What is Business Email Compromise (BEC) And How To Prevent It
Organizations around the world regularly fall victim to business email compromise (BEC) attacks. These attacks are financially motivated, cleverly crafted, and difficult to remediate. This blog post talks about the dangers of business email compromise (BEC) attacks, how they work, and how you can minimize the threat.
Business Email Compromise is a type of cybercrime that targets organizations with financially motivated attacks using email fraud. BEC attacks are aimed at specific organizations and rely on publicly available information and social engineering techniques. The goal of a BEC attack is usually to trick the victim into making money transfers or to gather data for other criminal activities. Data leaks and privacy breaches are often the result of such business email compromise attacks.
BEC is a type of phishing scam, where cybercriminals impersonate or compromise the email accounts of executives or senior management of an organization. Unlike the usual “spray and pray” phishing attacks such as spam, BEC attacks involve a great deal of research and personalization. Consequently, BEC attacks rely heavily on spear-phishing techniques. They target employees who have some kind of financial or fiduciary duties, such as purchasing, accounting, payroll, etc.
Just like other phishing emails, BEC attacks also try to create a sense of urgency. In addition, the emails are usually spoofed or made to appear to come from senior management or from the IT or Finance department. Such techniques increase the likelihood of the users falling for the scam and make BEC attacks effective.
The method of operation of BEC attacks is as follows: The attacker, i.e. the person sending the emails, poses as a colleague, boss, or vendor. In the email, the sender asks the recipient to make a wire transfer, fulfill a payment obligation, change banking details for future payments, etc. BEC scams use a variety of techniques such as domain spoofing, email account spoofing, and impersonation.
Standard automated security systems cannot detect or block BEC attacks because they don’t use malware or malicious URLs. BEC attackers rely heavily on a tactic called CEO Fraud, which includes impersonation and social engineering techniques, posing as CEOs, executives, and known vendors, i.e. as someone the recipient should trust. Due to the nature of BEC attacks, they are difficult and time-consuming to remediate.
The following are some of the most common business email compromise attacks:
Invoice Scams
Invoice scams are very common these days. If your company has an online presence, it is very likely that you have received invoice scams in your inbox. They typically work by sending fake invoices to your email with the goal of either receiving money or stealing credentials using fake login screens. If successful, these attacks can cause financial damage and, in more severe cases, give the attackers access to your network.
Logos of Office 365, Dropbox, Adobe, etc. are commonly used in these scams. The fake invoices, attachments, or payment links are often sent from spoofed email addresses of high-ranking executives, CEOs, and fake or even real vendors. To increase the chances of success, fake invoices are sometimes supplemented with fake contracts and letters.
Spear Phishing
Spear phishing is very common in BEC attacks. It is a targeted form of phishing where the attackers research their target organization and send specially crafted emails to specific individuals. These emails are personalized and are disguised to appear as coming from a genuine source.
Because of their highly targeted nature, cleverly crafted content, and familiar tone of voice, spear phishing emails can be difficult for the average person to detect. This makes the threat level of such attacks very high.
Spoofed Website
Website spoofing is the act of creating a copy of a genuine website in order to trick visitors into revealing sensitive information such as credit card details, Social Security numbers, or login credentials. Website spoofing is a common technique used in BEC attacks as it is relatively simple to execute.
Spoofing is done by registering a domain name that's very close to that of the targeted brand and then building a site that looks identical to the original website. The attackers then lure the customers of that brand to the website using phishing emails and try to trick them into entering their credit card details or other sensitive information into their web forms or fake payment gateways.
While most spoofed websites are used to gain access to financial or personal information, they can also be used to launch larger cyberattacks. The spoofed website can be used to spread malware through infected links or downloads, bypass network access controls, or redistribute traffic to launch a denial-of-service (DoS) attack.
1. Provide Cybersecurity Training To Employees
Your best defense against BEC attacks is informed, vigilant employees. Therefore, you must train your employees to identify phishing and BEC emails. Here are some telltale signs of BEC emails:
BEC attackers posing as high-level executives usually ask for unusual information or wire transfers. If it is not normal for you to receive emails from high-level executives, out-of-the-blue emails from them should immediately raise a red flag.
The senders of such emails ask the recipient to keep the communication confidential and to communicate only via email. If you receive unusual requests, it is best to verify through a phone call or in person.
Every organization has standard procedures for accounting, payments, and sharing of information. Receiving such requests via email, bypassing the standard process, should be an immediate red flag.
Watch out for typos, grammatical errors, and unusual date formats or characters. These usually indicate phishing emails.
If the email addresses in the “From” and “Reply-To” fields differ, this often indicates a spoofed account or domain.
2. Enable Two-factor Authentication On Your Email Account
Two-factor authentication is a security system that requires you to provide another authentication factor in addition to the username-password combination. This makes it extremely difficult for hackers to access your account even if they somehow manage to steal your login credentials.
3. Flag Differences In “From” And “Reply-To” Email Addresses
You can create rules to either filter or flag emails where the “From” and “Reply-To” addresses differ. You can also flag external emails that appear to come from your own domain. It is also possible to set up your DomainKeys Identified Mail (DKIM) to reject emails that don't match the domain of the originating mail server.
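As an added example (not code from the original post), the following Python script applies the header checks behind rule 3 and the telltale signs listed earlier to raw message headers: a “Reply-To” domain that differs from the “From” domain, an outside sender whose display name carries our domain, and a sender domain that is a near copy of ours. The internal domain and the sample messages are constructed for illustration.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"  # assumption: the organisation's own mail domain

def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header ("" if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near copies of our own domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw: bytes) -> list[str]:
    """Return the BEC indicators found in one raw message's headers."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = str(msg.get("From", ""))
    from_dom = domain_of(from_hdr)
    display_name = parseaddr(from_hdr)[0].lower()
    flags = []
    # Sign 1: replies would go to a different domain than the apparent sender.
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-domain-mismatch")
    # Sign 2: an outside sender dressed up as one of ours, either by putting our
    # domain in the display name or by sending from a near copy of our domain.
    if from_dom != INTERNAL_DOMAIN:
        if INTERNAL_DOMAIN in display_name:
            flags.append("display-name-claims-internal-domain")
        if 0 < edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
            flags.append("lookalike-sender-domain")
    return flags

SAMPLES = {  # constructed sample headers, not real mail
    "legit": b"From: Pat Lee <pat.lee@example-corp.test>\r\nSubject: Lunch\r\n\r\n",
    "reply_to": b"From: CEO <ceo@example-corp.test>\r\nReply-To: ceo@freemail.test\r\n\r\n",
    "lookalike": b"From: CEO <ceo@examp1e-corp.test>\r\nSubject: Urgent wire\r\n\r\n",
    "display": b'From: "it@example-corp.test" <x@mailer.test>\r\nSubject: Reset\r\n\r\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {bec_flags(raw) or ['clean']}")
```

The same checks can be expressed as mail-flow rules in most gateways; the script is useful for testing a rule set against a mailbox export before deploying it.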
4. Add A Banner To Emails Coming From Outside Your Organization
It is now a common practice to add a banner either on the top or bottom of an email warning users of the email’s origin. This is a standard configuration and its implementation is highly advisable. While this cannot prevent users from clicking on links or interacting with the email, it serves as a reminder to be wary of emails originating from outside the organization.
5. Empower Employees To Always Follow Procedure
When you receive an email from an authority figure, it is natural to feel the need to fulfill the request as quickly as possible. We focus a lot on cooperation and helping each other, even when requests don’t follow standard procedures. But this trait can make us vulnerable to BEC attacks.
Therefore, it is good practice to empower employees to seek clarification and ask questions when they receive unusual requests, even if the request appears to come from the CEO. Sometimes, it is best to just pick up the phone and call the requester to verify that the request is genuine.
Conclusion
BEC uses a variety of techniques, including social engineering, to win the recipient’s trust and carry out fraud. In addition, since BEC emails don’t contain any malicious attachments or links, they readily get through spam filters. Therefore, to minimize the threat of BEC attacks, you need to adopt a range of different security measures. But the most important thing is to provide regular cybersecurity awareness training to your employees so that they understand their role in preventing cyberattacks and are always vigilant.
Can you identify BEC attacks? Have you received Cybersecurity Awareness Training recently? If you would like to test your knowledge, try out the phishing test on our free IT resources page. And if you are already our customer, feel free to reach out to schedule a phishing test or cybersecurity awareness training.