Business Email Compromise
What Is Business Email Compromise?
BEC (also called the man-in-the-email scam) is a type of fraud in which financially motivated adversaries dupe executives and employees into making payments or sending sensitive data to attacker-controlled accounts. Rather than exploiting software, attackers rely on impersonation and social engineering to get the victim to act on their behalf.
These FBI statistics from the 2020 Internet Crime Report demonstrate the seriousness of BEC:
- The FBI’s Internet Crime Complaint Center (IC3) received nearly 20,000 complaints in 2020 regarding Business Email Compromise.
- Losses reported as a result of BEC grew from $1.29 billion in 2018 to $1.86 billion in 2020.
- In 2020, the IC3 received more than 241,000 complaints about phishing and related attacks, a 110 percent increase over the previous year.
BEC attacks are notoriously difficult to prevent. Rather than using malware, attackers rely on social engineering and impersonation to convince people to act on the attacker’s behalf, and many BEC emails carry no malicious link or attachment at all. Traditional threat detection solutions that key on known-bad headers, links, attachments, and metadata therefore frequently miss them.
How is a Typical BEC Attack Conceived and Performed?
BEC attacks can be carried out without the use of sophisticated tools or tradecraft. As a result, they exist in a variety of forms, varying in sophistication according to the attacker’s motivation and ability.
Conduct Research and Identify Potential Targets
Typically, BEC attacks target executives or employees who are authorized to make payments on behalf of their organizations.
Over days or weeks, attackers conduct reconnaissance, mining contact information from websites, social media platforms, and the dark web. They develop a profile of the intended victim organization before zeroing in on individual targets. BEC attacks frequently target CEOs, attorneys, and accounts payable personnel.
Lay the Groundwork for the Attack
Unlike mass phishing emails, which are sent in a “spray and pray” fashion, BEC attacks appear credible and legitimate. Scammers prepare for the attack by spoofing email addresses or creating lookalike domains, impersonating trusted vendors, or gaining access to the victim’s manager or colleague’s legitimate email account.
Execute the Attack
The actual BEC attack may occur in a single email or across an entire thread, depending on how much effort the adversary invests. To gain the victim’s trust, this communication frequently employs persuasion, urgency, and authority. The perpetrator then provides the victim with wire instructions directing payment to a fraudulent account.
Once the attacker receives the funds, they are quickly collected and dispersed across multiple accounts to minimize traceability and retrieval chances. Rapid response is critical for the majority of cyber incidents, and the same is true for BEC attacks. If organizations are slow to recognize a successful BEC attack, it is unlikely that the money will be recovered.
Types of BEC Attacks
CEO Fraud – Attackers assume the identity of a company’s CEO or executive. They instruct an employee in the accounting or finance department to transfer funds to an attacker-controlled account on their behalf as the CEO.
Impersonation of a lawyer – Attackers frequently pose as a lawyer or legal representative via phone or email. The targets of these attacks are frequently lower-level employees who lack the knowledge or experience to call into question the legitimacy of an urgent legal request.
Theft of Data – Data theft attacks are frequently directed at human resources personnel in order to obtain personal information about a company’s CEO or other senior executives. The attackers can then use the data in a variety of future attacks, such as CEO fraud.
Compromised Email Account – An attacker hijacks an employee’s legitimate email account and uses it to request payment from vendors. Because the messages come from a real mailbox, they pass authentication checks, and the money is transferred to bank accounts controlled by the attacker.
Compromise of Vendor Emails – Businesses that work with foreign suppliers are frequently the targets of vendor email compromise. Attackers pose as suppliers, request payment for a fictitious invoice, and then divert the funds to a fraudulent account.
Commonly Used BEC Attack Techniques
Because BEC is heavily reliant on social engineering, it is simple to carry out with minimal tools and tradecraft. The fact that these techniques are accessible and repeatable only serves to increase BEC’s popularity among attackers. Five common types of BEC attack techniques to be aware of include the following:
Taking Advantage of Trusted Relationships
To compel victims to respond quickly to email requests, attackers make a concerted effort to leverage an already established trust relationship. Exploitation can take a variety of forms, including a vendor requesting payment on an invoice, an executive requesting iTunes gift cards, or an employee sharing new payroll direct deposit information.
Replicating Frequently Used Workflows
Each day, an organization and its employees perform a huge number of business workflows, many of them automated and most of them conducted via email. The more often employees see these workflows, the more they complete them from muscle memory. BEC attacks mimic these daily workflows to make victims act before they think. Workflows commonly imitated include the following:
- Password reset requests sent by email
- Emails purporting to share files and spreadsheets
- Emails purporting to come from commonly used apps and asking users to grant access
Suspicious Attachments
Suspicious attachments are frequently associated with malware in email attacks. However, attachments used in BEC attacks omit malware in favor of forged invoices and other social engineering techniques that bolster the legitimacy of the conversation. These attachments are designed to further entangle targets.
Content and Subject Lines That Have Been Socially Engineered
BEC emails frequently include subject lines that convey urgency or familiarity and are intended to elicit immediate action.
Email content is deceptive, using manipulative language to make specific, seemingly innocuous requests. Rather than phishing links, BEC attackers deliver their payload through language.
Utilization of Free Software
Attackers leverage freely available, legitimate services to lend credibility to BEC scams and to get emails past security technologies that block known malicious links and domains. For instance, attackers send spoofed messages through SendGrid and build phishing pages on Google Sites. Google Forms and Docs are used to harvest sensitive data from victims, and attackers can use Box and Google Drive to host freshly created phishing links and bogus invoices that no blocklist has yet seen.
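As an added example (not code from the original page), the following Python script triages raw email messages on the BEC indicators discussed above: a known executive’s display name on a foreign address, a Reply-To or envelope sender that does not match the From domain, a lookalike domain built from homoglyphs or dropped characters, and pressure language in the subject and body. None of these signals depends on a malicious link or attachment, which is exactly what classic filters key on. The organization domain, executive list, vendor domains, keyword list, similarity threshold, and both sample messages are constructed assumptions.

```python
"""Heuristic BEC triage over raw RFC 5322 messages using only the standard library.

Added example. Organisation data, keyword list, threshold and sample messages
are hypothetical and would normally come from HR and vendor master records.
"""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data (assumption).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}        # display name -> real address
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}    # own domain plus paid vendors

# Pressure language typical of BEC (tuning assumption, not an authoritative list).
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|today|wire|confidential|gift cards?|"
    r"new (?:bank|account)|updated (?:bank|account))\b", re.I)

# Digit-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Fold homoglyph tricks for comparison only, so 'examp1e.com' equals 'example.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    folded = normalise(domain)
    for trusted in TRUSTED_DOMAINS:          # exact match after homoglyph folding
        if folded == trusted:
            return trusted
    for trusted in TRUSTED_DOMAINS:          # near match: dropped or added characters
        if difflib.SequenceMatcher(None, folded, trusted).ratio() >= 0.85:  # assumed threshold
            return trusted
    return None


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def score_message(raw: str):
    """Return a list of (tag, detail) findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # 1. Display-name impersonation: an executive's name attached to a foreign address.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(("display_name_impersonation", f"'{name}' shown, but address is {addr}"))

    # 2. Reply-To that diverts the conversation away from the claimed sender's domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply}"))

    # 3. Lookalike domain in the From address.
    target = lookalike_of(from_domain)
    if target:
        findings.append(("lookalike_domain", f"{from_domain} imitates {target}"))

    # 4. Envelope sender (Return-Path) from a third-party mailer rather than the From domain.
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    if envelope and _domain(envelope) != from_domain:
        findings.append(("envelope_mismatch", f"Return-Path domain is {_domain(envelope)}"))

    # 5. Pressure language in subject and body. No link or attachment is needed to fire.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = str(msg.get("Subject", "")) + "\n" + body
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))
    return findings


# Constructed sample messages (assumption).
SUSPICIOUS_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example.net>
Return-Path: <bounces@em-4821.example.net>
To: accounts.payable@example.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and can't take calls. I need you to wire $48,500 to a
new vendor account today. Keep this confidential until I'm back; I'll
send the bank details shortly.
Jane
"""

BENIGN_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 offsite agenda
Content-Type: text/plain; charset="utf-8"

Draft agenda for the offsite is in the shared folder. Let me know what
you would like to add.
Jane
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, score_message(raw))
```

Run stand-alone, the script reports five findings for the suspicious message and none for the benign one. Each signal on its own produces false positives (legitimate newsletters also arrive with a third-party Return-Path, and real executives do write "urgent"), so in practice the findings are used as enrichment for quarantine or banner rules, with the combination of display-name impersonation and a lookalike or mismatched domain weighted far above keyword hits alone.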
Tips for Preventing Business Email Compromise
Enable Multi-Factor Authentication on Your Accounts
Enabling multi-factor authentication (MFA) significantly reduces the likelihood of compromised accounts being used to perpetrate BEC attacks. At the very least, businesses should ensure that MFA is enabled for these high-risk accounts:
- Senior executives
- Individuals with the authority to initiate payments
- Administrator accounts
- Human resources staff
With the rise of remote work, it is also critical to establish your own out-of-band verification procedures where none exist. If you receive a suspicious email from a familiar vendor demanding immediate payment of an invoice, call the vendor on a number you already have on file, not one taken from the email, to confirm that they sent it. A few extra minutes of caution can avoid a great deal of later strife.
Don’t Rely on Native Email Security Exclusively
Adoption of cloud email has accelerated as organizations have been able to simplify email delivery and eliminate the need for Secure Email Gateways (SEG). In recent years, G Suite and Office 365 have enhanced their native security offerings, providing enhanced anti-spam and anti-malware protection. However, built-in security from cloud email providers should serve as a foundation for your email security stack, not as its entirety.
Conduct a thorough audit of your existing email security capabilities to determine what you have already purchased. Microsoft’s free Office 365 Configuration Analyzer compares your current anti-spam, anti-malware, and anti-phishing policies against Microsoft’s recommended settings and flags those that fall short, so you can tighten rules that provide insufficient protection.
Once you have a firm grasp on what your native email security can and cannot do, devise a strategy for augmenting these fundamental capabilities with security layers designed specifically to thwart BEC attacks.
Always Exercise Skepticism When Reading Emails
BEC attackers do everything possible to push victims into acting before they think, preying on the tendency to process email on autopilot. While reading every email critically is easier said than done, being aware of the risks is a good place to start.
Train employees to look for signs that they may be the target of a Business Email Compromise scheme:
- Be suspicious of last-minute deadlines emailed for the transfer of money or sensitive data.
- Be suspicious of unusual purchase requests, even if they come from trusted employees or entities.
- Keep an eye out for emails from employees announcing new direct deposit information.
- Whenever vendors share new banking information for invoice fulfillment, require additional verification steps before updating vendor records.
- Question requests to keep information confidential, and be skeptical of warnings to restrict or bypass normal communication channels.
- Keep an eye out for wire transfer requests that must be completed quickly or without proper authorization.
Follow your gut instincts: if something does not look or feel right, do not be afraid to investigate. Emails with obvious misspellings or grammar that is unusual for the sender should be scrutinized. If a reply appears to be “off,” you may have received a spoofed message. When in doubt, verify through a separate channel, such as a new email to the address you have on file or a phone call to a known number, rather than replying to the original.
BEC attacks are here to stay because they require neither malware nor exploits, only a convincing message. Organizations and employees must adapt their mindsets, processes, and security tools in order to stay ahead of the growing threat of Business Email Compromise.