Business email compromise (BEC) scams level up: How to spot the most sophisticated BEC attacks

October 27, 2020 by Daniel Dimov

Introduction to BEC attacks

The term “business email compromise” (BEC) refers to the use of email fraud with the aim to accomplish malicious purposes. BEC attacks usually rely on the lack of information security awareness of the employees of the targeted organizations. These employees often open malicious attachments and visit malicious web pages without any security precautions. 

BEC attacks are widely spread. Just within the time period between 2016 and 2018, fraudsters succeeded to make more than $5 billion from BEC attacks. As a result of the popularity of the BEC attacks, many organizations started carefully scrutinizing their email correspondence in order to identify and neutralize malicious messages. This, in turn, pushed cyber-attackers to develop new and sophisticated forms of BEC scams that are difficult to detect. For example, the Russian hacker group Cosmic Lynx relies on very well-written and highly customized fraudulent emails which have a high potential for misleading the recipient. 

In this article, we will examine in detail the sophisticated BEC attacks initiated by the Russian group Cosmic Lynx. Afterwards, we will provide guidelines on how to avoid advanced BEC attacks. 

The Cosmic Lynx BEC attacks

More than 200 BEC attacks have been conducted by Cosmic Lynx since 2019. The group sent malicious emails to recipients in 46 countries. Many of the targeted individuals are employees at large organizations, including Global 2000 and Fortune 500 companies.

Cosmic Lynx is one of the first hacker organizations to use highly sophisticated phishing messages that are difficult to be identified as suspicious. 

Before describing the content of those messages, it is worth mentioning that most phishing messages are relatively easy to be regarded as such because they contain numerous typos as well as grammar and spelling mistakes. Furthermore, phishing messages usually contain too simple language that immediately raises concerns. 

However, the messages used by Cosmic Lynx do not contain grammatical and spelling errors and include complex words, such as “synergistic” and “accretive.” This often disperses any suspicions regarding the authenticity of the messages. The members of Cosmic Lynx have likely hired professional proofreaders and/or translators to create the messages. Crane Hassold, an information security researcher, noted in respect to the sophistication of the Cosmic Lynx attacks: “When you look at a Cosmic Lynx BEC attack, it is miles beyond what we generally see.

The Cosmic Lynx attacks include two steps. The first step is to send an email to an employee of a targeted organization, purporting to be from the organization’s CEO. The email states that an Asian company is about to close an acquisition with the targeted company and, therefore, the targeted employee must cooperate with an external legal counsel who will arrange the deal. The targeted employee is requested to keep the email in confidentiality, as mergers and acquisitions are generally sensitive business matters. 

It is important to note that Cosmic Lynx uses email spoofing in order to lure the recipient of the email that it was actually sent by the CEO of the company concerned. Email spoofing refers to the creation of email messages with forged sender email addresses.

Once the targeted employer receives the first fraudulent message, the second step of the attack begins. It relates to the introduction of the “lawyer” to the targeted employee. The fraudsters use the identities of real attorneys to avoid suspicions. They send the “lawyer’s email” from a domain name that is similar to the actual domain name of the law firm at which the real attorney works. The email includes a photo of the attorney, a confidentiality disclaimer and a link to the firm’s website. 

The letter sent by the attorney requests the targeted employee to send thousands or even millions of dollars to the scammers in order to finalize the “acquisition.” The payments need to be sent to mule accounts in Hong Kong. The term “mule account” refers either to an account either created based on false documents or by a legitimate customer who allows the fraudsters to use his or her account for malicious purposes.

Avoiding advanced BEC attacks

To identify and neutralize BEC scams similar to the Cosmic Lynx scam described above, organizations need to increase their information security awareness. This can be done by enrolling their employees in training programs teaching them how to recognize fraudulent messages. For example, such training needs to include instructions on how to find out whether an email was sent by using email spoofing and how to verify the sender of a suspicious message.

To avoid BEC attacks, organizations also need to have reporting policies requiring all their employees to report any suspicious emails to the information security department. The latter will examine them and, if those emails are deemed to be legitimate, will allow the relevant employee to act on them. 

Such reporting policies are of utmost importance, as even a well-trained employee may have doubts regarding certain emails. It is not reasonable to expect that the expertise of regular employees (even those trained in information security) can substitute for the expertise of information security specialists.


BEC attacks are becoming increasingly difficult to detect and, therefore, organizations need to take urgent measures to avoid becoming victims of such attacks. It is no longer enough to rely on spelling and grammar mistakes and other obvious signs to identify a BEC attack. The Cosmic Lynx attacks examined above have shown that hackers can use well-written messages to lure their victims.

The prevention measures against BEC attacks need to include at least raising the information security awareness of the organization’s employees and creating reporting policies providing guidelines on how to report suspicious email to the information security department of the organization concerned.



We Need To Talk About Mule Fraud, Forbes

Russian Cyber Gang ‘Cosmic Lynx’ Focuses on Email Fraud, DARKReading

19 Small Business Trends and Predictions for 2018, Cassel Salpeter & Co.

Posted: October 27, 2020
Daniel Dimov
View Profile

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.