In cybersecurity news, ransomware attacks occupy the majority of the headlines. With their menacingly named gangs and habit of openly bragging to and about their victims, it’s little wonder that ransomware purveyors hog the spotlight. Business email compromise (BEC) attacks, while far less flashy than ransomware, are more common and can be just as financially ruinous. In 2020 alone, 20,000 BEC attacks were reported to the FBI, costing organizations a collective $1.8 billion in payments to scammers.
What is a BEC attack?
BEC attacks are, to put it simply, a specialized and highly targeted type of phishing attack.
In a phishing attack, a scammer sends fraudulent emails that encourage victims to click a link. The link either delivers malicious code that compromises their system or leads to a page that asks the victim to submit sensitive information such as passwords and banking data. Common lures include the promise of financial gain or gift cards, or a false claim that the victim’s account has been compromised and their password is needed to regain access.
The spelling of the term “phishing” dates back to slang used by the hackers of the early 90s who referred to themselves as “phreaks.” The word itself references the act of baiting a hook and waiting to reel in a victim.
What makes a BEC attack different?
Unlike typical phishing attacks, which spray malware links or attachments across many potential victims, a BEC attack focuses on a specific individual, employee or account. BEC messages rarely carry malware and rely almost entirely on social engineering to trick the target into handing sensitive business information to the threat actor directly, with no malware or break-in required.
BEC attackers fool recipients by impersonating another employee, typically a senior executive, or a trusted account such as one belonging to a third-party vendor. A well-constructed BEC scam uses an email whose visual design is indistinguishable from the targeted organization’s messaging, and may even engage in back-and-forth conversation to build trust before asking for sensitive data.
One common strategy is to email an employee at the end of the day while posing as their boss or another executive. The fraudster claims to be traveling or otherwise unable to complete a transaction without the victim’s assistance, either in the form of turning over critical information or acting on the scammer’s behalf.
BEC messages may also originate from a genuine email account that has been compromised, making them all but impossible to identify with a quick glance during a busy day.
How to identify a BEC attack
Unfortunately, a savvy BEC attack can be very difficult to distinguish from a legitimate email at face value. Criminals carefully recreate the design of official correspondence and may even go so far as to mimic the language and grammar style of those they intend to impersonate.
BEC attacks often employ the following tactics:
- Impersonating a supply chain vendor in a direct message. Third-party vendors usually have proper channels to go through in order to make changes to their accounts or make and receive payments. A direct message from an alleged vendor asking for financial data or the means by which to make changes to their account is suspicious.
- Implying time sensitivity or asking for a personal favor. A message that purports to come from a boss, colleague or executive and insists that a request or favor be performed as quickly as possible should be investigated. These requests prey on the boss/employee dynamic and are designed to appeal to a worker’s desire to go out of their way to assist a higher-up.
- Creating a message that appears to be from a personal device or account. Requests that look as though they have been sent from an executive’s personal account or device are another common means by which scammers can fool their victims. Emails of this nature require little to no adherence to a company’s internal email design, and will often end with a familiar-looking “sent from my iPad” closing. These types of “urgent” messages attempt to explain themselves by saying that the sender is traveling, on vacation or out of the office and therefore without access to what they need to perform an important task.
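As an added example (not code from the original article), a small Python triage helper that turns the three red flags above into checks run over constructed sample messages; the company domain, executive name, vendor domain and sample mails are all fictional, and the keyword lists are illustrative rather than a complete detection rule set.

```python
import re
from dataclasses import dataclass

# Constructed reference data for this example (fictional organisation and vendor).
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"dana reyes"}               # display names an impostor might borrow
VENDOR_DOMAINS = {"acme-supplies.test"}   # vendors paid only through the approved portal
URGENCY = re.compile(r"\b(urgent|asap|immediately|before eod|quick favou?r)\b", re.I)
AWAY = re.compile(r"\b(travell?ing|on vacation|out of (?:the )?office)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|bank (?:account|details)|routing|gift cards?)\b", re.I)
DEVICE = re.compile(r"sent from my (?:iphone|ipad|mobile)", re.I)

@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str
    reply_to: str = ""

def bec_red_flags(msg: Message) -> list:
    """Return the red flags from the list above that this one message exhibits."""
    flags, text = [], f"{msg.subject}\n{msg.body}"
    sender = msg.from_addr.rsplit("@", 1)[-1].lower()
    external = sender != COMPANY_DOMAIN
    if msg.from_name.lower() in EXECUTIVES and external:        # personal-account impersonation
        flags.append("executive display name on an external (personal-looking) address")
    if DEVICE.search(text) and external:
        flags.append("'sent from my device' closing from outside the company")
    if URGENCY.search(text):                                     # time pressure / personal favour
        flags.append("urgency or personal favour" + (" with an unavailability excuse" if AWAY.search(text) else ""))
    if PAYMENT.search(text) and external and sender not in VENDOR_DOMAINS:  # vendor via wrong channel
        flags.append("payment or bank-detail request from an unrecognised external sender")
        if any(v.split(".")[0] in sender for v in VENDOR_DOMAINS):  # vendor's name, not its domain
            flags.append("vendor lookalike domain")
    if msg.reply_to and msg.reply_to.rsplit("@", 1)[-1].lower() != sender:
        flags.append("Reply-To domain differs from From domain")
    return flags

# Constructed samples: executive impersonation, vendor lookalike, and a benign internal note.
SAMPLES = [
    Message("Dana Reyes", "dreyes@personal-mail.test", "Quick favour",
            "I'm travelling and need a quick favour before EOD: wire the deposit to the "
            "account below and I'll sort the paperwork tomorrow.\n\nSent from my iPad"),
    Message("Acme Supplies Billing", "billing@acme-supplies-billing.test",
            "Updated bank details for invoice 4471",
            "Our bank account has changed; use the new routing number for future payments.",
            reply_to="accounts@freemail.test"),
    Message("HR Team", "hr@example-corp.test", "Timesheets", "Please submit timesheets by Friday."),
]
```

Any message that returns a non-empty list is a candidate for the out-of-band verification (a phone call to the known number, the vendor's approved portal) that the controls below describe.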
Noteworthy business email compromise attacks
- US toy company Mattel fell victim to a BEC attack in which a financial executive was tricked into transferring $3 million to a hacker’s Chinese bank account.
- Ubiquiti Networks, a California-based networking technology company, had $46.7 million stolen via a sophisticated BEC attack that saw both executives and lower level employees impersonated.
- Xoom Corporation, an international money transfer company based in California, saw its finance department send $30.8 million to fraudulent overseas accounts after a BEC attack.
- Facebook and Google, information technology giants that one would expect to be well insulated against BEC attacks, lost a collective $121 million between 2013 and 2015 to a scammer after paying fake invoices.
How to prevent a business email compromise attack
Cybercrime will continue to be a major issue as 2022 unfolds, with BEC attacks likely to advance in complexity. Unless a BEC email is sloppily created with misspellings or formatting errors that give away the scam, the only surefire way to avoid falling for an attack is through diligence and the following cybersecurity protocols:
- General cybersecurity training, specifically with regard to phishing, can help employees notice red flags in their inbox, stopping scams before they start.
- Two-factor authentication (2FA) should be in place to prevent attackers from compromising the email accounts that are then weaponized to carry out BEC attacks.
- Accounting controls should be bolstered to help determine the legitimacy of payments and payment requests.
- Advanced BEC defenses offered by cybersecurity firms use AI-powered analysis of incoming message attributes to block BEC attempts and quarantine suspicious emails.
- Protect your trusted domains using a third-party security provider that screens all outgoing messages. This prevents attackers from using your domain names against your customers, clients or vendors.