BEC stands for Business Email Compromise. BEC occurs when an attacker attempts to use email to trick someone in a business into sending them money, assets, or information. For example, they may impersonate the CEO and claim they need to make payroll adjustments or send fake invoices. It often occurs in conjunction with other attacks like email spoofing, which makes it harder for recipients to detect.

Detecting BEC with automated security software is difficult because the attack rarely requires malware. Attackers are often sophisticated enough to have access to IP addresses with a high reputation, meaning they bypass spam filters and reach your inbox. 

This article will give you actionable steps for defending yourself and your organization. Then, we’ll teach you how to recover from a BEC attack after it has occurred. Finally, we’ll show you some real-world examples of BEC attacks.

Summary of attacks related to BEC

Business email compromise is not a specific attack but a category of many different threats. Additionally, BEC is typically merely one part of a larger attack chain. Let’s look at some kinds of BEC attacks and attacks that often occur along with BEC.

  • CEO fraud: The attacker impersonates the CEO to target employees or customers.
  • Vendor email compromise (VEC), also known as invoice fraud: Tricks you into paying an invoice that appears to be from a real business partner.
  • Data theft: Attackers coax their target into giving up sensitive information.
  • Email account compromise (EAC): The attacker compromises an email account in order to defraud another target who trusts that account.

How to mitigate BEC

Understanding BEC is only the beginning. What matters is turning this knowledge into actionable plans to protect organizations from this growing menace. Below we’ll review three essential steps for BEC mitigation. 

Build anti-phishing awareness

BEC is fundamentally a social engineering attack. Although attackers may use technical exploits like email spoofing or domain hijacking to enable it, BEC ultimately relies on manipulating users over email.

Thus, preventing phishing goes a long way toward protecting against BEC. Basic strategies for preventing phishing attacks include:

  • Train employees with realistic phishing simulations.
  • Discourage users from opening attachments from suspicious senders.
  • Educate users on the “red flags” that indicate a phishing attempt.

You can learn more about the intricacies of phishing defense by reading the other articles in our Guide to Phishing.

Maintain strong personal cybersecurity hygiene

There is a lot you can do to make your personal opsec (operations security) stronger. However, two simple practices can massively improve your safety online.

  1. Multi-factor authentication (MFA)
  2. Password manager

Multi-factor authentication makes it harder for attackers to break into your accounts, even if they manage to steal your credentials. A password manager makes it convenient to maintain a strong, unique password for every site you use. Unique passwords are critical for online safety: if attackers acquire the password for one account, they should not gain access to all of your other accounts as well.

Implement robust email security

Spoofing email addresses is a common strategy attackers use as part of a BEC attack. The best way to mitigate this is by setting up DMARC for your domain and enforcing DMARC on incoming mail. DMARC enforcement can help reduce risk and protect your domain against spoofing. 
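A quick way to see whether a domain's DMARC record is actually at enforcement is to parse the record and check the `p=` and `pct=` tags. The classifier below is an added example (not Valimail's code); the records are constructed samples, and fetching the real `_dmarc.<domain>` TXT record from DNS is left out.

```python
"""Classify a DMARC TXT record as missing, invalid, monitoring, partial or
enforcing. Added example, not Valimail code; records below are constructed."""

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(record: str) -> str:
    """'missing' (no record), 'invalid' (no v/p tag or bad value),
    'monitoring' (p=none), 'partial' (enforcing but pct<100), 'enforcing'."""
    tags = parse_dmarc(record)
    if not tags:
        return "missing"
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ENFORCING | {"none"}:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # share of failing mail acted on
    except ValueError:
        return "invalid"
    if policy in ENFORCING:
        return "enforcing" if pct >= 100 else "partial"
    return "monitoring"


SAMPLE_RECORDS = {  # constructed examples, not real domains
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "half-quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.test",
    "full-reject": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "missing-policy": "v=DMARC1; rua=mailto:dmarc@example.test",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name}: {dmarc_status(rec)}")
```

Only "enforcing" means spoofed mail that fails DMARC is consistently quarantined or rejected by receivers; "monitoring" gives you reports but no protection.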

Additional email security tactics that will help prevent BEC and other email-based threats are:

  • Enabling alerts or banners on emails that come from outside your organization.
  • Turning on the advanced protection options from your mail provider (Google Advanced Protection, Office 365 Advanced Threat Protection, etc.).
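The external-sender alert above is simple to build yourself, and it combines well with other BEC warning signs: an executive's display name on a non-corporate address, a Reply-To that diverts replies elsewhere, and a DMARC failure recorded by your gateway. The tagger below is an added example (not Valimail or any mail provider's code); the internal domain, executive directory and message are constructed for the demo.

```python
"""Tag an inbound message with BEC warning signs. Added example, not
Valimail code; INTERNAL_DOMAIN, EXECUTIVES and SAMPLE are constructed."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.test"                       # assumed: your domain
EXECUTIVES = {"jane doe": "jane.doe@example.test"}     # assumed directory


def bec_flags(raw_message: str) -> list:
    """Return the list of warning flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if domain != INTERNAL_DOMAIN:
        flags.append("external-sender")                # the [EXTERNAL] banner case
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:                # CEO-fraud pattern
        flags.append("executive-display-name-mismatch")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to-differs-from-sender")
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth:                            # set by your inbound gateway
        flags.append("dmarc-fail")
    return flags


SAMPLE = """\
From: Jane Doe <jane.doe@example-payroll.test>
Reply-To: jane.doe.ceo@freemail.test
To: accounts@example.test
Subject: Urgent wire before 5pm
Authentication-Results: mx.example.test; dmarc=fail header.from=example-payroll.test

Please process the attached invoice today.
"""

if __name__ == "__main__":
    print(bec_flags(SAMPLE))
```

A message raising two or more of these flags is a good candidate for quarantine or a prominent banner rather than silent delivery.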

Securing email is a broad topic that you should not take lightly. Learn more about email security with our series of articles on Email Security Best Practices.

How to recover from BEC

If you discover that you have been the victim of a business email compromise, immediately delegate the four steps below to the appropriate teams in your company.

  1. Alert customers and business partners. The attackers likely will not stop with you. Instead, they may try to use their illicit access to target vendors you work with and launch additional vendor email compromise (VEC) attacks.
  2. Trace the extent of the damage and breach. To recover successfully, you need to figure out what systems and people were successfully compromised as part of the attack. Otherwise, the attackers might maintain access and do the whole thing again after you think you’ve cleaned up.
  3. Recover accounts and other assets. Remove accounts that have been compromised and recreate them from scratch. If an administrative account has been breached, you can point the domain to new mail servers entirely or contact your email provider.
  4. Report the event. Your financial institution may be able to freeze funds that are still pending before the transactions are finalized.

Real-world examples of BEC 

To understand how threat actors use BEC in practice, let’s look at a few case studies of major BEC attacks. Of course, these are just the tip of the iceberg. Security professionals have witnessed an onslaught of new BEC incidents in the last several years.

Puerto Rico 2019-2020

The government of Puerto Rico was scammed out of 2.6 million USD (according to Tripwire’s blog) when an attacker impersonated a vendor. Attackers tricked government employees into changing the destination of a bank account intended to receive remittance payments. The mishap was only discovered when the real vendor called, saying they never received the payment. 

Facebook and Google VEC

In 2013, a cybercriminal set up a fake company using the name Quanta Computer, the same name as a real supplier to both Google and Facebook. The attacker and his associates forged invoices and sent them to the employees at Facebook and Google who were in charge of such payments.

You can learn more about this attack by reading TrendMicro’s report.

Invictus Group

In 2021, a criminal enterprise known as Invictus Group used phishing to steal credentials for various business leaders. This hacker gang’s BEC campaign led to 11 million USD of stolen funds from its victims, according to the US Department of Justice (source).

One Treasure Island

In 2021, the FBI reported that scammers had targeted San Francisco charity One Treasure Island, resulting in a theft of $650,000 USD (source). The attackers were able to snag a real invoice used by the organization’s partners. They used this invoice to trick One Treasure Island’s bookkeeper into transferring a loan to a bank account under the attackers’ control.

Summary of key concepts

BEC refers to situations where an attacker impersonates someone within a business to scam them out of money, sensitive information, or other valuable non-monetary assets. This attack has cost businesses millions of dollars and lessened trust in the email ecosystem, which is already plagued with threats.

Some tactics that can mitigate the risk of BEC include:

  • Strong anti-phishing training
  • Strict personal cybersecurity hygiene
  • Email security best practices

Following these principles using the advice featured earlier in this article can drastically reduce the risk of a successful BEC attack against your company. 

Of course, even the best defense is no guarantee against a successful attack. The good news is that even after you suffer an attack, there are steps you can take to remediate the damage. Tactics for recovering from a BEC attack after the fact include the following.

  • Alert customers and business partners
  • Trace the extent of the damage done
  • Recover accounts and other assets
  • Report the event to your financial institution

Many companies, including tech giants like Facebook and Google, have fallen victim to BEC, resulting in millions of dollars lost to cybercriminals. BEC is not a merely theoretical menace; it’s a realistic attack that should inform your threat model.
