What is Business Email Compromise (BEC)?
Social media platforms may be a popular communication mode, but email remains the preferred business communication tool. The Radicati Group expects this love affair with email to grow to 319.6 billion emails sent and received — per day — by 2021. It’s no wonder the beady eyes of the cybercriminal are focused on ways to compromise one of the most beloved of communication tools.
Business email compromise (BEC) can be thought of as spearphishing on steroids. Sometimes called whaling or man-in-the-email, it is a way of tricking employees into handing over large amounts of money. The FBI found between October 2013 and December 2016, there was over $5.3 billion lost to BEC scams worldwide. BEC uses the most successful tricks of the phishing trade, misuse of trust and deception.
Phishing simulations & training
How Does Business Email Compromise Work?
As with many of the most successful cyber attacks, BEC is a multi-component stealth exercise, mixing technology and the human factor.
BEC can be broken down into four stages:
- The profiling stage: The trust BEC fraud relies on is based on surveillance of a target organization. The cybercriminal needs to understand how the target ticks and this intelligence is needed to jump the trust-barrier hurdle. This may involve spearphishing to gain access to a system to install malware or harvest credentials. They then use this to exfiltrate information and gain unauthorized access to executive calendars and schedules. This allows the cybercriminal to build a knowledgeable profile of the victim — often a high-level executive in the company.
- The playing-with-you stage: The information gathered when profiling the company gives the cybercriminal an understanding of the hierarchy of the organization. They choose one or more targets — usually someone in the financial structure of the organization who can make payment decisions. The cybercriminal may groom the target individual using phone calls or emails, getting to know them over the course of several weeks. This builds trust between the cybercriminal and the target individual.
- The going-in-for-the-kill stage: Once the trust barrier has been crossed, the cybercriminal will send the “killer email” requesting a transfer of funds. At this point, the target individual has built a relationship, trusts this person and may not see what is coming next.
- The cash-in-and-run stage: The previous stage ends in a wire transfer to an account controlled by the cybercriminal(s).
What Are the Types of Business Email Compromise?
Example BEC scams types tend to be variations on a theme. Three common types include:
CEO Impersonation
This type of BEC crime focuses on close surveillance, mimicry, deception and trust. The cybercriminal either hacks into or spoofs the email of the organization CEO. Spoofed emails are a favorite as they are easy to disguise. For example, tina.mathews@mycompany.com could be tina.matthews@myycompany.com. The cybercriminal then sends an urgent email to their financial department head. The email will put the officer under pressure to send funds immediately to a given bank account or lose an important deal.
Bad Invoice in My Favor
There are two flavors of this ruse:
Email compromise: Another favorite of the BEC scammer is to take a legitimate invoice and adjust it — a kind of Monopoly, “bank error in my favor” attack. In this scenario, the cybercriminal again uses deception and trust as the basis of the attack. The cybercriminal surveils the financial department of an organization before phishing a specific company employee — usually in accounts payable. The spearphishing email allows them to harvest credentials and compromise the email account. They then watch emails, intercepting any that contain an invoice. They amend the payment instructions on a chosen invoice and allow it to be processed — straight into their bank account.
Email spoof: Another way to get the illegitimate invoice in front of accounts payable is to use the same spoofing method used in CEO impersonation. This time, an invoice is seemingly sent out from a known vendor (legitimate vendors to impersonate are identified during the surveillance stage). The email address carrying the invoice is so similar to the legitimate vendor that it goes unnoticed as being a spoof. Payment made — job done.
CEO Death by Attorney
This scam has elements of CEO impersonation fraud. A cybercriminal identifies the CEO of an organization (easy enough). They then send out a compromised or spoofed email from that CEO with details of a “secret company acquisition” or something similar to the finance department. The email states an attorney will follow up with instructions on how to process the deal. The person who has received the email is essentially co-opted into this “secret and important deal” — building a trusted and special relationship. Finally, the financial representative receives an email or phone call from the “attorney” with the wire transfer details. They then use these details to transfer the money and seal the deal.
The above scenarios are variants on a theme and you should expect more of the same, but in different flavors.
Business Email Compromise: Real-World Case Studies
Here are three real-world examples of BEC scams:
- Walter Stephan, the CEO of Austrian company FACC Operations GmbH, was sacked after the organization lost $47 million due to a BEC scam.
- 17 different Dallas firms were scammed out of $600,000 by a sophisticated CEO impersonation BEC scam.
- Belgian bank Crelan lost 70 million euros in a CEO impersonation scam.
How to Spot a Compromised Email in Your Company
According to Proofpoint, 50% of malicious compromised emails target the CFO and 25% target HR inboxes. To prevent these types of attacks, an organization needs to be prepared and security aware. These tips will give you a good starting point to protect yourself and your company from even the most sophisticated of business email compromise scams.
- Train your staff on the problem: Knowledge is power and just knowing that this problem exists will put it on your company and employees’ radar. Train staff to recognize and look out for the types of methods used by cybercriminals in BEC scams. For example, double-check email addresses are correct, invoices make sense, and that phone calls are with known persons or have a special keyword to identify callers. Vigilance is an important part of the solution.
- Checks and balances: Make sure there is a company policy of checks and balances when dealing with financial transactions — especially for larger amounts. Perhaps, if the amount is over a set limit, then the CEO or CFO has to verbally confirm the request is legitimate.
- Domain control: Register all domains that are similar to your main domain — think like a cybercriminal.
- Malware watch. Some BEC scams rely on malware infection. Follow rules to reduce the likelihood of malware infection on computers.
In future articles, we will look in more detail at some of the ways that BEC impacts our business and how to prevent business email compromise with a combination of technology and security awareness training.
Phishing simulations & training
In this Series
- What is Business Email Compromise (BEC)?
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
