What is Business Email Compromise?
Business email compromise (BEC) is a type of targeted phishing (spear phishing) in which a threat actor either accesses or mimics a genuine business email account to defraud the business. This tactic relies on exploiting the assumed trust that victims have in emails coming from what appear to be genuine sources. Often, these scams target employees working in financial departments or executives who have the power to transfer money from business accounts to bank accounts under the control of the threat actor.
BEC is a notably high-cost type of phishing attack. In fact, the FBI released a Public Service Announcement in 2022 outlining that BEC cost companies an estimated $43 billion between 2016 and 2021.
How Business Email Compromise Happens
BEC scams are multi-layered attacks that begin by conducting reconnaissance to identify appropriate targets. Hackers can scour company websites or LinkedIn profiles to build out a profile of who works for the company and who is likely to have the appropriate privileges to transfer money from business accounts.
After the initial reconnaissance, attackers choose how they’re going to dupe victims into believing that their fraudulent emails are coming from a legitimate source. One common technique is email spoofing, which forges email headers to make it appear that the message comes from a trusted source. Another avenue is credential theft, where threat actors get their hands on credentials for genuine business email accounts and impersonate the owner of those accounts.
Piggybacking off the trust that targets place in these business email accounts, the attacker then crafts a spear-phishing email that creates a sense of urgency about transferring money to a designated account. Sometimes there is an intermediate step in which the attacker, either through malware or by persuading the target, gets inserted into email threads about company payments. This step reveals typical payment flows and may even help the attacker refine the choice of targets.
Five Types of BEC Scams
While BEC scams can be unique enough not to fall into any category, there are five broad types of scams commonly seen across different sectors and different countries:
- Attorney impersonation—These scams often involve dual impersonation. One email claims to be from a high-ranking executive in the organization referencing a time-sensitive or confidential transaction that needs to involve the company’s attorneys. The second email follows shortly thereafter from an attorney requesting a wire transfer to complete the false confidential transaction.
- Fake invoices—In a fake invoice scam, the adversary compromises genuine email accounts belonging to trusted suppliers of a business. The criminal uses the email account to search for email threads about invoices, hijack the thread, and create a sense of urgency about the need to change bank details on an invoice. A target employee falls for the scam and makes a payment based on a fake invoice to an account under the attacker’s control.
- CEO Fraud—Despite the fact that some sources use CEO fraud and BEC synonymously, CEO fraud is just one type of BEC in which someone impersonates the CEO of a company and requests an employee, usually working in finance, to transfer money out of the business. This form of phishing preys on the high default levels of trust and respect that most people have for their employer’s CEO.
- Account Compromise—Threat actors get inside an employee’s email account and use that access to request payments from vendors or request a change of bank details from payroll.
- Data Theft—In some cases, money is not the motivator of a BEC scam. Data theft involves impersonating a business email account and targeting employees in departments like HR where unsuspecting employees might reveal sensitive information that the attacker can use for other nefarious purposes.
High-Profile Incidents Involving BEC
Facebook and Google
Serving as a warning that even tech giants are susceptible to BEC scams, Facebook and Google lost out on $123 million in 2016 to a Lithuanian cybercriminal. Mr. Evaldas Rimasauskas registered a company in Latvia with the same name as the Taiwanese electronics manufacturing company Quanta Computer.
Knowing that both Facebook and Google used Quanta Computer’s hardware in their data centers, Rimasauskas sent fake invoices to targeted employees and deceived them into transferring the money. He siphoned the funds to bank accounts located in various countries, but authorities eventually caught him and extradited him to the United States.
Toyota
In this incident, scammers targeted a European subsidiary of Toyota to the tune of $37 million. The pretext was an impersonated third-party business partner: the impersonator sent convincing emails to the accounting and finance departments, where approval was given to transfer the sum of money.
Government of Puerto Rico
A successful BEC attack against the government of Puerto Rico demonstrated that this threat is not limited to for-profit businesses. Details emerged pointing to the attacker taking over an email account belonging to a government employee working in the pensions department. The scam involved informing recipients in other government departments about a change in banking details for remittance payments, which resulted in over $3 million being transferred to the threat actor’s own bank account.
Xoom
In one of the earliest high-profile examples of BEC, money transfer company Xoom was conned out of over $30 million in 2015. The attack seemed relatively simple, with spoofed emails sent to the company’s finance department requesting the payments. This incident led to the resignation of the company’s chief financial officer (CFO).
How to Prevent Business Email Compromise
Make it company policy for finance and accounting departments to verify any requested changes to payment details (such as bank accounts) by contacting suppliers or vendors directly over the phone (use the phone number on record or from the company’s official website).
Educate employees about this type of phishing during cybersecurity training and awareness programs, and make sure they learn to scrutinize the emails they receive, especially when those emails mention money transfers or press for urgent action on a transaction.
Enable multifactor authentication for email accounts belonging to executives or other high-ranking employees so that a credential compromise does not necessarily mean account takeover.
Use dedicated anti-phishing solutions to detect signs of BEC attempts, such as a mismatch between the Reply-To address and the From (sender) address.
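The header-level checks behind this recommendation, together with the forged-header spoofing and lookalike-company tactics described earlier, can be prototyped in a few dozen lines. The example below is an added illustration and is not IRONSCALES' code or a description of its product. It assumes a hypothetical internal domain (example-corp.com), one known executive address, a hypothetical vendor domain, and Authentication-Results headers stamped by the organisation's own mail gateway; all four sample messages are constructed.

```python
import email
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical organisation configuration (a real deployment would load it from a directory and vendor list).
INTERNAL_DOMAIN = "example-corp.com"
KNOWN_SENDERS = {"jane doe": "jane.doe@example-corp.com"}      # normalised display name -> only legitimate address
TRUSTED_DOMAINS = [INTERNAL_DOMAIN, "quanta-supplier.example"]  # hypothetical vendor domain
URGENCY_TERMS = ("urgent", "immediately", "before noon", "confidential", "wire transfer", "new bank details")

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or "" if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def normalise_name(display_name: str) -> str:
    """'Jane Doe, CEO' -> 'jane doe': drop titles after a comma, punctuation and extra spaces."""
    base = display_name.split(",")[0].lower()
    return " ".join(re.sub(r"[^a-z ]", "", base).split())

def looks_like(domain: str, trusted: str) -> bool:
    """True for a near-duplicate of a trusted domain: same letters without punctuation, or a close typosquat."""
    if not domain or domain == trusted:
        return False
    if re.sub(r"[^a-z0-9]", "", domain) == re.sub(r"[^a-z0-9]", "", trusted):
        return True
    return SequenceMatcher(None, domain, trusted).ratio() >= 0.85

def auth_verdicts(msg) -> dict:
    """spf/dkim/dmarc results our own MX recorded in Authentication-Results (RFC 8601)."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2).lower() for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}

def analyze(raw: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    # 1. Reply-To steering answers to a domain other than the visible sender's.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: From {from_dom} but Reply-To {domain_of(reply_addr)}")
    # 2. An executive's display name on an address that executive never uses (webmail, lookalike domain).
    expected = KNOWN_SENDERS.get(normalise_name(from_name))
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name impersonation: '{from_name}' sent from {from_addr}")
    # 3. Claims to be internal, but SPF/DKIM/DMARC did not verify it: the headers are forged.
    verdicts = auth_verdicts(msg)
    if from_dom == INTERNAL_DOMAIN and verdicts.get("dmarc", verdicts.get("spf")) != "pass":
        findings.append(f"unauthenticated internal sender: {verdicts or 'no Authentication-Results'}")
    # 4. Sender domain mimicking a trusted one (same-name company registered elsewhere, typosquat).
    for trusted in TRUSTED_DOMAINS:
        if looks_like(from_dom, trusted):
            findings.append(f"lookalike domain: {from_dom} resembles {trusted}")
    # 5. Payment-pressure wording in subject and (single-part, for brevity) body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("payment pressure language: " + ", ".join(hits))
    return findings

# Constructed sample messages (not real mail); Authentication-Results models what our own MX would stamp.
SPOOFED_CEO_MAIL = """\
From: "Jane Doe, CEO" <jane.doe@example-corp.com>
Reply-To: jane.doe@examp1e-corp.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail

Please send the wire transfer before noon and keep this confidential.
"""
WEBMAIL_CEO_MAIL = """\
From: Jane Doe <janedoe.ceo@webmail.example>
Subject: Quick favour

Are you at your desk? I need a payment handled immediately.
"""
VENDOR_LOOKALIKE_MAIL = """\
From: Billing <ar@quantasupplier.example>
Subject: Invoice 4471 - new bank details
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=quantasupplier.example; dkim=pass; dmarc=pass

Our bank account has changed; please use the new bank details on the attached invoice.
"""
LEGITIMATE_MAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Q3 budget review notes
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass header.d=example-corp.com; dmarc=pass

Attached are the notes from this morning's review.
"""

if __name__ == "__main__":
    for label, mail in [("spoofed CEO", SPOOFED_CEO_MAIL), ("webmail CEO", WEBMAIL_CEO_MAIL),
                        ("vendor lookalike", VENDOR_LOOKALIKE_MAIL), ("legitimate", LEGITIMATE_MAIL)]:
        print(f"{label}: {analyze(mail) or 'no indicators'}")
```

Two of the samples show why no single check is sufficient: the spoofed CEO message uses the executive's exact address and so passes the display-name check, but fails SPF/DMARC; the vendor lookalike passes SPF, DKIM and DMARC for its own domain and is caught only by the domain-similarity comparison against the vendor list. A gateway should treat these indicators as reasons to hold the message for review, which is also why the phone-verification policy above remains the backstop for any change of payment details.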
IRONSCALES Fights BEC For You
The most advanced email security solutions can do much of the work for you in preventing business email compromise. IRONSCALES’ self-learning platform uses machine learning and user behavior analysis to rapidly detect any anomalies that are indicative of BEC scams.
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at ironscales.com/get-a-demo.