Skip Navigation

October 14, 2020 |

How to spot business email compromise

Loading table of contents...

Imagine this: it’s six in the evening, and you’re wrapping up a few things for work and getting ready to shut down for the day when you get an email in your inbox. It’s an urgent message from the CEO asking you to initiate a wire transfer to finalize a deal with a partner, and it’s needed immediately.

There’s just one problem: it’s not actually from your CEO. It’s an attacker attempting to launch a business email compromise attack.

What is business email compromise?

Business email compromise (BEC) is a low-cost cyber crime tactic that is becoming more common and more effective. These attacks pose a serious risk to companies that manage financial transfers and payments—for example, costs to Canadian companies have been estimated at approximately $33 million since 2016 alone.

The good news is that understanding how BEC works can help you spot suspicious activity early, such as phishing attempts, and avoid a costly attack.

How business email compromise works

At its core, BEC is a social engineering scam. Cyber attackers pose as company executives, or a company’s third-party vendors and suppliers, to initiate financial transfers to an account attackers control.

But to pose as executives or vendors, they need a disguise. Attackers need access to the right account, or at least credentials that look close enough to the real thing, to make the transfer look like the real deal.

These credentials are typically gathered through a variety of other low-profile attacks and tactics that might not immediately raise a red flag with a user. For example, spear phishing is a common technique used by attackers to target specific users (in the case of BEC, C-suite executives) and uses emails designed to lure them into clicking a malicious link or downloading a malicious attachment.

This typically brings users to a hosted interface designed to look like a genuine authentication interface (such as Microsoft’s, as an example) that then encourages users to enter their credentials by way of a password reset prompt or similar phishing hook. No malware is required, making these attacks incredibly low-cost.

Here are a few other techniques an attacker might use to accelerate their attack or access additional accounts:

Inbox forwarding rules

Email inbox rules let attackers forward all or select emails to an account they control. This can persist even after the password of the compromised account has been changed. Rules might also be created to hide correspondence between the account and other victims.

Lateral movement

When an attacker is able to “move” between workstations or accounts on a corporate network, they’re engaging in lateral movement.

For example, a successful phishing attack on an employee in one department may provide attackers with the access they need to target other users in other departments on the network. They may also move on to target further clients, or to target users up or down the supply chain.

Typo-squatted domains

To further their phishing attempts, some attackers use a URL or domain that’s almost, but not quite, identical to a legitimate user or company (such as g0ogle.com) to get users to click through to fraudulent login pages that can then be used to collect credentials.

These domains may continue to be used even after access to a fraudulent domain has been lost.


Arm your employees with the right tools

Get a free copy of The Employee Cyber Security Handbook today.

Download now


How to stay ahead of BEC attacks

Regardless of how they seize accounts or who they impersonate, attackers will search through compromised accounts to gather additional information to make a BEC attack look as authentic as possible.

That authenticity lends itself to some of the most common attack types:

  • Invoice payment requests: Attackers may use a legitimate or falsified invoice from one of your vendors or suppliers to request a payment to an account they control.
  • CEO fraud: As we’ve discussed above, attackers may pose as your CEO (or another high-ranking executive) in order to request a payment to an account they control.
  • Legal impersonation: Along the same lines as CEO fraud, in legal impersonation (sometimes called attorney fraud), attackers pose as a lawyer requesting sensitive information or payment as part of their duties or responsibilities.

As discussed, these are all variations of social engineering scams. While these attacks vary in technique and target, there are a few things you can watch for to help identify a BEC attack early and protect your business.

Potential indicators of a BEC attack

There are several "red flags" of a BEC attack, including:
  • Spoofed email addresses that use a variation on an executive’s name (Steve instead of Steven) or a domain could indicate an attempted BEC attack
  • Generic terms or an unfamiliar tone of voice (for example, a formal “Dear Sir” from a coworker or a dramatic increase in typos) from a contact you correspond with regularly may be a sign an account has been seized by an attacker.
  • Unfamiliar file formats or extensions being passed off as authentic documents, such as a file being named “Presentation.pptx” despite being a different format altogether.
  • Urgent requests to transfer funds or initiate a payment, potentially circumventing company policies and procedures.

Defending against business email compromise

Taking the time to train employees and staff at all levels of your company can help you spot potential BEC attacks early. Organizations should also consider additional validation methods for invoicing that involve adding verification layers and controls that extend beyond email.

Ensuring your workforce is fully briefed on procedures around invoicing, payments, and financial policies, and what to do if they suspect they’re being phished, can help reduce the likelihood of a successful attack.

But attacks aren’t waiting on you to get into the office.

Monitoring all aspects of your IT network, no matter where work takes place—including cloud services and other remote work assets—can help you identify vulnerabilities that an attacker may exploit or provide greater insight into the source of a suspicious email. With continuous monitoring and automated alerting, you’ll be able to identify threats to your network early and close gaps in your security that could lead to an attack.

Arm your employees with the cyber security knowledge they need. Get a free copy of The Employee Cyber Security Handbook.