these scams, especially in a targeted supply attack.

Risks of business email compromise (BEC)

4. Financial losses: Organizations can suffer significant financial losses.
5. Reputational damage: Business partners may lose trust in a company that’s deceived by a BEC scam.
6. Operational losses: Paying a scammer instead of the supplier can result in grave short-term and long-term cash flow challenges.
7. Compliance Issues: A data breach where sensitive client information is stolen can result in legal problems.

Related articles

• Malwarebytes Ransomware Review August 2022
• 5 Essential security tips for small businesses
• White paper: Malwarebytes best-informed telemetry: Unmatched threat visibility

• Gang arrested for SIM-swapping celebrities, stealing $100 million

• What is password manager?