What is Business Email Compromise?
Business email compromise (BEC) is a type of targeted phishing (spear phishing) in which a threat actor either accesses or mimics a genuine business email account to defraud the business. This tactic relies on exploiting the assumed trust that victims have in emails coming from what appear to be genuine sources. Often, these scams target employees working in financial departments or executives who have the power to transfer money from business accounts to bank accounts under the control of the threat actor.
BEC is a notably high-cost type of phishing attack. In fact, the FBI released a Public Service Announcement in 2022 outlining that BEC cost companies an estimated $43 billion between 2016 and 2021.
How Business Email Compromise Happens
BEC scams are multi-layered attacks that begin by conducting reconnaissance to identify appropriate targets. Hackers can scour company websites or LinkedIn profiles to build out a profile of who works for the company and who is likely to have the appropriate privileges to transfer money from business accounts.
After the initial reconnaissance, attackers choose how they’re going to dupe victims into believing that their fraudulent emails are coming from a legitimate source. One common technique is email spoofing, which forges email headers to make it appear that the message comes from a trusted source. Another avenue is credential theft, where threat actors get their hands on credentials for genuine business email accounts and impersonate the owner of those accounts.
Piggybacking off the trust that targets place in these business email accounts, the attacker then crafts a spear-phishing email that creates a sense of urgency about transferring money to a designated account. Sometimes there is an intermediate step in which the attacker either uses malware or convinces the target to insert them into email threads about company payments. This intermediate step reveals the typical payment flows and may even help the attacker refine their list of targets.
Five Types of BEC Scams
While BEC scams can be unique enough not to fall into any category, there are five broad types of scams commonly seen across different sectors and different countries:
- Attorney impersonation—These scams often involve dual impersonation. One email claims to be from a high-ranking executive in the organization and references a time-sensitive or confidential transaction that needs to involve the company’s attorneys. A second email follows shortly thereafter from an “attorney” requesting a wire transfer to complete the false confidential transaction.
- Fake invoices—In a fake invoice scam, the adversary compromises genuine email accounts belonging to trusted suppliers of a business. The criminal uses the account to search for email threads about invoices, hijacks the thread, and creates a sense of urgency about the need to change the bank details on an invoice. A targeted employee falls for the scam and pays the fake invoice into an account under the attacker’s control.
- CEO fraud—Although some sources use CEO fraud and BEC synonymously, CEO fraud is just one type of BEC, in which someone impersonates the CEO of a company and asks an employee, usually in finance, to transfer money out of the business. This form of phishing preys on the high default level of trust and respect that most people have for their employer’s CEO.
- Account compromise—Threat actors get inside an employee’s email account and use that access to request payments from vendors or to request a change of bank details from payroll.
- Data theft—In some cases, money is not the motivator of a BEC scam. Data theft involves impersonating a business email account and targeting employees in departments like HR, where unsuspecting employees might reveal sensitive information that the attacker can use for other nefarious purposes.
High-Profile Incidents Involving BEC
Facebook and Google
Serving as a warning that even tech giants are susceptible to BEC scams, Facebook and Google lost out on $123 million in 2016 to a Lithuanian cybercriminal. Mr. Evaldas Rimasauskas registered a company in Latvia with the same name as the Taiwanese electronics manufacturing company Quanta Computer.
Knowing that both Facebook and Google used Quanta Computer’s hardware in their data centers, Rimasauskas sent fake invoices to targeted employees and deceived them into transferring the money. He siphoned the funds to bank accounts located in various countries, but authorities eventually caught him and extradited him to the United States.
Toyota
In this incident, scammers targeted a European subsidiary of Toyota to the tune of $37 million. The pretext was that the attacker impersonated a third-party business partner. The impersonator sent convincing emails to the accounting and finance departments, where approval was given to transfer the sum.
Government of Puerto Rico
A successful BEC attack against the government of Puerto Rico demonstrated that this threat is not limited to for-profit businesses. Details emerged pointing to the attacker taking over an email account belonging to a government employee working in the pensions department. The scam involved informing recipients in other government departments about a change in banking details for remittance payments, which resulted in over $3 million being transferred to the threat actor’s own bank account.
Xoom
In one of the earliest high-profile examples of BEC, money transfer company Xoom was conned out of over $30 million in 2015. The attack seemed relatively simple, with spoofed emails sent to the company’s finance department requesting the payments. This incident led to the resignation of the company’s chief financial officer (CFO).
How to Prevent Business Email Compromise
Make it company policy for finance and accounting departments to verify any requested changes to payment details (such as bank accounts) by contacting suppliers or vendors directly over the phone (use the phone number on record or from the company’s official website).
Educate employees about this type of phishing during cybersecurity training and awareness programs and make sure they learn to scrutinize the emails they receive, especially when they mention money transfers or a sense of urgency is referenced in relation to transactions.
Enable multifactor authentication for email accounts belonging to executives or other high-ranking employees so that a credential compromise does not necessarily mean account takeover.
Use dedicated anti-phishing solutions with BEC protection to detect BEC attempts, such as mismatches between the Reply-To address and the sender (From) address.
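To make the last two points concrete, here is an added example (not IRONSCALES code) that checks one message's headers for the indicators discussed above: a Reply-To that diverts replies away from the sender's domain, an executive's display name on a message from outside the company, a lookalike sender domain, and a failed SPF/DKIM/DMARC result. The company domain, executive names, homoglyph table and sample message are all constructed assumptions for this example.

```python
"""Added example (not IRONSCALES code): flag BEC indicators in one email's headers."""
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Assumptions (constructed for this example): the company's own domain and
# the executives whose display names attackers are likely to impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john roe"}
# Digit-for-letter swaps seen in lookalike domains; constructed, not exhaustive.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e"})

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw: str) -> list:
    """Return the BEC indicators found in the headers of one RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(from_addr)
    hits = []
    # 1. Reply-To points somewhere other than the From domain: replies (and the
    #    victim's payment confirmation) land in a mailbox the attacker reads.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if _domain(reply) != sender_domain:
            hits.append(f"reply-to mismatch: {from_addr} -> {reply}")
    # 2. An executive's display name on a message from outside the company
    #    (the classic CEO-fraud pattern).
    if from_name.strip().lower() in EXECUTIVE_NAMES and sender_domain != COMPANY_DOMAIN:
        hits.append(f"executive display name from external domain: {from_addr}")
    # 3. Sender domain is the company domain with characters swapped (lookalike).
    if sender_domain != COMPANY_DOMAIN and sender_domain.translate(HOMOGLYPHS) == COMPANY_DOMAIN:
        hits.append(f"lookalike domain: {sender_domain}")
    # 4. The receiving MTA recorded a failed SPF, DKIM or DMARC check.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            hits.append(f"{mech} failed")
    return hits

# Constructed sample: a spoofed "CEO" message with an external Reply-To.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.invalid
To: payments@example.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none

Please process the attached invoice today. I am in meetings, reply by email only.
"""
```

Any non-empty result should route the message for manual verification rather than block it outright, since legitimate mail (for example, a newsletter with a vendor's Reply-To) can trigger the first check.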
IRONSCALES Fights BEC For You
The most advanced email security solutions can do much of the work for you in preventing business email compromise. IRONSCALES’ self-learning platform uses machine learning and user behavior analysis to rapidly detect any anomalies that are indicative of BEC scams.
To learn more about IRONSCALES’ award-winning anti-phishing and BEC detection and protection solution, please sign up for a demo today at ironscales.com/get-a-demo.
Other Frequently Asked Questions
How common is business email compromise (BEC)?
Business email compromise is becoming increasingly common and the attacks are evolving into sophisticated and complex scams, making it more difficult for individuals and organizations to detect. According to the FBI's Internet Crime Complaint Center (IC3), BEC attacks have resulted in losses totaling billions of dollars worldwide. In 2020, the IC3 received 22,642 complaints related to BEC attacks, with reported losses totaling over $3.1 billion. This represents a significant increase from previous years.
Is BEC the same as phishing?
BEC is not the same as phishing, but rather is a specific type of phishing attack. BEC differs from other types of phishing in that BEC scams are targeted at specific organizations and are generally aimed at defrauding email users and stealing financial or sensitive information.
Does cyber insurance cover BEC?
The specific coverage provided by a cyber insurance policy can vary, but many policies include coverage for losses resulting from business email compromise attacks, including the cost of recovering stolen funds, the cost of investigations and legal fees, and other related expenses.
It is important to carefully review the terms of your cyber insurance policy to understand the specific coverage provided, as well as any exclusions or limitations that may apply.
Download the latest Osterman Research report, "Defending the Enterprise: The Latest Trends and Tactics in BEC Attacks," to learn more.