What Is a Business Email Compromise?
Table of contents
- Anatomy of BEC
- How BEC works
- Types of BEC
- Who does BEC target?
- Why is protection from BEC so important now?
- The most famous BEC scams
- Google and Facebook
- How to prevent BEC
Business email compromise (or BEC, CEO fraud, or the man-in-the-email attack) is a type of phishing attack where scammers target — you guessed it — your business email. They do this in order to trick you into wiring them money or perform other actions that will negatively impact your organization.
The difference between business email compromise vs. phishing is that the attacker already has the credentials or a believable way to pretend to be another company representative, contractor, vendor, or client. This way, they can persuade legitimate employees to perform actions that would benefit the hacker. The usual outcome of a business email attack is the loss of money or confidential information. According to Verizon's 2021 Data Breach Investigations Report, financially motivated attacks continue to be the most common ones, so business email compromise is also gaining popularity.
A BEC can be carried out in multiple ways, including via malicious software infiltrating your business network. With Clario's real-time anti-malware protection, you can discover all the viruses that might be hiding in your computer. Clario combines the capabilities of an antivirus, VPN, and live 24/7 support from security professionals. Download Clario and start your free trial now.
Anatomy of BEC
An attempt at business email compromise usually consists of a message sent from a hacked or a falsified account of a person in a powerful position within a company. The transfer of money or data then takes place, and the attacker vanishes. Lately, BEC has become such a serious and widespread problem that even the Australian Cyber Police provided recommendations on how to avoid and protect yourself against BEC.
One of the most typical signs of business email compromise, which it shares with most other phishing scams, is the urgency and non-typical nature of the request. Without the time factor, the recipient of the treacherous email is most likely to question what's required of them. However, the attackers usually exploit human psychology, using fear, threats, or pleading to get what they need. The victims are put under such circumstances that the presumed consequences of not complying with the request outweigh the possible consequences of fulfilling it.
How BEC works
To compromise the initial gateway email or to trick the receivers of the BEC email, the attackers will use one of the following methods:
- Spoofing of websites, email, or even instant messenger accounts
- Spear phishing to target select employees or
- Malware running within the organization's infrastructure
At first, the attacker gets access to a business email account belonging to a top manager (hence the "CEO attack" nickname). Next, they reach their goals by manipulating the employees. Phishing plays a big role in this. Including business email compromise cases, the number of phishing cases has increased to 36% of security/data breaches in business compared to 25% in the last year (2020).
Types of BEC
A business email compromise scam where the attacker gains access to an email within the business infrastructure (hence causing email system compromise) is also called email account compromise. Most often, during the BEC, the attacker only impersonates somebody and pretends to be sending the messages through a legitimate gateway — using tactics like domain spoofing or display name spoofing.
The most common types of BEC are:
- Fake CEO (Fake boss) — the money, property, or sensitive info/permissions are stolen by somebody pretending to be a C-level manager of the attacked company.
- Fake invoice scam — money is lost to a fake legitimate-looking invoice.
- Wire transfer fraud — similar to a fake invoice scam, but the wire transfer is requested to a 'drop' account from which it is immediately transferred further until the money is untraceable.
- Fake lawyer — attackers impersonate a legal representative of the company or its business partner to lay their hands on sensitive legal information.
- Fake HR — an attacker that impersonates HR staff gets access to personal employee information.
In BEC, a hacked business email may be used for targeting other employees, suppliers, or clients. This will usually be a manager or a business partner (for example, a supplier) asking for a specific action.
Who does BEC target?
The most likely targets of a BEC are:
- Companies with a large number of employees and complicated business processes.
- Research and development companies whose trade secrets, discoveries, or inventions are of great interest to their competitors.
- Companies that deal with large sums of money regularly so a "lost" invoice for several hundred thousand dollars won't seem out of place.
- Companies whose top management is away on a business trip, so out-of-place after-hours requests made from unknown phone numbers or email accounts won't seem unusual.
The one common denominator here is that the companies have something of interest for hackers, and the fraud won't be easily recognized.
Why is protection from BEC so important now?
Unfortunately, the transition to remote working during the global pandemic helped increase the numbers in business email compromise statistics. Many of us have switched to the working-from-home model, and we're using our personal devices for working purposes (and the other way around, too). This, plus the absence of the physical office's security infrastructure, obviously puts us at much greater risk.
In December 2020, Keeper reported that uncertainty caused by COVID-19, Brexit, and the move to remote-working and BYOD policies led to 70% of UK finance companies experiencing BEC attacks over the preceding year.
The average monetary amount requested by attackers in a fake wire transfer or invoice BEC/AEC attacks increased almost by 100% by the end of 2020 (from $48,000 to $75,000). The losses from such crimes crossed over $1.77 billion in 2019 — and topped this in 2020. And according to the FBI's Internet Crime Report, BEC cases were the top cybersecurity claims in 2020.
The most famous BEC scams
Due to the nature of the scam — as it deals with hacking humans as opposed to systems — business email compromise examples include companies of all sizes and from all industries. In 2020, 80% of firms experienced an increase in cyberattacks.
Google and Facebook
The early days of BEC also saw one of the biggest and the most ambitious attacks — the one against Facebook and Google, which led to $121 million in losses between 2013 and 2015. The person behind these attacks, Evaldas Rimasauskas, got a 5-year prison sentence for this fraud in 2019.
This has been one of the most significant BEC cases ever. An employee of the Scoular company transferred $17.2 million to a Shanghai bank account following the request in a fake email that pretended to come from the company's CEO.
$46.7 million was lost by a company called Ubiquiti due to business fraud. The attackers used BEC and pretended to be an external company that successfully demanded and received money from Ubiquiti's financial department.
How to prevent BEC
These are the steps you should take to prevent business email compromise:
- Realize that your company is just as vulnerable to such an attack as any other.
- Set workplace rules on using two-step verification for suspicious correspondence.
- Set email rules for flagging external emails.
- Require two-factor authentication in your IT infrastructure.
- Normalize confirmation requests and double-checks for unusual orders.
- Set at least a basic business email compromise policy and provide training for all new hires.
Unless the breach has been really deep and ongoing for a long time, a business email compromise attack alone won't bypass such security measures. Remember, the cost of business email compromise is always higher than the time and effort spent providing preventive training.
If BEC prevention seems complicated but you would like to make your infrastructure more secure and your employees or colleagues more cautious, you should consider asking trusted security experts for help.
If you have doubts about the authenticity of any new email and you’d like to avoid BEC, you can consult Clario digital experts 24/7. Don't put your device and information at risk — get help when you need it. Download Clario now and enjoy your free trial.
When it comes to your company's security, it's better to err on the side of caution than regret your carelessness later. Keep your guards up and question anything suspicious that ends up in your email.