Business email compromise (BEC) is a low-cost yet effective cybercrime technique that uses social engineering and deception to manipulate potential victims and gain unauthorized access to sensitive information.
According to the most recent Microsoft Cyber Signals report, there were 35 million business email compromise attempts in 2022. The same year, the FBI's Recovery Asset Team launched the Financial Fraud Kill Chain in response to 2,838 BEC complaints involving domestic transactions. These complaints involved losses exceeding $590 million.
Unfortunately, BEC poses a significant risk to organizations worldwide and can result in substantial financial losses. While large corporations often grab the headlines, small and medium businesses are increasingly in the crosshairs due to their often-limited cybersecurity resources and defenses.
What is business email compromise?
At its core, business email compromise is a social engineering attack that exploits our trust in our email inboxes. In many cases, a cybercriminal will impersonate a high-ranking executive or a trusted vendor, usually via email, to deceive an employee, client, or vendor into transferring money or sensitive data.
BEC scams exploit both technical vulnerabilities in a company's security infrastructure and human susceptibilities. Unlike traditional phishing scams, BEC attacks are better crafted and more targeted.
They use a deep understanding of human psychology, social engineering, and organizational processes to deceive their victims. The attackers thoroughly research their targets to understand the business's hierarchy and identify employees with the authority to move money or access sensitive information.
These scams are a huge threat, given their ability to bypass traditional email security measures and the difficulty of recovering funds once transferred.
There's good news, though. Proactive and comprehensive cybersecurity measures can protect your business against these increasingly prevalent attacks, but we'll dig into that later.
How does business email compromise work?
BEC attacks can be carried out in many different ways, although most include some or all of these key components:
- Reconnaissance: Attackers choose their target and then thoroughly investigate the organization's structure, key personnel, and communication patterns, often using public data and social media platforms.
- Phishing email: A deceptive email designed to trick recipients into sharing sensitive data or conducting a financial transfer is sent to the target, usually framed as an urgent and necessary request.
- Credibility: Attackers mimic insider language, legitimate emails, or the organization's signature block in the deceptive email to increase the probability of their success.
- Compromised email accounts: Through credential phishing or exploiting security vulnerabilities, attackers may gain control of a legitimate business email account.
- Financial transactions: In most cases, the ultimate goal of a BEC scam is a fraudulent financial transaction. The attacker poses as an executive or vendor and instructs an employee to move funds to their controlled account.
- Covering tracks: To evade detection, attackers attempt to hide their activities, for example by deleting email threads or setting up rules that automatically delete future replies. This buys them more time to get away with the stolen funds.
Common business email compromise tactics
Cybercriminals employ various tactics to make their attacks more effective and harder to detect, so it's important to recognize them and understand how they work to develop robust defenses. Here are a few of the most common methods used in BEC scams.
Inbox forwarding rules
Inbox forwarding rules automatically redirect incoming emails, either all of them or a selected subset, to an attacker-controlled account. This lets the attacker keep receiving the victim's email even after the password for the compromised account is changed.
An attacker, for instance, might create a rule to forward all emails with the word "invoice" in the subject line or emails from a specific sender. The attacker may also create rules to hide correspondence between the compromised account and other victims, making it more difficult to detect the breach.
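The two rule patterns described above, forwarding to an outside address and hiding correspondence, are both visible in a mailbox's rule list or audit log. The following is an added example, not Field Effect's or Covalence's code, that screens a batch of rule records for those patterns. The record layout, the owned domain `example.com`, the keyword and folder lists, and the sample rules are all constructed for this example:

```python
"""Added example, not Field Effect's or Covalence's code: screen mailbox
rules for the two BEC patterns described above, forwarding mail to an
attacker-controlled address and hiding correspondence from the victim.
The record layout and the sample rules are constructed for this example."""

OWN_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Keywords and folders typical of rules that siphon or hide financial mail
FINANCIAL_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Constructed sample rules; the field names are an assumption, not a vendor schema
SAMPLE_RULES = [
    {"user": "alice@example.com", "name": "Invoices",
     "conditions": {"subject_contains": ["invoice"]},
     "actions": {"forward_to": ["collector@mail-example.net"]}},
    {"user": "bob@example.com", "name": "Newsletters",
     "conditions": {"from": ["news@vendor.example"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"user": "alice@example.com", "name": ".",
     "conditions": {"subject_contains": ["payment", "wire"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"user": "carol@example.com", "name": "Copy to myself",
     "conditions": {},
     "actions": {"forward_to": ["carol@example.com"]}},
    {"user": "dave@example.com", "name": "Cleanup",
     "conditions": {"from": ["alerts@example.com"]},
     "actions": {"delete": True}},
]


def is_external(address, own_domains=OWN_DOMAINS):
    """True when the address belongs to a domain the organisation does not own."""
    return address.rsplit("@", 1)[-1].lower() not in own_domains


def analyse_rule(rule, own_domains=OWN_DOMAINS):
    """Return the reasons a rule looks like BEC tradecraft; empty list if none."""
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    reasons = []

    # Pattern 1: forwarding to an address outside the organisation
    external = [a for a in actions.get("forward_to", []) if is_external(a, own_domains)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))

    # Pattern 2: hiding mail, but only when paired with another tell, so that
    # an ordinary cleanup rule (e.g. deleting internal alerts) is not flagged
    hides = (actions.get("move_to_folder", "").lower() in HIDING_FOLDERS
             or bool(actions.get("delete")))
    keywords = {k.lower() for k in conditions.get("subject_contains", [])} & FINANCIAL_KEYWORDS
    near_empty_name = len(rule.get("name", "").strip()) <= 1
    marks_read = bool(actions.get("mark_as_read"))
    if hides and (keywords or near_empty_name or marks_read):
        tells = []
        if keywords:
            tells.append("financial keywords " + ", ".join(sorted(keywords)))
        if near_empty_name:
            tells.append("near-empty rule name")
        if marks_read:
            tells.append("marks mail as read")
        reasons.append("hides matching mail (" + "; ".join(tells) + ")")
    return reasons


def find_suspicious_rules(rules, own_domains=OWN_DOMAINS):
    """Return (user, rule name, reasons) for every rule worth an analyst's attention."""
    findings = []
    for rule in rules:
        reasons = analyse_rule(rule, own_domains)
        if reasons:
            findings.append((rule["user"], rule.get("name", ""), reasons))
    return findings


if __name__ == "__main__":
    for user, name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(f"{user} rule {name!r}: " + "; ".join(reasons))
```

Run against the sample, only Alice's two rules are reported: the external forward on "invoice" subjects, and the near-nameless rule that files "payment" and "wire" mail into RSS Feeds already marked as read. Carol's forward to her own address and Dave's deletion of internal alerts are left alone, which is the point of requiring a second tell before flagging a hide-or-delete rule.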
Typo-squatted domains
Typosquatting, also known as URL hijacking, is another frequent tactic. Attackers create a domain that looks similar to that of a legitimate service or company, such as g0ggle.com instead of google.com.
Attackers frequently use these typo-squatted domains in spear phishing attacks paired with credential harvesting interfaces. These fraudulent login pages are designed to collect credentials from unsuspecting users. With financial redirection attacks, attackers may use these domains to continue correspondence when they lose access to a compromised account.
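Look-alike domains can be screened for on inbound mail rather than only at registration time. The following is an added example, not Field Effect's or Covalence's code: it undoes common character substitutions (such as the `0` for `o` in g0ggle.com), then compares the sender's domain to the domains you own by edit distance and checks for your domain being embedded as a subdomain of someone else's. The owned domain `example.com`, the substitution table, the thresholds and the sample From: headers are constructed for this example:

```python
"""Added example, not Field Effect's or Covalence's code: flag sender domains
that imitate a domain you own, using look-alike character normalisation,
an edit-distance check, and a check for your domain being embedded as a
subdomain. Owned domains and sample messages are constructed."""
from email.utils import parseaddr

OWNED_DOMAINS = {"example.com"}  # assumption: domains the organisation owns

# Common substitutions seen in typo-squatted names (digit-for-letter, "rn" for "m")
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalise(domain):
    """Lower-case the name and undo common look-alike substitutions."""
    d = domain.lower().strip().rstrip(".")
    for glyph, letter in LOOKALIKES.items():
        d = d.replace(glyph, letter)
    return d


def main_label(domain):
    """The label before the TLD ('example' in 'example.com'); naive, ignores public suffixes."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, owned=OWNED_DOMAINS, max_distance=1):
    """Return the owned domain that sender_domain imitates, or None."""
    raw = sender_domain.lower().strip().rstrip(".")
    if raw in owned or any(raw.endswith("." + o) for o in owned):
        return None  # genuinely ours; whether it was really sent by us is SPF/DKIM/DMARC's job
    norm = normalise(raw)
    for own in owned:
        # our domain used as a subdomain of a stranger's, e.g. example.com.secure-login.net
        if norm.startswith(own + ".") or ("." + own + ".") in norm:
            return own
        # a typo, a look-alike character, or a different TLD on the same name
        if edit_distance(main_label(norm), main_label(own)) <= max_distance:
            return own
    return None


def sender_domain(from_header):
    """Domain part of a From: header value, '' if it cannot be parsed."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1] if "@" in address else ""


# Constructed From: headers, the kind a mail gateway or SIEM would hand you
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <ap@example.com>",
    "CFO <cfo@exarnple.com>",
    "IT Support <support@examp1e.com>",
    "HR <hr@example.co>",
    "Portal <noreply@example.com.secure-login.net>",
    "Vendor <billing@vendor-portal.net>",
]


def screen_messages(from_headers, owned=OWNED_DOMAINS):
    """Return (header, imitated domain) for every sender that looks like one of ours."""
    hits = []
    for header in from_headers:
        imitated = lookalike_of(sender_domain(header), owned)
        if imitated:
            hits.append((header, imitated))
    return hits


if __name__ == "__main__":
    for header, imitated in screen_messages(SAMPLE_FROM_HEADERS):
        print(f"{header}  looks like  {imitated}")
```

The edit-distance threshold of 1 is deliberately tight: with short owned names a looser threshold produces many false positives, so raise it only for long, distinctive domains. The `main_label` helper is naive about multi-part public suffixes such as `.co.uk`; a production version would use a public-suffix list.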
Lateral movement
Lateral movement refers to the techniques attackers use to navigate within an organization's network once they have gained access. In a BEC attack, attackers often use access to a legitimate account to compromise other accounts within the organization or even move on to other clients.
We've observed several instances of lateral movement where attackers would send spear phishing emails to colleagues and clients of a compromised employee to gain access to a different person, department, or entirely new target. If attackers have not already done so during initial exploitation, they might also spread malware to other victims on the network.
These tactics highlight the importance of a comprehensive cybersecurity strategy that can detect and respond to these threats in their initial stages, before causing significant damage.
Types of business email compromise scams
Cybercriminals use a variety of approaches, each with unique traits and intended outcomes. Here are six common types of BEC scams:
- Fake invoice scams: Cybercriminals pose as suppliers, sending fraudulent invoices to companies for services or goods, hoping they'll send payments to the attackers' accounts.
- Wire fraud scams: Scammers impersonate executives or trusted partners, pressuring targets into making swift wire transfers for allegedly urgent or secret matters.
- Data theft: Attackers, targeting human resources or executive departments, seek to compromise email accounts to access sensitive data for further attacks, sale on the dark web, or identity theft.
- Attorney impersonation: Scammers pretend to be company lawyers needing urgent attention on confidential matters, aiming to extract swift payments or sensitive data.
- CEO fraud (whaling): Pretending to be a top executive, scammers trick employees into transferring money or revealing confidential information, exploiting the target's reluctance to question orders.
- Human resources fraud: Attackers impersonate HR staff to extract personal information from employees or modify direct deposit details to reroute paychecks to their accounts.
Why is BEC difficult to detect and defend against?
BEC scams are sophisticated. The threat actors often have an in-depth understanding of their targets, the relationships between them, and their usual communication patterns. As a result, they can design their attacks to fit neatly into these established patterns, making the scams hard to identify unless actively monitored.
Unlike many cyber threats, BEC scams usually don't involve malware and can slip by most antivirus software. Attackers manipulate victims into providing the information or access they need, primarily through social engineering. This approach sidesteps many traditional cybersecurity defenses, which focus more on blocking malicious software.
The common BEC tactic of utilizing legitimate but compromised email accounts makes them even harder to pin down. After all, these emails are coming from a trusted source. Attackers often go the extra mile by mimicking the writing style and tone of the individual they're impersonating to make their scams even more persuasive.
The requests made in the scam emails (such as transferring funds or sending information) won't look out of place. In a hectic work environment, employees might fulfill these requests without giving them a second thought—especially if it seems like it's coming from a boss.
The human factor is arguably the most complicated aspect of dealing with BEC scams. It's a daunting task to keep all employees constantly vigilant, and ensuring everyone has the right knowledge and tools to identify these scams is even tougher.
Tips to prevent business email compromise
Despite the complexity and sophistication of BEC attacks, there are ways to mitigate these threats. Layers of defense work together to secure your business from various angles, for example:
- Employee training and awareness: Regularly train employees to recognize BEC attacks, including identifying phishing emails and verifying unusual requests.
- Strong passwords and multi-factor authentication (MFA): Implement strong password policies and MFA to enhance account security and reduce the risk of account compromise.
- Email filtering and security: Deploy robust email security solutions to detect and block phishing emails and malicious content.
- Set SPF and DMARC policies: Implement Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to prevent email spoofing by verifying sender identities.
- Vendor and payment verification: Develop policies for verifying payment details directly with vendors, especially for large transactions or changes in payment information.
- Incident response plan: An IR plan won't necessarily prevent an attack from happening, but it is an important part of your security. Create a plan that outlines the steps to contain and mitigate damage once a BEC attack is detected.
- Regular security assessments: Conduct frequent security assessments, including penetration testing and vulnerability scanning, to identify and address potential risks.
- Secure communication channels: Use encrypted communication channels to transmit sensitive information to ensure confidentiality and integrity.
- Monitoring and suspicious activity detection: Monitor email accounts for unusual activities, such as unfamiliar email forwarding rules or sudden changes in the email content.
- Continuous education and updates: Stay informed about emerging threats and adapt security measures accordingly through continuous education and regular updates for staff members.
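Publishing SPF and DMARC records is only half of the item above; a record with `?all` or `p=none` exists but stops nothing. The following is an added example, not Field Effect's or Covalence's code, that parses a domain's SPF and DMARC TXT records and reports the settings that leave it spoofable, with a weak pair of records beside the corrected pair. The records are constructed strings (the `_spf.mailer.example` include and the report address are placeholders) and no DNS lookup is performed:

```python
"""Added example, not Field Effect's or Covalence's code: parse a domain's SPF
and DMARC TXT records and report settings that leave the domain spoofable.
The records below are constructed strings; no DNS lookup is performed."""

# Constructed records: a weak pair beside a corrected pair for the same domain
WEAK_SPF = "v=spf1 include:_spf.mailer.example ?all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 mx include:_spf.mailer.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return the SPF terms and the qualifier on 'all', or None if not an SPF record."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = parts[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        qualifier = None
    elif all_term[0] in "+-~?":
        qualifier = all_term[0]
    else:
        qualifier = "+"  # a bare 'all' means pass
    return {"terms": terms, "all_qualifier": qualifier}


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if not a DMARC record."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_txt, dmarc_txt):
    """List weaknesses that let a stranger send mail that passes as this domain."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("SPF: no valid v=spf1 record")
    else:
        q = spf["all_qualifier"]
        if q is None:
            findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
        elif q in "+?":
            findings.append(f"SPF: '{q}all' lets any server pass as this domain")
        elif q == "~":
            findings.append("SPF: '~all' softfails only; acceptable if DMARC enforces")
        lookups = sum(1 for t in spf["terms"]
                      if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10, record is permerror")

    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record, SPF/DKIM failures carry no consequence")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

The weak pair yields three findings (`?all`, `p=none`, no `rua=`); the corrected pair yields none. Moving from `p=none` to `p=reject` is normally done in stages after reading the aggregate reports, since a hard policy also rejects your own mail from any sender you forgot to list in SPF or sign with DKIM.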
Defending against BEC with Covalence
Business email compromise attacks are a growing threat in today's digital landscape. They're stealthy and often slip through the cracks of traditional security measures.
Tackling BEC calls for a comprehensive, agile, and proactive approach to cybersecurity. For example, Field Effect's cybersecurity solution, Covalence, arms your business with the tools to outsmart BEC attackers at every turn:
- It detects and alerts you if suspicious inbox rules have been created on accounts, helping thwart attackers' attempts to siphon information covertly.
- You receive notifications when someone registers potential typo-squatting domains for the domains you own.
- It monitors for authentication events to your user accounts from outside your company's service area or from low-reputation IPs.
Remember, the cost and effort for attackers to execute a BEC attack are minor compared to the damage they can cause. The stakes are high, but Covalence proactively protects and empowers your business to face and mitigate the threat. Contact us today to fortify your business against business email compromise.