Business email compromise (BEC) is an example of where the line between cybercrime and cybersecurity blurs. In these scams a cybercriminal targets a company, and sometimes an individual, with the objective of extracting money. BEC scammers do this by exploiting the things that make a human tick: trust, deception and relationships. The scam does, however, sometimes involve an element of cyberattack, usually the theft of login credentials to hijack a legitimate email account. This is the point at which the line between cybercrime and cybersecurity is crossed.
The elements of a BEC scam place it in the middle of a human-centered cybercrime/cybersecurity spectrum, which means technology alone cannot prevent this crime. Instead, we have to take on the BEC scam using a two-pronged approach and apply countermeasures that address both technical and human factors.
The Human Side of Cybersecurity
The boundary between cybersecurity and cybercrime is becoming indistinct. As our cybersecurity systems respond to the changing threat landscape with more sophisticated defenses, the cybercriminal is also changing tactics. We are now in a contest where the human factor plays a central role in cybercrime techniques. This is also being reflected in the type of research carried out into cybersecurity. Cross government-industry organizations like The Hague Security Delta are exploring how human factors are used instead of, or alongside, technological ones. This approach is changing the face of cybercrime and cybersecurity, and how we respond to cyber threats.
The research currently being carried out in this area classifies crimes as either "cyber-dependent" (they could not exist without computers) or "cyber-enabled" (traditional crimes scaled up or made easier by computers). Fraud-related crimes typically fall under the banner of cyber-enabled. However, some crimes, including business email compromise, straddle both definitions. This is because to enact certain types of BEC scams you need to use a mix of human psychology and cybersecurity techniques: first stealing information (login credentials), then using the stolen accounts to deceive individuals before committing the fraudulent act.
In a crime such as BEC, the fundamental mode of operation is human-centered but cyber-enabled. The BEC fraudster is like an old-time con artist using some of the oldest tricks of the trade, but in a digital setting. These tricks involve:
- Surveillance: The fraudster will gather intelligence on the company, employees and potentially the extended company vendor ecosystem. They may do this over many weeks. The BEC scammer may reach out using emails or phone calls to establish a relationship and build a company profile.
- Trust: The BEC scammer bases their scam on using trusted relationships to commit the crime. This may be done by deceiving employees into thinking they are the CEO or another high-level executive in the company.
- Deception: The underlying motive behind a BEC scam is to deceive through trust. The BEC scammer plays on the trust between an employee and a CEO, or the trust between a company and vendor. They then deceive the company into transferring money to the scammer’s account.
- Conscientiousness: The desire to do a good job is often abused by the BEC scammer. Emails used to enact the money transfer will be tailored to elicit an emotional response. For example, the email may have a sense of urgency to deliver quickly or risk losing a good deal.
Exploiting this array of human factors is how the fraudster analyzes and steers the victim's behavior toward the ultimate outcome of the BEC crime: stealing money.
Business Email Compromise: More Than a Technology Problem
Business Email Compromise Prevention Measures
Note that the technical measures below only work against email account compromise. Some BEC scams never touch the victim's mailbox; they spoof a sender address or display name instead, so the human and procedural measures have to carry the rest of the load.
- Authentication: Use multi-factor authentication (MFA) on all email accounts to help prevent account compromise. This defeats stolen-password attacks, but does nothing against a scammer who simply spoofs a sender address from outside the organization.
- Anti-malware: Malware detection software can help prevent the types of BEC fraud that begin with credential-stealing malware, but not those that rely purely on deception.
- Security awareness training: Having an educated workforce that understands what a BEC scam is and how to spot possible scam emails is the first step to preventing BEC scams. BEC scam emails will often trick the savviest of us, so we have to be prepared. The whole scam depends on building a relationship, and human beings are naturals at this. Unlike poorly written phishing emails, BEC emails will be sent by a scammer who already knows your organization and the people who work in it. They will have achieved this over a period of time, building a profile of your organization and even communicating with members of staff by email or phone.
- Process and procedure: Put in place a system of checks, balances and procedures that circumvent trickery and deception. For example, if an email comes in from the CEO requesting a payment, confirm it with the CEO before acting. However, DO NOT click reply to the email received, because a spoofed message can carry a Reply-To header that routes your confirmation straight back to the fraudster. Instead, create a new email to the CEO using their known email address, or better still, call them on a number you already have on file. Require a second approver for any change to vendor bank details.
- Register all related domains: This involves thinking about what variations of your domain look similar and would easily pass for a legitimate email address. Some BEC scams rely on deceiving you by using slightly different email domains for the spoof email, e.g., Barb.Jones@finedining.com becomes Barb.Jones@finedinning.com. Registering the obvious typos yourself takes them out of the fraudster's hands, but there are more variants than anyone can register, so pair this with mail filtering that flags sender domains that are a letter or two away from your own.
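The lookalike-domain, Reply-To and display-name tricks described above can be caught with a few header checks at the mail gateway. The Python below is an added example, not code from the original article: the corporate domain finedining.com is taken from the article's own illustration, while the executive directory, the function names and the three sample messages are constructed for this demonstration.

```python
"""Heuristic checks for spoofed BEC senders.

Added example, not code from the original article. The corporate domain,
the executive directory and the three sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "finedining.com"  # assumed organisation domain (from the article's example)
# Constructed directory: normalised display name -> the address it should come from
EXECUTIVES = {"barb jones": "barb.jones@finedining.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; typosquatted domains usually sit 1-2 edits from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_variants(domain: str) -> set[str]:
    """Single-edit typosquats of a domain: doubled, dropped and swapped letters."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + ch + name[i:])          # doubled letter, e.g. finedinning
        variants.add(name[:i] + name[i + 1:])           # dropped letter, e.g. finedning
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # swapped pair, e.g. fniedining
    variants.discard(name)
    return {f"{v}.{tld}" for v in variants}


def check_sender(raw_message: str) -> list[str]:
    """Return warnings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    warnings = []

    # 1. Lookalike domain: close to ours but not ours (e.g. finedinning.com)
    if from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        warnings.append(f"lookalike sender domain: {from_domain}")

    # 2. Display-name impersonation: an executive's name on an address the directory does not know
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        warnings.append(f"display name '{display}' but address {addr} is not {expected}")

    # 3. Reply-To redirection: replies to the "CEO" would go to a mailbox the fraudster controls
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")

    return warnings


# Constructed samples. The first mirrors the article's finedinning.com example.
SAMPLE_LOOKALIKE = """\
From: Barb Jones <Barb.Jones@finedinning.com>
To: accounts@finedining.com
Subject: Urgent wire needed today

Please process the attached invoice before close of business.
"""

SAMPLE_REPLY_TO = """\
From: Barb Jones <barb.jones@finedining.com>
Reply-To: barb.jones.ceo@example.net
To: accounts@finedining.com
Subject: Quick favour

Can you confirm the vendor account balance?
"""

SAMPLE_CLEAN = """\
From: Barb Jones <barb.jones@finedining.com>
To: accounts@finedining.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE),
                          ("reply-to", SAMPLE_REPLY_TO), ("clean", SAMPLE_CLEAN)]:
        print(label, check_sender(sample) or ["ok"])
```

The lookalike sample trips two checks (the domain is one edit from finedining.com, and the display name belongs to an executive whose directory address it does not match); the Reply-To sample trips only the redirection check; the clean sample passes. The limitation the article points out still applies: a message sent from a genuinely compromised barb.jones@finedining.com mailbox looks exactly like SAMPLE_CLEAN and sails through, which is why the out-of-band confirmation step cannot be replaced by filtering.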
Putting in place the right mix of human-centered and technological defenses is the only realistic way to prevent BEC scams. As fraudsters become ever more capable, we are likely to see further use of deceptive techniques that manipulate our behavior and prey on our deep-seated reactions to certain situations, especially those that involve trust and wanting to "just do a good job."