Business Email Compromise, or BEC, is a type of scam where cybercriminals impersonate trusted parties, such as the CEO, business partners, or other executives in a company. The goal is to try and defraud companies of important assets by successfully tricking email recipients into handing over sensitive information and/or data.
Similar to other types of phishing attacks, BEC relies heavily on social engineering to work. Most times, you won’t even find malicious links or attachments. This renders BEC attacks incredibly difficult to detect by the cybersecurity tools you have.
Why Do Attackers Commit BEC?
These scams are often financially motivated, with attackers asking you to do an urgent wire transfer. It’s also common for attackers to pose as the CEO or a vendor and ask personnel with financial access to re-route a wire transfer to a fraudulent bank account. If you have foreign suppliers, this type of scenario might be even more common.
Although usually there’s some kind of financial transaction involved, attackers might also use BEC to retrieve sensitive data that they can then use in another attack or to sell on the dark web.
For example, cybercriminals might aim for your login credentials instead so they can take over your accounts and use them in a later attack. Additionally, sensitive information, such as Personal Identifiable Information (PII), is also a tangible good to attackers. They can often sell this information to buying parties.
The Massive Cost of BEC to Businesses
In 2020, the FBI determined BEC as the costliest cyber attack. This annual FBI report also shares that there were 19,369 BEC complaints recorded, with an adjusted loss of approximately $1.8 billion. For comparison, total cyber attack complaints for 2020 amounted to 791,790, with the total adjusted loss of $4.1 billion.
What does this mean exactly?
Well, BEC only made up 2% of the total number of complaints. Yet, it managed to account for almost half of the total loss suffered in 2020.
Differences from Email Account Compromise
Email Account Compromise (EAC), specifically, involves advanced techniques that hackers use to gain unauthorized access to a legitimate email account.
Often, EAC is thought to be synonymous with BEC. A big portion of BEC attacks is launched from compromised email addresses, which might be where the confusion stems from.
That said, a BEC attack doesn’t have to be done from a compromised account. Sending emails from a legitimate address adds another layer of authenticity. However, it requires attackers to infiltrate the email first, which requires deep technical knowledge and more resources than hackers may be willing to exert.
BEC itself doesn’t require hackers to have such expertise. Resources are usually spent more on the research portion of the attack. Plus, there are easier techniques to gain trust from a target, such as:
- Email spoofing: SMTP, the protocol used to send emails, doesn’t have authentication protocols built into it. (To do this, email service providers usually do authentication checks by checking the email’s SPF, DKIM, and DMARC records, which will help you weed out spoofed emails.) Without these authentication protocols, or unless you pay careful attention to the sender details, attackers can simply fake the display name and sender address of incoming email messages.
- Lookalike domains: There are dozens of domains that look just like yours; it’s hard to keep track of them all. Attackers take this opportunity to buy these lookalikes and appear legitimate to unsuspecting users. For example, if your domain is called ‘securityfirm.com’, the attacker might purchase ‘security-firm.com’ and use that in their BEC attack instead.
5 Common Types of Business Email Compromise Attacks
There are five types of BEC attacks according to the method used in the attack. Let’s take a detailed look at them below.
1. CEO Fraud
In a CEO fraud attack, scammers impersonate someone with executive authority within the company, such as the CEO or other C-suite executives with an official business email account. These two are the most prominent signals of a BEC attack:
- A sudden, unexpected, and urgent request
- A scenario where you can’t verify the transaction with anyone else
CEO fraud takes advantage of the power dynamic within the company. That, combined with social engineering tactics like urgency, scarcity, and specificity, is oftentimes enough for attackers to persuade the target to do what they request.
A common scenario for CEO fraud is when an attacker poses as a CEO and sends an urgent request for a transfer of funds to someone in the finance department.
The CEO could say that they’re in a meeting with a vendor and just found out that the last payment didn’t go to their new account. The CEO might then request a junior-level accountant to pay right now so they can maintain a good relationship with the vendor.
Another common play is posing as an executive and mentioning that they’d like to appreciate employees with gift cards. Then, they’d ask the target to help them purchase the gift cards using company funds but to keep it a secret because they want it to be a surprise.
2. Account Compromise
With email account compromise or account takeover, attackers use a compromised account to launch their attack. Given that it comes from a legitimate email address, the email won’t trigger any security notification from the target’s email security tools. Additionally, if it’s an email address the recipient is familiar with, they might let their guard down.
Attackers might launch this attack against a client and ask them to update the payment details they have on-hand with a fraudulent bank account instead.
Having a legitimate email account also makes it easier for hackers to internally request sensitive data, especially if the compromised account has a high level of security permission.
3. Attorney Impersonation
As the name suggests, hackers impersonate the legal professionals you’re working with. People often panic when they hear legal troubles, which might be why attorney impersonation works so well.
The target for attorney impersonation is usually low-level employees with no way to validate the request. The “legal” or administrative request will usually come at the end of the workday when recipients don’t really have anyone to consult with. And since it’s something that appears confidential and urgent, the unwitting employee obliges the request anyway.
4. Data Theft
Instead of money, attackers in a data theft aim for personal or sensitive information that can be used for future attacks. The main target for these attacks is often the HR and bookkeeping department who collects and stores the most sensitive personal data from employees, such as social security numbers or tax ID.
Fraudsters might be using this to augment future attacks, but it’s also highly likely that they’ll sell this information on the dark web. Beware of identity theft if sensitive employee details are recently leaked this way.
5. False Invoice Scheme
Most often seen when working with foreign suppliers, this type of BEC attack involves attackers posing as a vendor to send a fake invoice with fraudulent account information attached.
The attachment itself often doesn’t contain any malware either, so it won’t set off your anti-malware scans.
The supposed vendor might send this to your finance department, mentioning that they have moved to a new bank account and attaches the fraudulent bank details.
Phases in a BEC Scam
Although there are not a lot of similarities between each type, the general steps attackers go through during a BEC scam are more or less the same.
1. Email Account Targeting and Research
Most experienced hackers invest a significant portion of their resources into identifying their target and then conducting thorough research about the company.
Beyond public info available on the internet, like social media posts, press releases, or the news, hackers will try to find more confidential business information about the company in mind.
This kind of reconnaissance includes familiarizing themselves with some of the following:
- Specific business processes.
- Workflows involved in different employees’ day-to-day responsibilities.
- Who is responsible for making payments.
- Details about payments made to vendors (schedules, banks, etc.).
2. Commencing the Cyber Attack
After gathering enough information, fraudsters decide whom specifically they’re going to attack, and what believable scenario they’re going to craft to ensure the best chance of success.
They decide on the method they’re going to use and prepare accordingly. They’ll start to:
- Craft phishing emails.
- Gain access to the email address they’re going to use.
- Eventually start sending the personalized, specific phishing email to the target.
3. Social Engineering
At this stage, fraudsters start doing what they do best—persuading the target and earning their trust.
By impersonating trusted figures and using various social engineering techniques, hackers are already halfway there. At this point, they’ll try to get the target to do the task they want and prevent them from checking with another person that might recognize this as a scam.
4. Data Breach
This is the end goal for most hackers.
After successfully convincing the target, this is where fraudsters essentially “collect” and where you might realize you’ve fallen victim to an attack.
The reward for hackers might be financial gain, such as a transfer of funds, but it can also be a data breach that leaks private information to the hacker. In this case, they’d be able to use this data for future attacks, distribute them, or again, sell them.
What to do if you’re a victim: Ideally, hackers shouldn’t reach this stage and you’d be able to protect against any data loss. However, if they did, immediately call your bank and see if you can dismiss the transfer of funds. Additionally, file a complaint with the FBI’s Internet Crime Complaint Center (IC3) to make sure that the incident has been recorded so it can be investigated.
Protect Against BEC and Scams with Valimail
As BEC emails rarely contain malware, it’s hard to detect these types of phishing scams if you rely on endpoint security solutions alone.
The key in a BEC scam is that there’s usually a sense of urgency built into the messages and it doesn’t allow you to follow up with the people involved in the process.
For emails with markers like these, you should trust your gut and ask yourself: Does the email request make sense? Did you expect the email?
Additionally, set up multi-factor authentication whenever a transfer of funds is required that involves multiple people. By running the request through multiple people, hopefully, one of them will catch on if they see a sudden request like the one commonly used in BEC scams.
That said, BEC emails will fail regardless of the hacker’s social engineering skills if the email never reaches your inbox in the first place. This is where DMARC can help.
Having DMARC enforcement for your domain helps your employees identify spoofed emails sent on behalf of your domain.If you’re looking for the most cost-effective way to reach DMARC enforcement without overloading your IT team with more requests, Valimail Enforce can get you up and running quickly. Try it for free today.