
Keeping your inbox safe: How to prevent business email compromise

October 7, 2023 by Drew Robb

Phishing is by far the most reported type of cybercrime, and more than $2.7 billion in reported losses were attributed to business email compromise (BEC), according to the FBI’s 2022 Internet Crime Report. BEC is near the top of the charts in terms of cybercrime effectiveness, but it isn’t the only email-borne threat organizations must worry about.

There are three primary vectors for an email attack, explained John Wilson, Senior Fellow, Threat Research at Fortra (formerly at Agari), on the Cyber Work Podcast:

  • Malicious attachment: An email with an attachment that infects a computer if opened, installing unwanted software or stealing credentials. Examples include fake invoices and fake FBI crime reports that turn out to be malware.
  • Link-based attack: A malicious link in a phishing email, such as a fake message from PayPal saying your account is blocked. Typically, the goal is to capture account credentials.
  • Response-based attack: BEC falls in this category. A bad actor wants the user to hit reply, leading to a conversation that facilitates the con. Romance scams also use response-based attacks.

Business email compromise vs. phishing types 

Wilson explained the different types of phishing. Traditional phishing is simply blasting out bulk emails that pretend to be from a legitimate source to trick users into clicking a malicious attachment or link.

Spearphishing is a more targeted attack directed at a particular individual or group. The attacker forms a profile of the target from social media and other research and creates an email designed to trick the person into responding or clicking.  

Whaling, said Wilson, is just an attacker being a little greedier than somebody doing spearphishing. It has a higher level of danger and a higher potential payoff as it tends to target those in the C-suite who can, say, authorize a bank transfer on a moment’s notice.  


What is business email spoofing? 

Business email spoofing is sometimes thought of as BEC, but it is a little different. Business email spoofing is the impersonation of an executive, a vendor or somebody else in a trusted ecosystem without actually using their email account. This attack vector typically involves research to craft an interesting lure.  

True BEC attacks require email compromise — someone successfully breaks into an account. This doesn’t necessarily become apparent right away. It is common for email accounts to be hacked and their business conversations to be monitored by criminals for some time.

“When the time is right, they either inject themselves into the conversation directly from the compromised account, or they set up a lookalike domain or a Gmail account with the correct user name,” said Wilson. “As they’re armed with good intel and the history of this conversation, they jump in at just the right moment to do the most damage.”

Many attacks go one step further. As the FBI warned in its report, there is "an increasingly prevalent tactic by BEC bad actors of spoofing legitimate business phone numbers to confirm fraudulent banking details with victims."

Business email compromise examples 

There has been a definite upward trajectory in the effectiveness of cybercrime over the last few years. With it came the desire to go after bigger targets; hence, BEC is becoming more common.  

The attacker needs a compromised account and a feasible scam scenario, often mirroring something expected to happen soon in the real world.  

“It’s been increasing year over year as more people realize there’s good money to be had if you’re successful at BEC,” said Wilson.  


Fake financial transaction BEC scam 

Say the boss has a deal being negotiated with someone in Hong Kong — perhaps an acquisition or a major order. If someone is spying on the conversation, they may hijack the boss’s email, interject some fake urgency about the deal and ask someone in finance to send millions of dollars immediately to a certain account.  

An unwitting insider then helps the assailant complete a transaction they believe to be genuine. By the time anyone verifies the details, the money has vanished.

W-2 request BEC scam 

Another example is somebody impersonating a CEO or other executive and sending an email requesting a copy of all employee W-2s.

Someone in HR complies, leading to identity theft against several employees, fake filings for tax refunds and the IRS sending their refund checks to other parties.

Real estate BEC scams 

Most real estate agents are independent brokers. Many use personal Gmail or Yahoo accounts. They generally lack the protection afforded by corporate email security layers. Once their credentials are compromised, a criminal can read a copy of every message to and from the person.  

For example, a young couple is buying their first home. They’re supposed to show up with a down payment check at closing the next morning. The scammer waits until the real estate agent has signed off for the day, then sends an email:

“Hey, make sure you wire your down payment funds to this bank account before you come to closing on Friday.”  

You end up with a BEC-victimized couple on the hook for a home loan, but without a home — and their down payment has disappeared.  

Business email compromise prevention  

Wilson’s advice to organizations wondering how to prevent business email compromise is to take a layered approach to security. That might include: 

  • Multifactor authentication 
  • Implementation of good spam filters 
  • Deploying intelligent systems that can spot potential BEC activity and anomalous patterns 
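As an added illustration (not code from the article, Fortra or Agari), the following Python applies three of the signals the page describes to constructed message headers: a trusted display name arriving from a free-mail or other untrusted domain, a lookalike of a trusted domain, and a Reply-To header that diverts the conversation elsewhere. The contact list, threshold and sample messages are assumptions made for the demo; a real deployment would feed these checks from the directory and mail gateway.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed contact list: display name -> the domain that name should send from.
TRUSTED_CONTACTS = {"jane doe": "acme-corp.com"}
LOOKALIKE_MAX_EDITS = 2  # assumed threshold for "too close to a trusted domain"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC red flags found in one message's From/Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        # Correct display name, wrong sending domain (e.g. a free-mail account).
        flags.append(f"display name '{name}' sent from untrusted domain {domain}")
    for trusted in set(TRUSTED_CONTACTS.values()):
        if domain != trusted and edit_distance(domain, trusted) <= LOOKALIKE_MAX_EDITS:
            flags.append(f"lookalike domain {domain} resembles {trusted}")
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        # Replies silently go somewhere other than the apparent sender.
        flags.append(f"Reply-To redirects the conversation to {reply_to}")
    return flags


# Constructed sample messages; none of these addresses are real.
SAMPLE_MESSAGES = {
    "legit": "From: Jane Doe <jane.doe@acme-corp.com>\nSubject: Q3 invoice\n\nAttached.\n",
    "freemail": "From: Jane Doe <jane.doe@gmail.com>\nSubject: Urgent wire\n\nToday please.\n",
    "lookalike": "From: Jane Doe <jane.doe@acme-corp.co>\nReply-To: jane.doe@acme-corp.co\n"
                 "Subject: New bank details\n\nUse the account below.\n",
    "replyto": "From: Jane Doe <jane.doe@acme-corp.com>\nReply-To: jane.doe@mail-acme.net\n"
               "Subject: Payment\n\nConfirm by reply.\n",
}


def scan_all() -> dict[str, list[str]]:
    """Run the checks over every sample and return the flags per message."""
    return {label: bec_indicators(raw) for label, raw in SAMPLE_MESSAGES.items()}
```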

He is also a strong advocate of regular security awareness training for employees. 

“Train your employees thoroughly and use phishing simulation emails to find out who is most susceptible to scamming,” said Wilson. “Good internal security policies should also be used to enforce best practices among IT and employees as a whole.”  

Drew Robb

Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.