BEC, or business email compromise, is a type of cybercrime in which attackers manipulate or compromise business email accounts for fraudulent purposes. BEC scams are designed to deceive individuals or organizations into making financial transactions or sharing sensitive information under the false pretense of a legitimate request. These scams are sometimes referred to as “CEO fraud” or “whaling” when they specifically target high-ranking executives. BECs are a cybercrime with costly consequences. Last year, the FBI reported that BECs caused $1.87 billion in losses. According to IBM’s Cost of Data Breach Report, these BEC attacks come with an average cost of $5 million per breach. Business email compromises now account for 23 percent of cyber insurance claims.

Key Aspects of Business Email Compromise:

  1. Impersonation: Attackers often impersonate trusted individuals or entities, such as company executives, suppliers, or business partners. They may create email accounts or compromise existing ones to make their messages appear legitimate.
  2. Social Engineering: BEC attacks rely heavily on social engineering tactics. Attackers research their targets and gather information from public sources, social media, or other channels to make their emails more convincing.
  3. Manipulating Trust: BEC attacks exploit the trust employees have in their superiors or business partners. The convincing nature of these emails often leads victims to comply with the fraudulent requests.
  4. Financial Losses: BEC scams can result in significant financial losses for organizations. Victims may transfer funds to fraudulent accounts, purchase gift cards, or disclose sensitive data that can be exploited for further attacks.
  5. Types of Scams: 
    • CEO Fraud: Scammers pose as company CEOs or top executives, requesting financial transfers or confidential information from employees.
    • Account Compromise: Bad actors hack into an employee’s email account in order to request payments to vendors.
    • Attorney Impersonation: Scammers impersonate lawyers or legal representatives to pressure victims into taking specific actions, often involving wire transfers.
    • Data Theft: Attackers target HR employees in order to acquire sensitive data about company employees and later leverage this information for future attacks.
    • False Invoice Scheme: Attackers send fake invoices or payment requests, convincing employees to make payments to fraudulent accounts.

How Business Email Compromise Attacks Work:

Phase 1: Research

Attackers conduct research to identify potential targets. They often gather information about the target organization, its employees, and executives from publicly available sources, social media, and company websites.

Phase 2: Prepare

Attackers create or gain control over an email account that closely resembles a legitimate one within the target organization. They may use similar domain names or display names to make the email appear genuine.
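The similar domain names and display names described above are what a mail filter can check for on inbound messages. The following is an added example, not code from the original article: it flags a From: header whose domain is a near match for a trusted domain or whose display name is a protected executive's while the address is external. The domain, the executive name and the edit-distance threshold of 2 are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed, hypothetical values: the organisation's own domain and protected names.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe"}

# Digits that are commonly swapped for look-alike letters in a domain name.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold look-alike characters so that 'examp1e' and 'exarnple' equal 'example'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def classify_sender(from_header):
    """Return impersonation findings for one From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return []  # genuine domain; a compromised internal account is not visible here
    findings = []
    for trusted in sorted(TRUSTED_DOMAINS):
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            findings.append(f"lookalike-domain:{domain}~{trusted}")
    name = " ".join(display.lower().split())
    if name in EXECUTIVES:
        findings.append(f"display-name-spoof:{name}")
    return findings
```

A message from a compromised legitimate account passes this check by design, which is why the verification procedures for financial requests still matter.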

Phase 3: Execute

Attackers pose as a trusted individual or entity, such as a high-ranking executive, supplier, or business partner. This impersonation is designed to gain the trust of the recipient. A carefully crafted phishing email is sent to the target, often with a sense of urgency or importance. The email may request actions such as wire transfers, confidential information sharing, or changes to payment details. BEC attacks rely on social engineering tactics to manipulate the recipient. The email may contain convincing language, forged signatures, or references to recent events or projects within the organization to make it seem legitimate.

Phase 4: Disperse

Attackers disperse their loot across multiple accounts in order to cover their tracks.

Business Email Compromise Attack Mitigation:

In order to prevent and mitigate the risk of BEC attacks, organizations can implement security measures such as Multi-Factor Authentication (MFA), email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance), employee training and awareness programs, and strict verification procedures for financial transactions. Employees should treat every email with suspicion, and high-risk employees (HR department, administrators, C-level) should always have MFA enabled.
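Publishing a DMARC record is not the same as enforcing one. The following is an added example, not part of the original article: it audits the text of a DMARC TXT record (assumed to have been fetched already from `_dmarc.<domain>`) and reports the settings that leave spoofed mail deliverable. The sample records in the test are constructed.

```python
ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict (tag=value pairs separated by ';')."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(txt):
    """Return a list of weaknesses found in one DMARC record; an empty list means enforced."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["no-valid-dmarc-record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        # p=none only monitors: mail that fails authentication is still delivered.
        findings.append(f"policy-not-enforced:p={policy or 'missing'}")
    if "sp" in tags and tags["sp"].lower() not in ENFORCING:
        # An explicit weak subdomain policy overrides an enforcing p= for subdomains.
        findings.append(f"subdomains-not-enforced:sp={tags['sp'].lower()}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        # pct below 100 applies the policy to only a share of failing mail.
        findings.append(f"partial-enforcement:pct={pct}")
    if "rua" not in tags:
        # Without aggregate reports the domain owner never sees who is spoofing it.
        findings.append("no-aggregate-reports")
    return findings
```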

MFA, or Multi-Factor Authentication, is a security mechanism that protects access to emails, customer files, and other sensitive data by requiring a user to present two or more credentials before they are granted access to a secure system or network. Many organizations believe that they have already implemented efficient measures to safeguard against BECs, but these steps may not have been effectively executed. Security consultants discovered that all but 10% of victims either didn’t activate their MFA or didn’t follow best practices when implementing it. It’s critical not only to enable MFA, but to enforce it as well. Organizations also shouldn’t rely solely on native email security; identify potential gaps in security and find out what your built-in security is missing.

Regularly conduct reviews of accounts, credentials, administrative rights, and shared mailboxes. Every account should be tied to one specific user. Deactivate client-side forwarding rules. This function can enable attackers to reroute all incoming emails to an external address. Employees often establish these rules in order to forward work emails to their personal emails, which puts confidentiality at risk and increases the chance of compromise. Retain logs and monitor email activity regularly. Preventing BEC attacks requires a combination of technical measures (e.g., email authentication protocols, Multi-Factor Authentication) and employee training and awareness programs to educate personnel about the risks and red flags associated with these scams. BEC attacks are continually evolving, so ongoing vigilance and cybersecurity measures are essential to mitigate the threat.
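The forwarding-rule review described above can be run over an export of mailbox rules. The following is an added example, not part of the original article: it lists every rule that forwards or redirects mail to an address outside the organisation. The export format, its field names and all addresses are constructed assumptions; map them from whatever your mail platform exports.

```python
import json

INTERNAL_DOMAINS = {"example.com"}          # constructed: the organisation's own domains
FORWARDING_ACTIONS = {"forward", "redirect"}  # hypothetical action names in the export

# Constructed rule export with hypothetical field names.
RULES_JSON = """[
  {"mailbox": "ap@example.com", "rule": "archive", "action": "move",
   "targets": ["Invoices"]},
  {"mailbox": "hr@example.com", "rule": "home copy", "action": "forward",
   "targets": ["user@freemail.test"]},
  {"mailbox": "cfo@example.com", "rule": "sync", "action": "redirect",
   "targets": ["assistant@mail.example.com", "box@example.com.relay.test"]},
  {"mailbox": "it@example.com", "rule": "oncall", "action": "forward",
   "targets": ["pager@notexample.com"]}
]"""


def is_internal(address):
    """True only for an internal domain or a real subdomain of one.

    A substring or bare suffix test would wrongly accept 'notexample.com'
    and 'example.com.relay.test', so match on the label boundary instead.
    """
    domain = address.rpartition("@")[2].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def external_forwarding(rules):
    """Return (mailbox, rule name, external target) for each externally forwarding rule."""
    hits = []
    for rule in rules:
        if rule.get("action") not in FORWARDING_ACTIONS:
            continue
        for target in rule.get("targets", []):
            if not is_internal(target):
                hits.append((rule["mailbox"], rule["rule"], target))
    return hits


if __name__ == "__main__":
    for mailbox, name, target in external_forwarding(json.loads(RULES_JSON)):
        print(f"{mailbox}: rule '{name}' sends mail to external address {target}")
```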


Alvaka is available 24×7 to assist you with any of your cybersecurity needs. Fill out the form on this page or call us at (949)428-5000!
