Business Email Compromise (BEC) attacks target organizations of all sizes and are becoming increasingly prevalent, complex, and costly. They exploit the fact that many organizations rely on email to conduct business. A BEC scam is aimed at an individual or a small group, and the attackers rely on social engineering techniques to trick unsuspecting executives and employees.
Identifying, preventing, and responding to BEC attacks should be a priority for all organizations, but doing so effectively requires following email security best practices.
What Is Business Email Compromise (BEC)?
Business Email Compromise, or email account compromise, is a phishing attack where an attacker impersonates senior executives to trick employees, vendors, or customers into sending money to an alternate bank account or disclosing sensitive information. The criminals create an account with an email address almost identical to executives’ corporate or publicly available email accounts. They then send convincing emails that may request unusual payments or contain links to scam websites.
Some emails might also contain viruses disguised as harmless attachments, which activate when opened. BEC attacks are crafted to appeal to specific individuals and are therefore harder to detect. They threaten organizations of all sizes across all sectors, including government and non-profit organizations.
Business Email Compromise is among the most damaging and expensive forms of phishing attacks, costing businesses billions of dollars each year.
Types of Business Email Compromise
According to the FBI, there are five major types of BEC scams:
1. False Invoice Scheme
This attack often targets companies with foreign suppliers. The attackers pose as legitimate suppliers requesting fund transfers as payment for services provided to the company. Often, the attacker uses a realistic invoice template but changes the bank account information to a fraudulent account they control. The account number may be only one or two digits off. Or the fraudsters might ask you to pay a different bank, claiming your bank is being audited.
2. CEO Fraud
The phishers either hack into or spoof a CEO’s email account and send emails to employees as the company CEO, instructing them to send sensitive information, make a purchase, or transfer money to fraudulent accounts via wire transfer. The scammers mostly email individuals within the finance department.
3. Account Compromise
In an Account Compromise BEC attack, the attacker uses malware or phishing to access an employee’s email account. With this access, the scammer can request invoice payments from the customers while changing the payment details to fraudulent bank accounts.
4. Attorney Impersonation
In this type of attack, an attacker gains access to the email account of a lawyer or legal representative responsible for sensitive matters and impersonates them. Low-level employees are normally targeted because they lack the knowledge to question the validity of the request, and the requests are often made by phone or email at the end of the business day.
This approach makes the request seem time-sensitive and confidential, preventing independent verification.
5. Data Theft
BEC attacks extend beyond stealing money from a company. A data theft attack targets HR and finance personnel and aims to steal sensitive information about a company’s employees. This information may be sold on the Dark Web or used in the planning and execution of future attacks.
How BEC Works
In a BEC scam, the scammer poses as someone the recipient should trust, usually a boss, colleague, or vendor. The sender asks the recipient to make wire transfers, change banking details, or divert payroll.
These attacks are difficult to detect because they don’t use malicious URLs that can be analyzed with cyber defences. Instead, they rely on impersonation and other social engineering techniques to trick people.
BEC scams use various impersonation techniques, such as domain spoofing and lookalike domains. With these techniques, the attacker might:
1. Spoof Email Accounts and Websites
Slight differences in legitimate addresses fool victims into thinking fake accounts are authentic.
2. Send Spear-Phishing Emails
These are messages believed to come from a trusted sender prompting victims to reveal confidential information to the attacker. The information allows the scammers to access company accounts, data, and calendars, giving them the needed details to carry out the BEC attacks.
3. Use Malware
Malicious software can be used to infiltrate a company’s networks and gain access to internal systems and data, especially legitimate emails about the company’s invoices and billing. This information is used to time requests so that they do not raise the suspicions of financial officers when a falsified wire transfer request is submitted. Malware also lets attackers access the victim’s sensitive data, such as financial account information and passwords.
Here is what happens in a Business Email Compromise scam:
i) Phase 1: Email List Targeting
The attackers research their targets, build a targeted list of emails, and figure out how to fake identity. Common tactics include sifting through business email databases, mining LinkedIn profiles, or searching various websites for contact information.
ii) Phase 2: Launch Attack
Once the attackers have access, they monitor emails to determine who can send or receive money. They also study invoices and conversation patterns. Afterwards, they begin rolling out the BEC attacks by sending out mass emails. It’s difficult to detect malicious intent at this stage because attackers use techniques such as lookalike domains, spoofing, and fake sender names.
iii) Phase 3: Social Engineering
At this stage, the scammers impersonate individuals in a company, such as CEOs or individuals within finance departments. It is common to receive emails that request urgent responses.
iv) Phase 4: Financial Gain
If attackers successfully build trust with an individual, this is the phase where they ask for gift cards, money, or information. The financial gain or data breach, which is the attack’s main aim, is made in this phase.
How to Protect Against Business Email Compromise Attacks
There are several ways to protect against business email compromise. Common techniques that can be employed include:
1. Anti-Phishing Protections
Business Email Compromise emails are a form of phishing. Therefore, deploying anti-phishing solutions is essential to protecting against them. An anti-phishing solution should be able to identify the red flags of BEC emails, for instance reply-to addresses that do not match the sender address, and use artificial intelligence to analyze email language for signs of an attack.
2. Employee Education
BEC attacks target a company’s employees. This makes email security awareness training essential for cybersecurity. Training employees on how to spot and respond to a BEC attack is critical to minimizing the threats of this form of phishing.
Ensure everyone knows how to spot a domain and email address mismatch, phishing links, and other red flags. You can also simulate a Business Email Compromise scheme so that people can recognize one when it happens.
3. Separation of Duties
BEC scams attempt to trick employees into taking high-risk operations like sending sensitive information or money without verifying the request. Implementing policies requiring independent verification from a second party can help decrease the probability of successful attacks.
4. Labeling External Emails
BEC attacks often try to impersonate internal email addresses using lookalike domains or domain spoofing. Configuring the email system to label messages from outside the company as ‘external’ can help defeat this tactic. You can also colour-code messages so that emails from employee accounts and those from non-employees appear in different colours.
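The impersonation techniques described under "How BEC Works" (spoofed and lookalike domains) and the two controls above (flagging a reply-to address that does not match the sender, and labelling mail from outside the company as external) can all be checked from a message's headers. The following is an added example, not code from the original article or from any product it mentions: a small Python checker that parses raw headers, tags the subject of external mail, and raises the BEC red flags discussed in the text. The organisation's domains, the executive name list, and both sample messages are constructed for the example; a real deployment would take them from the mail gateway's configuration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample configuration (assumption for this example): the
# organisation's own sending domains and the executives most often impersonated.
ORG_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"jane doe"}  # lower-cased display names


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return the external-mail label and BEC red flags for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr)

    flags = []
    external = from_dom not in ORG_DOMAINS
    if external:
        flags.append("external")
    # Reply-To pointing somewhere other than the visible sender: replies go to the attacker.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # A domain within two edits of one of ours, but not ours, is a lookalike.
    if external and any(0 < levenshtein(from_dom, d) <= 2 for d in ORG_DOMAINS):
        flags.append("lookalike-domain")
    # An executive's display name on an address outside the company.
    if external and from_name.strip().lower() in EXECUTIVE_NAMES:
        flags.append("display-name-impersonation")

    subject = str(msg.get("Subject", ""))
    if external:
        subject = "[EXTERNAL] " + subject  # the labelling control from the text
    return {"subject": subject, "flags": flags}


# Constructed sample messages for demonstration only.
RAW_SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <ceo.jane.doe@webmail.example>
To: accounts.payable@example-corp.com
Subject: Urgent wire transfer before end of day

Please process the attached invoice today; I am in meetings all afternoon.
"""

RAW_INTERNAL = """\
From: Bob Smith <bob.smith@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Lunch on Friday?

Anyone up for the new place on the corner?
"""

if __name__ == "__main__":
    for raw in (RAW_SUSPICIOUS, RAW_INTERNAL):
        result = analyze(raw)
        print(result["subject"], "->", ", ".join(result["flags"]) or "no flags")
```

The edit-distance threshold of two is a deliberate trade-off: it catches single-character substitutions such as a digit for a letter while keeping false positives on unrelated short domains low; an allow-list of known partner domains would normally sit in front of it.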
5. Payment Verification
Add a second verification step for payments. You can verify payments in person or by phone to ensure they’re legitimate. Also, verify any changes in account details or payment procedures directly with the people making the requests.
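Separation of duties (item 3) and payment verification (item 5) are process controls, but they are easier to enforce when the payment system encodes them. The following is an added example, not code from the original article: a Python model of a bank-detail change request that cannot be applied until a callback has been made to the vendor's phone number on file (not the number supplied in the request) and a second employee, different from the one who received the request, has approved it. The vendor record, names, and phone numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Vendor:
    name: str
    bank_account: str
    verified_phone: str  # collected at onboarding; never taken from an email


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    requested_by: str            # employee who received the request
    callback_phone: str          # number the request itself asked us to call
    approvals: Set[str] = field(default_factory=set)
    callback_made_to: Optional[str] = None


class PaymentControls:
    """Enforces out-of-band verification and an independent second approver."""

    def __init__(self, vendors: List[Vendor]):
        self.vendors = {v.name: v for v in vendors}

    def record_callback(self, req: ChangeRequest, phone_used: str) -> None:
        req.callback_made_to = phone_used

    def approve(self, req: ChangeRequest, approver: str) -> None:
        # Separation of duties: the person who received the request cannot approve it.
        if approver == req.requested_by:
            raise PermissionError("requester cannot approve their own request")
        req.approvals.add(approver)

    def can_apply(self, req: ChangeRequest) -> Tuple[bool, List[str]]:
        """Return (allowed, reasons) for applying the bank-detail change."""
        reasons = []
        vendor = self.vendors[req.vendor]
        # The callback counts only if it went to the number on file, not the
        # one in the request, which an attacker controls.
        if req.callback_made_to != vendor.verified_phone:
            reasons.append("callback not made to the vendor's number on file")
        if not req.approvals:
            reasons.append("no independent second approval")
        return (not reasons, reasons)

    def apply(self, req: ChangeRequest) -> bool:
        allowed, _ = self.can_apply(req)
        if allowed:
            self.vendors[req.vendor].bank_account = req.new_account
        return allowed


def demo() -> Tuple[bool, bool]:
    """Walk one request through the controls; returns (blocked_first, allowed_after)."""
    # Constructed sample vendor and request.
    acme = Vendor("Acme Supplies", "ACCT-OLD-0001", "+1-555-0100")
    controls = PaymentControls([acme])
    req = ChangeRequest(vendor="Acme Supplies", new_account="ACCT-NEW-9999",
                        requested_by="alice", callback_phone="+1-555-0199")

    # Calling the number given in the email proves nothing.
    controls.record_callback(req, req.callback_phone)
    blocked_first = not controls.apply(req)

    # Calling the number on file and getting a second approver satisfies both controls.
    controls.record_callback(req, acme.verified_phone)
    controls.approve(req, "bob")
    allowed_after = controls.apply(req)
    return blocked_first, allowed_after


if __name__ == "__main__":
    print(demo())
```

Keeping the number on file in a system the requester cannot edit is what makes the callback meaningful; if the same email that asks for a change can also update the contact record, the control collapses.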
6. Implement Multifactor Authentication (MFA)
Multifactor authentication is the most effective control to limit an attacker’s ability to use stolen credentials. Make your email accounts harder to compromise by turning on MFA, which requires a PIN, code, or fingerprint in addition to your password to log in. Besides mitigating BEC scams, MFA helps prevent credential-based attacks against a network perimeter and can slow an attacker’s lateral movement if they already have access to the network.
Tips for Identifying and Avoiding BEC Scams
- Check email domains from suspicious mail against those from trusted contacts.
- Look for inconsistencies in font, logo, and colour and unusual spelling mistakes or date format changes.
- Be cautious when viewing condensed emails on mobile devices.
- Change passwords immediately if you suspect you may have been phished.
- Conduct a phishing assessment on your company to test employees’ awareness.
- Use network and endpoint security monitoring to identify suspicious user activities.
- Be especially suspicious if the requestor is insistent you act quickly.
The low-tech nature of Business Email Compromise attacks means they are here to stay. Therefore, companies and employees need to adapt their processes, mindset, and security tools to keep pace with evolving Business Email Compromise attacks.